1243360 - Firefox 44: Error message about untrusted connection not correct

Status: RESOLVED INCOMPLETE

(Core :: Security: PSM, defect)

Description

[petra.mueller29]

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160106231004

Steps to reproduce:

Open a website that is using SSL together with either a self-signed certificate or where the root certificate is untrusted or not in certificate store on the browser or system. A warning will appear then.


Actual results:

In the latest version of Firefox a new error message for both self-signed and untrusted certificates has been introduced, saying "the owner of domain.tld hasn't configured the website correctly."

That is not necessarily true: It could be that the system or the browser just do not have the root certificate installed or that they don't trust them. Then this is not an issue of the server but of the client!


Expected results:

Please correct the error message and make it more clear.

Comment 1

[Loic]

Link to website please?

Comment 2

[petra.mueller29]

For instance: https://wrong.host.badssl.com/

Comment 3

[petra.mueller29]

Attachment: FF44_TLSError.png

Example error message (in german)

Comment 4

[petra.mueller29]

Please also compare https://entwickler-ecke.de
The CA there is the admin himself (grohne-ASDC2-CA) but that does not mean that the server is configured wrong as the error states.

Comment 5

[:Cykesiopka]

Thanks for filing the report.

Changes were made in Bug 1131227 to add two more strings to address the unimported root certificate case.

Regardless, I not sure think making changes here are worth it. The error wording here, as I understand it, is geared towards helping average users understand the risk of such issues, and adding too much (confusing to average user) text just to satisfy power users that already should know that the tradeoffs are seems like the wrong tradeoff.

I feel like WONTFIXing this. David, any thoughts?

Comment 6

[petra.mueller29]

I would change the sentence "The owner of Domain.TLD hasn't configured the webserver correctly" to   something like "The issuer of the certificate is unknown and therefore FireFox doesn't trust the connection" or "The certificate is self signed and therefore FireFox doesn't trust the connection"

That'd be correct and easy to understand for everyone IMHO. Right now non-power-users are really confused and not sure whether they should take the risk to accept the certificate and visit the website.

Comment 7

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Petra, if you click the "Advanced" button, does the text there adequately explain the situation?
In any case, Cykesiopka is right - our goal is to optimize the UX for the common case, which basically means non-technically savvy users and expired certificates.

Comment 8

[petra.mueller29]

David, yes the text found under "Advanced" explains it much more accurate. 
I wish you would encounter the text without needing to click the "Advanced" button first.

Just a short but true anecdote: 
I once set up a website with a self signed certificate (back when there wasn't Let's Encrypt or Startcom) and asked my parents, who are definitely non-technical persons, to visit it. The reaction was "It says the connection is not secure, what shall I do?" and "Are you certain it's fine?"
After telling them that I created the certificate myself and since I didn't want to spend money I decided to sign it myself instead of let it be signed by an official authority and that's why the browser now throws this warning, they were fine about it, knowing that the SSL connection was actually secure, though it was not approved by an official CA.

I would like to give a non-technical savvy users a short and easy to understand explanation about what is going on, so that they are not made feeling unsure. That's why I like to ask to give me some time to interview some of my technical untalented friends about their experience with it and then I will report back -- hopefully with an sensible solution with which everyone is satisfied. :-)

Comment 9

[goosbyk2015]

Greetings, I have been getting "Untrusted Connection" when I tried to go to any of the following page with no way of add an exception: most of anything google related and Facebook login. I don't know if it is a problem with Sea Monkey's latest update or what. I would like to have this resolved. 

mail.google.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: <a id="errorCode" title="SEC_ERROR_UNKNOWN_ISSUER">SEC_ERROR_UNKNOWN_ISSUER</a>

www.facebook.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: <a id="errorCode" title="SEC_ERROR_UNKNOWN_ISSUER">SEC_ERROR_UNKNOWN_ISSUER</a>

Comment 10

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

The most likely reason you're seeing that message is because you're connecting through a TLS intercepting proxy (either one running locally on your machine, such as antivirus software, or one running on your network, such as a firewall). To resolve this issue, what you should be able to do is determine what root certificate the proxy is expecting you to trust and importing it via the certificate manager.