Vivaldi disregards Chrome policies
-
Hi all!
I am a happy Vivaldi user at home; now I wanted to try V on my workplace PC, too.
However at our corporation, most internal websites are signed using our internal root CA, without published "transparency logs".
And Vivaldi shows net:ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error and the broken lock icon on all of them! (To be precise, our CA is not a real root CA, because it has a valid trust chain from GlobalSign, so read as "local root".)
With Chrome we have an appropriate setting to whitelist our internal sites. (see [1]). It boils down to some Windows Registry keys documented here.
Especially the key CertificateTransparencyEnforcementDisabledForCas is pivotal for us, in order to whitelist exactly those sites having certificates based on our internal root CA.
However Vivaldi seems to ignore that setting, leaving me with tons of security warnings, and more importantly no password manager!!
Who is able to help me?
-
Hi Gwen,
thanks for responding
I added the internal CA to Trusted Root Certificates, however that makes no difference.
From Windows' point of view, the certificate was valid before, and still is valid (after all, there is a valid chain of trust up to GlobalSign Root CA).
Still, Vivaldi tells me the certificate is invalid because of missing Transparency logs (as checked by the Chromium engine).
Currently I have a registry key below HKEY_LOCAL_MACHINE, as documented in the link above:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas
...and there one entry "1" with sha256 key for our CA.
Sadly all registry changes are subject to our corporate device management. I can't apply any changes or add new entries (not even to HKEY_CURRENT_USER which should "belong" to me), due to missing admin rights.
So, our corporate system admins did care for Chrome, but obviously not for Vivaldi (and most probably I will not be able to reach ends for this).
I am on Vivaldi 2.3.1440.48 (Stable channel) (32-Bit).
-
OK, that would make sense.
However it seems I do not have permissions to edit the Registry, neither in HKEY_LOCAL_MACHINE nor HKEY_CURRENT_USER
So, unless someone comes up with a different idea, it seems I will have to choose between
a) ditching Vivaldi again in favor of our corporate Chrome.
b) using Vivaldi and getting mad about non-functional password manager
c) trying to convince our global IT management to formally introduce Vivaldi -- most probably leading to a) by management order
-
Curious...
I can create and edit registry keys below HKEY_CURRENT_USER\Software\Vivaldi, but not below HKEY_CURRENT_USER\Software\Policies
I know, hardening security is a primary goal in our organisation. Generally I agree on this, only now I feel frustrated
Is there anything I could set below HKEY_CURRENT_USER\Software\Vivaldi to help me?
-
It could be worth it to try to create a .reg file and execute it to add to the registry, even if editing directly is forbidden. But probably it won't work either as that location is meant to be used for GPOs and distributed by domain admins.
https://support.microsoft.com/nb-no/help/310516/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg
Always worth a try
In the end I suspect the last thing to do is to ask the admins nicely to add this, explain your use case and why you need it. It would help if your job actually involves use of a browser, for instance searching for information and using sites more efficiently. You need to convince them you have the technical skills to fix stuff yourself if it doesn't work after they help you, they are not interested in being your personal IT support
There are usually very good reasons why a company would restrict browser choice, for one it would be a mess to have IT support for all the different browsers, and also testing different intranet sites in every browser takes time.
This is one reason at my work I used Firefox (Portable), as it allows stuff like adding certificates and all settings by the user, while Chrome/Vivaldi is locked to a lot of OS settings - which IMO is a Bad Bad Thing. After a while they relaxed their policies as they understood a lot of the tech/developer types wanted to have a choice of browser, and not be stuck with IE forever
Chrome - The New Internet Exploder, For Your Enterprise Needs
-
Of course I tried using a .reg file, too. But no luck there as well, only some error message
I will try discussing this with admins.
At least my tasks include QA and dev support, so I might have a chance.
But browser "harmonization" actually is an IT goal, in order to reduce chances for not-up-to-date browsers (read: security risks).
And I am afraid, any colleague will be able to unmask my reasons as poor excuses ("so why don't you just use our corporate Chrome instead??")
Thanks for your support, nevertheless
-
@klXXdpag
Perhaps you have moved on in the last year, but here's a solution for others in the same situation. Yes it is simple, no it does require time. Definitely isn't for a home-user that's happy with the in-browser Settings dialog box. I will describe it broadly, you'd have to look up the details.
Basically, be aware that there are 3 ways to "admin" Chromium-based browsers. Via GPO centrally, via registry locally, and via JSON locally for a stand-alone install. Your "corporate Chrome" uses one of the first 2, your requirement as a non-admin user can be satisfied by the 3rd option.
Steps:
1. Prepare the policies to your liking. Download the Google Chrome MSI and ADMX admin-policy template. Import the policy files on a test PC, play around in the GPedit.msc to set policies, see which settings you want, maybe some settings are deprecated and you need to pick an alternative, maybe you want to force-install a few extensions on first run. When it is all just right, test it on Vivaldi by changing the RegistryPath to HKLM\SOFTWARE\Policies\Vivaldi. I mean, export the Chrome policies, edit REG file, import as Vivaldi policies. This is the step that OP has probably done already on his home PC.
2. Convert those registry policies to a JSON file. In the Vivaldi address bar, type chrome://policy which will promptly redirect to vivaldi://policy. Click the "Export to JSON" button, and save the file, maybe open in Notepad and clean it up if you like.
3. Place the file to apply policies. Take the prefs-JSON file you created/cleaned in step 2 above, rename it to master_preferences without a file-extension. Place it in the same folder as vivaldi.exe. For example, you may have a portable/stand-alone install where the EXE is located at D:\Apps\Vivaldi\Application\vivaldi.exe. The policy file would sit right next to the EXE, at D:\Apps\Vivaldi\Application\master_preferences.
4. Testing first. I repeat, test all this at home if you can. If not the trust certificate, try applying some other settings/policy in this method. Delete the Vivaldi policies that you imported into HKLM registry in step 1, restart, verify that the expected settings are definitely being applied from the JSON file. If something isn't right, you'd rather catch it at home (preferably in a VM) than waste time and pull your hair out at work.
-
Having said that, I confirm that this method does work with Vivaldi/Opera/ChrEdge/Chromium. Obviously, my pick of the lot is Vivaldi. It's just a shame that the old Opera engine (my beloved!!!) was junked, and then the new Opera went to pot... The only real alternative left is Firefox and THAT is a different can of worms.
-
Caution: If you are force-installing an extension on Opera/ChrEdge, it has to be from, and exist on that browser's own Extension-Store. No matter whether you are doing so using GPO/reg/json.
If it helps, know that it has taken you longer to read and comprehend all this, than it will take to actually do it.
For the curious, in the address bar go to about:about in Chrome/Chromium to see a full list of internal settings/diagnostics pages that you can look up in all Chrome-based browsers (including Vivaldi).
-
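Step 1 of the last post (export the Chrome policies, edit the REG file, import as Vivaldi policies) is the part an administrator can script. The following is an added example, not code from the thread or from Vivaldi: the function names and the sample export are constructed, the hash is a placeholder, and the Vivaldi key path is the one given in the post. It rewrites only key headers and lists any Certificate Transparency exceptions so they are reviewed before being carried over.

```python
import re

# Key paths as given in the thread: Chrome's policy key and the Vivaldi key from the post.
CHROME_KEY = r"SOFTWARE\Policies\Google\Chrome"
VIVALDI_KEY = r"SOFTWARE\Policies\Vivaldi"
# Chrome's CT exception policies share this name prefix (ForCas, ForLegacyCas, ForUrls).
CT_PREFIX = "CertificateTransparencyEnforcementDisabled"

# A .reg section header under the Chrome policy key, with optional "-" (delete) and subkey.
_HEADER = re.compile(
    r"^\[(-?)(HKEY_[A-Z_]+)\\" + re.escape(CHROME_KEY) + r"(\\[^\]]*)?\]\s*$",
    re.IGNORECASE,
)

def retarget_policy_export(reg_text):
    """Rewrite Chrome policy key headers to the Vivaldi key.

    Returns (new_text, moved_keys). Value lines are never modified, even if
    they contain the Chrome path. regedit writes 5.00 exports as UTF-16, so
    decode the file before calling this.
    """
    out, moved = [], []
    for line in reg_text.splitlines():
        m = _HEADER.match(line)
        if m:
            delete, hive, sub = m.group(1), m.group(2), m.group(3) or ""
            line = "[%s%s\\%s%s]" % (delete, hive, VIVALDI_KEY, sub)
            moved.append(sub.lstrip("\\") or "(policy root)")
        out.append(line)
    return "\r\n".join(out) + "\r\n", moved

def ct_exceptions(moved_keys):
    """Return the retargeted keys that relax Certificate Transparency enforcement."""
    return [k for k in moved_keys if k.startswith(CT_PREFIX)]

# Constructed sample export; the SPKI hash is a placeholder, not a real value.
SAMPLE = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]",
    r'"HomepageLocation"="https://intranet.example/"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas]",
    '"1"="sha256/PLACEHOLDER_SPKI_HASH="',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Other\Vendor]",
    r'"Note"="[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Chrome]"',
])

if __name__ == "__main__":
    print(ct_exceptions(retarget_policy_export(SAMPLE)[1]))
```

After importing the rewritten file, vivaldi://policy shows which of the retargeted policies the browser actually picked up.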