Certificate Transparency issue with Chrome 99+ #15

andyacer opened this issue Mar 22, 2022 · 8 comments

andyacer commented Mar 22, 2022

It looks like the configuration provided by this module is in conflict with Chrome 99+ on Android. This is due to the new Certificate Transparency enforcement that went live in Android's Chrome 99 on March 1, 2022.
https://support.google.com/chrome/a/answer/7679408

This is just an FYI - I'm not sure what the best path forward is on this.

See below for the error received when proxying traffic when using the movecert module. This is with Burp Suite on Chrome 99+ on Android 11. Duplicated on Android 12.

image

yossijo commented Mar 27, 2022

I'm experiencing the same with a different MITM proxy.

@wrongway213

See here for more info on the issue. The only fix seems to be installing the certificate in both the user store and the system store. AdguardTeam/AdguardForAndroid#4124 (comment)

@andyacer
Author

Awesome thanks @wrongway213

The answer as I understand it: install the certificate in both locations, the System store and the User store. Then hide the System store version from Chrome using Magisk -> Settings -> Zygisk (Beta) + Enforce DenyList + Configure DenyList for Chrome (system app).

If I get this working I'll add more fidelity here with screenshots and steps.

@wrongway213

You're very welcome @andyacer but there's one major issue:
Hiding Chrome in Magisk is known to cause a wide array of issues. What is needed is a solution that allows the certificate to reside both in user and system store, without hiding Chrome from Magisk. It appears the certificate needs to actually be installed in both locations, with a mechanism to make browser(s) fall back to the user certificate.

floyd-fuh commented May 24, 2022

Btw, the issue is also discussed here: https://forum.portswigger.net/thread/android-chrome-99-certificate-transparency-feature-blocks-burp-certificate-929ab74d
I would appreciate it if the script would change from "Move" (mv) to "Copy" (cp) as a minimum.

andyacer commented Jul 17, 2022

PR has been submitted with a fix for the Chrome CT issue.

This fix changes the behavior of this script to copy instead of move the certificate. The certificate now resides both in the System store and the user store. By using Zygisk and the Enforce DenyList feature to hide Magisk from Chrome, this seems to fully address this problem.

Recommended way to use this module:

  1. Install the updated Move Certificates module.
  2. Install the desired certificate to the user store.
  3. In Magisk, enable Zygisk, enable Enforce DenyList and then add Chrome to the DenyList.
  4. Reboot your phone.
  5. Chrome should work using the certificate in the user store, and all the other apps should work using the certificate in the system store.
  6. If you want to add any other apps later, just add them to the Magisk Hide list/DenyList, then force stop that app. Next time it launches it should use the certificate in the user store. Removal works the same way.
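
A check for the end state described in the steps above (certificate present in both stores), as an added example that is not part of this thread or of the module's code. The store paths named in the comments are the usual Android locations and are assumptions here; the sample file names and contents are constructed.

```shell
# Added example (not from the module). Assumed on-device store paths:
#   system store: /system/etc/security/cacerts
#   user store:   /data/misc/user/0/cacerts-added
# Certificates in both stores are files named <subject-hash>.<n>.

# cert_status SYS_DIR USER_DIR NAME
# Prints one of: both | mismatch | system-only | user-only | missing
cert_status() {
    sys="$1/$3"; usr="$2/$3"
    if [ -f "$sys" ] && [ -f "$usr" ]; then
        # Same file name but different bytes means one store holds a stale copy.
        if cmp -s "$sys" "$usr"; then echo both; else echo mismatch; fi
    elif [ -f "$sys" ]; then
        echo system-only   # what a "move" (mv) leaves behind
    elif [ -f "$usr" ]; then
        echo user-only     # the module has not copied it
    else
        echo missing
    fi
}

# audit_user_certs SYS_DIR USER_DIR
# Prints "<name> <status>" for each user-store cert; returns 1 unless all are "both".
audit_user_certs() {
    rc=0
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        status=$(cert_status "$1" "$2" "$name")
        echo "$name $status"
        [ "$status" = both ] || rc=1
    done
    return $rc
}

# Constructed fixture so the example runs offline; names and contents are made up.
make_demo_stores() {
    d=$(mktemp -d)
    mkdir -p "$d/system" "$d/user"
    echo "proxy CA (constructed)" > "$d/user/0a1b2c3d.0"
    cp "$d/user/0a1b2c3d.0" "$d/system/0a1b2c3d.0"        # copied: in both stores
    echo "older CA (constructed)" > "$d/system/4e5f6a7b.0" # moved: system store only
    echo "$d"
}

demo=$(make_demo_stores)
audit_user_certs "$demo/system" "$demo/user"
cert_status "$demo/system" "$demo/user" 4e5f6a7b.0
rm -rf "$demo"
```

On a rooted device, the two functions can be called from a root shell with the real store directories in place of the demo ones.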

at3s commented Oct 11, 2022

good answer, thank you

@JelmerDeHen

Hi, I have created a module to solve this via Chrome flags.
https://github.com/JelmerDeHen/MagiskBypassCertificateTransparencyError
