This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

SHA1 signed certificates accepted with no warning #1164

Closed
nicdoye opened this issue Mar 24, 2016 · 9 comments
Comments

@nicdoye

nicdoye commented Mar 24, 2016

Web sites using the SHA-1 Signature hash algorithm are displayed in the browser without even a warning. (Brave 0.8.2). I believe Brave should block connections to such sites as Firefox already does, and Chrome, IE and Edge by Jan 01 2017.

  • Chrome 49 shows a red cross on the padlock, and the "https" part of the URL is also red with a red line through it. They will completely stop supporting SHA-1 by Jan 01 2017.
  • Firefox has rejected such sites since version 43 (Jan 01 2016) bringing up a page saying "Your connection is not secure" and does not connect to the site (unless you add an exception). (Tested with 45.0.1)
  • Microsoft Edge will "deprecate" them later this year and block them by Jan 01 2017. (Currently, version 25.10586.0.0 issues no warning and displays the page).
  • Microsoft IE will presumably be aligned with the Edge timescales, if it is a pan-Microsoft decision (Currently, version 11.103.10586.0 issues no warning and displays the page).
  • Opera - I can't find anything about their policy and don't have it installed.
  • Vivaldi - I can't find anything about their policy and don't have it installed.
@diracdeltas
Member

I think we should display sha1 certs as non-secure. Right now there is no way to get cert info unless there's a certificate error but that is a todo for 1.0.

@nicdoye
Author

nicdoye commented Mar 24, 2016

Would you need an extra prop to check in SiteInfo.render(), other than isSecure and isMixedContent, to set the icon to (some colour lock/unlock)?

Or would you set a certificate error (which I think happens via an electron ipc.send() call from the loadStart() event listener in Frame.addEventListners) and deal with it like that?

@diracdeltas
Member

We would modify our fork of electron to send the cert info via IPC when the tls connection is established.

@diracdeltas diracdeltas added the "hackathon" label (legacy label for a hackathon) on Mar 28, 2016
@bbondy
Member

bbondy commented Jun 9, 2016

Adding @bridiver for this.

@bridiver
Collaborator

bridiver commented Jun 9, 2016

cert information could be made available in the navigation-entry-commited event

@diracdeltas
Member

diracdeltas commented Jun 9, 2016

it would be useful if electron could send the parsed x509 cert info in addition to the raw cert, so the browser doesn't have to re-parse it in JS. the only fields i can think of that the front-end needs to know about (for now) are whether there's a SHA1 signature in the chain and whether the end cert is Extended Validation. though if the user wants to inspect the cert, it's handy to show them both the raw cert and the parsed fields.
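
The check the front-end needs ("is there a SHA-1 signature in the chain") can be done on the raw DER certificates Electron already hands over. The following is an added example, not Brave's or Electron's code: it reads each certificate's outer signatureAlgorithm OID with a minimal DER walk and flags the chain if any link is SHA-1 signed. The two sample buffers are constructed stand-ins (an empty tbsCertificate and an empty signature) that only exercise the algorithm field, not real certificates.

```javascript
// OIDs of SHA-1 based signature algorithms (RFC 3279 / RFC 5758).
const SHA1_SIG_OIDS = new Set([
  '1.2.840.113549.1.1.5', // sha1WithRSAEncryption
  '1.2.840.10045.4.1',    // ecdsa-with-SHA1
]);

// Read one DER TLV at `off`; returns the tag and the value's byte range.
function readTlv(buf, off) {
  const tag = buf[off];
  let len = buf[off + 1];
  let p = off + 2;
  if (len & 0x80) {                 // long-form length
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[p++];
  }
  if (p + len > buf.length) throw new Error('truncated DER');
  return { tag, start: p, end: p + len };
}

// Decode OID content bytes to dotted form (first arc < 2, as for all signature OIDs).
function decodeOid(bytes) {
  const parts = [Math.floor(bytes[0] / 40), bytes[0] % 40];
  let v = 0;
  for (let i = 1; i < bytes.length; i++) {
    v = v * 128 + (bytes[i] & 0x7f);
    if ((bytes[i] & 0x80) === 0) { parts.push(v); v = 0; }
  }
  return parts.join('.');
}

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
function signatureAlgorithmOid(der) {
  const cert = readTlv(der, 0);
  if (cert.tag !== 0x30) throw new Error('not a SEQUENCE');
  const tbs = readTlv(der, cert.start);          // skip tbsCertificate
  const algId = readTlv(der, tbs.end);           // AlgorithmIdentifier SEQUENCE
  const oid = readTlv(der, algId.start);         // its first element: OBJECT IDENTIFIER
  if (oid.tag !== 0x06) throw new Error('expected OID');
  return decodeOid(der.subarray(oid.start, oid.end));
}

// True if any certificate in the chain (leaf, intermediates, root) is SHA-1 signed.
function chainUsesSha1(chainDer) {
  return chainDer.some((der) => SHA1_SIG_OIDS.has(signatureAlgorithmOid(der)));
}

// Constructed samples: SEQUENCE { SEQUENCE {}, AlgorithmIdentifier, BIT STRING "" }.
const SAMPLE_SHA1_RSA = Buffer.from([0x30, 0x14, 0x30, 0x00, 0x30, 0x0d, 0x06, 0x09,
  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x01, 0x00]);
const SAMPLE_SHA256_RSA = Buffer.from([0x30, 0x14, 0x30, 0x00, 0x30, 0x0d, 0x06, 0x09,
  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x01, 0x00]);
```

A real chain from the TLS layer is a list of full DER certificates; the walk above only ever touches the top-level structure, so it works unchanged on them.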

@bridiver
Collaborator

bridiver commented Jun 9, 2016

it is available from AtomSecurityStateModelClient and we could fire an event when it changes with SecurityStyleChanged

@luixxiul luixxiul added this to the 1.0.0 milestone Nov 14, 2016
@luixxiul
Contributor

Setting 1.0 milestone based on the comment by @diracdeltas above.

@diracdeltas
Member

diracdeltas commented Nov 14, 2016

As of 0.12.9, Brave will show the insecure UX for sha1 certs that expire after 2017. Hooray!

Test Plan:

  1. go to https://sha1-2017.badssl.com/
  2. observe the insecure icon in the urlbar instead of the secure icon
