Chrome does not trust the SSL certificate of Box's CDNs
AnsweredHello folks, trying to load Box's file picker from either of these URLs
* https://app.box.com/js/static/select.js
* https://cdn01.boxcdn.net/js/static/select.js
results in the following warning in the console of Chrome 64.0.3282.167 on OS X:
"The SSL certificate used to load resources from [one of the domains above] will be distrusted in M66. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information."
Chrome 66 is slated for release to beta 3/15/2018—less than a month from now. What is your timeline for fixing this issue? Our only recourse at present is to disable the file picker in our application.
-
Hi !
Thank you so much for posting about this - seriously, the diligence of our community to help us out is amazing. I can confirm that we are aware of Chrome's pending deprecation of support for Symantec-issued Certificates and we will be in compliance before the deadline.
For now, those messages should only be *warnings* in the console, and any customers running Chrome 64 should still be good to go! Functionality remained in my tests with Chrome 65, and I only ran into issues when further testing with Chrome Canary which is on 66.
Hope that helps alleviate some of the concern, and again thank you so much for bringing it up!
Thanks,
Jason
-
Hey , thanks for your reply. Glad to report the issue, though I would have expected some sort of advisory about this somewhere on box.com, couldn't find one.
Thanks for testing that functionality will remain up until Chrome 66.
Can you confirm that you'll be in compliance some days before the deadline? If you are not, we will have to make preparations to pull the picker from our application—we won't want to wait right up until 3/15.
-
Hi ,
We're aiming to have it all done early, yes. I can't say exactly when unfortunately. It's in progress right now, but like with any project things can come up and change our expected dates.
If this was something like a new release of an application or something more common, I'd be able to give you more of a definite date, but the nature of this particular undertaking is a bit more fluid.
Definitely acknowledge the want for more of an advisory. We've done something similar in the past for other security-related topics. Given this forum thread I think that's something we'll try to put together.
Thanks,
Jason
-
Update: two weeks now and the issue still isn't fixed.
Two weeks from today, your application will break.
1.5 weeks from now, we will have to disable Box in our application. We just can't wait till the last minute on this. We'll need to tell our users (unfortunately) what is happening.
-
I just tested loading the JS file from https://cdn01.boxcdn.net/js/static/select.js and the certificate warning is no longer present. You should be all set to load the File Picker from CDN.
-
Hi , I can confirm that the warning is no longer present for cdn01.boxcdn.net, the origin you and the file picker docs suggest.
I still get the warning for
https://app.box.com/js/static/select.js. I do not know where this link came from, but it appears to be the identical script (perhaps your documentation suggested using it at some time) and our code was using it just fine; I encourage you to fix that origin too so that you do not break existing integrations.
However I will accept your reply as the solution since it's easy enough for us to switch over.
Thanks!
Please sign in to leave a comment.
Comments
6 comments