When Insecure Responses and Certificate Transparency Completely Break Electron
A few months back, I wrote up a short summary on using Electron to easily build, package, and deploy a web site or application. If you were to have followed such a tutorial, you may be coming back here looking for a post like this, because, in all likelihood, your application stopped working.
I'd just like to say - don't blame me, this wasn't my fault.
Why did my Electron stop working?
If you attempted to use your application built with Electron, you very likely opened it up only to see an empty blank screen.
If you had the Developer Tools enabled within your application, you could quickly see exactly what was going wrong:
Failed to load resource: net::ERR_INSECURE_RESPONSE
What was wrong? Your certificates were all in order, your site loaded just fine yesterday under https, everything was right in the world. And yet here you stood, with Electron clearly letting you know that maybe you weren't the security guru that you thought you were.
You'll be happy to learn that you did everything right, and that this wasn't your fault at all.
Chrome, you got some splainin' to do.
As you probably know, Electron has a dependency on Chrome under the hood to handle all of its web-related goodness, such as rendering. Well, sometimes people make mistakes. Bugs happen, and that's exactly what is going on here.
If your SSL/TLS certificate authority was one of the following entities, you are likely experiencing this issue:
- Symantec
- GeoTrust
- Thawte
The problem is that libchromiumcontent, the library Electron uses to embed Chrome, has a bug that causes these completely valid certificates to be incorrectly rejected. Specifically, they are rejected once 10 weeks have passed since the libchromiumcontent library was built. You can read more about the specifics in this post here.
This explains why, with no changes whatsoever on your side, your Electron application simply stopped working.
Just Update It™
If you experience this issue and find your application not working, you simply need to update Electron to the latest version (or at least a version later than 1.4.12).
This can generally be done with a quick npm update:
npm update electron
After updating the package, you should be able to rebuild your application and redistribute it as expected.
A few other, more ghetto approaches to handling this issue would be either to explicitly ignore invalid certificates within your Electron application, which can be done via the following line in your main.js file:
app.commandLine.appendSwitch('ignore-certificate-errors');
Or to turn off web security, which is what ensures that non-secure traffic is not served:
// Create the browser window.
mainWindow = new BrowserWindow({
    width: 1024,
    height: 768,
    icon: __dirname + '/favicon.ico',
    // This handles disabling web security
    webPreferences: {
        webSecurity: false
    }
})
Again - it is recommended to simply update Electron, but it's likely that these workarounds would technically resolve the problem as well.