
When Insecure Responses and Certificate Transparency Completely Break Electron

17 Jan 2017

A few months back, I wrote up a short summary on using Electron to easily build, package, and deploy a web site or application. If you followed that tutorial, you may be coming back here looking for a post like this because, in all likelihood, your application stopped working.

I'd just like to say - don't blame me, this wasn't my fault.

Why Did My Electron Stop Working?

If you attempted to use your application built with Electron, you very likely opened it up only to see an empty blank screen:


If you had the Developer Tools enabled within your application, you could quickly see exactly what was going wrong:

Failed to load resource: net::ERR_INSECURE_RESPONSE

What was wrong? Your certificates were all in order, your site loaded just fine yesterday over HTTPS, everything was right in the world. And yet here you stood, with Electron clearly letting you know that maybe you weren't the security guru that you thought you were.

You'll be happy to learn that you did everything right, and that this wasn't your fault at all.

Chrome, You Got Some Splainin' To Do

As you probably know, Electron has a dependency on Chrome under the hood to handle all of its web-related goodness, such as rendering. Well, sometimes people make mistakes. Bugs happen, and that's exactly what is going on here.

If your SSL/TLS certificate authority was one of the following entities, you are likely experiencing this issue:

  • Symantec
  • GeoTrust
  • Thawte

The problem is that libchromiumcontent, Electron's underlying library for handling Chrome, has a bug that could cause these completely valid certificates to be incorrectly rejected. Specifically, they are rejected 10 weeks after the libchromiumcontent library was built. You can read more about the specifics in this post here.

This can explain why, with no changes whatsoever, your Electron application simply stopped working.

Just Update It™

If you experience this issue and find your application not working, you simply need to update Electron to the latest version (or at least a version later than 1.4.12).

This can generally be done by a quick npm update:

npm update electron

After updating the package, you should be able to rebuild your application and redistribute it as expected:


A couple of hackier approaches to handling this issue would be to either explicitly ignore certificate errors within your Electron application, which could be done via the following line within your main.js file:

JavaScript
app.commandLine.appendSwitch('ignore-certificate-errors');  

Or by turning off web security, the setting that ensures non-secure traffic is not served:

JavaScript
// Create the browser window.
mainWindow = new BrowserWindow({
  width: 1024,
  height: 768,
  icon: __dirname + '/favicon.ico',
  // This handles disabling web security
  webPreferences: {
    webSecurity: false
  }
});

Again - it is recommended to simply update Electron, but it's likely that these workarounds would technically resolve the problem as well.
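Because both workarounds apply to the whole application, it is worth checking that they were removed once Electron was updated. The following is an added example, not code from the original article: a small Node.js check that flags a declared Electron version that is not later than 1.4.12 and either workaround left in main.js. The function names and the sample inputs are assumptions made for illustration.

```javascript
// Audit an Electron project for the version and workarounds discussed above.
// Checks the version declared in package.json, not the one actually installed.
const FIXED_AFTER = [1, 4, 12]; // the article: use a version later than 1.4.12

// Extract the first x.y.z from a dependency spec such as "^1.4.3".
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec || '');
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is strictly later than version b.
function isLater(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return false;
}

function auditElectronApp(packageJsonText, mainSource) {
  const findings = [];
  const pkg = JSON.parse(packageJsonText);
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const version = parseVersion(deps.electron);
  if (!version) {
    findings.push('electron version not found in package.json');
  } else if (!isLater(version, FIXED_AFTER)) {
    findings.push('electron ' + version.join('.') + ' is not later than 1.4.12');
  }
  // Naive comment stripping so a commented-out workaround is not reported.
  const code = mainSource.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/.*$/gm, '');
  if (/appendSwitch\(\s*['"]ignore-certificate-errors['"]/.test(code)) {
    findings.push('ignore-certificate-errors switch is set');
  }
  if (/webSecurity\s*:\s*false/.test(code)) {
    findings.push('webSecurity is disabled');
  }
  return findings;
}

// Constructed sample project that still carries both workarounds.
const samplePackage = '{"devDependencies": {"electron": "^1.4.3"}}';
const sampleMain = [
  "app.commandLine.appendSwitch('ignore-certificate-errors');",
  'mainWindow = new BrowserWindow({ webPreferences: { webSecurity: false } });'
].join('\n');

console.log(auditElectronApp(samplePackage, sampleMain));
```

In a real project, pass the contents of package.json and main.js read from disk; an empty result means none of the three conditions was found.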

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

