Closed Bug 1450784 Opened 6 years ago Closed 6 years ago

Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED

Categories

(Firefox :: Security, enhancement, P1)

Tracking

VERIFIED FIXED
Firefox 66
Tracking Status
firefox65 --- verified
firefox66 --- verified

People

(Reporter: bugzillaPost120030in, Assigned: johannh)

References

(Blocks 1 open bug)

Details

User Story

Copy: https://docs.google.com/document/d/18mKAiSSLRTVcjJ1C9rIMQRnQ7eMwqqXPPN0xIyW6DDI/edit?ts=5bbbb54b#heading=h.mcadi4jcfgzg

Attachments

(1 file)

I get this message erroneously:

>Your connection is not secure

>The owner of www.youtube.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

>This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

>www.youtube.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
(The error code is clickable, but brings up the text of the cert, not something useful.)

The message says things that **aren't true**. I installed Kaspersky and it's causing this. We have a useful page for helping folks understand and address this problem, at https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER, but we're not directing folks to it.

It's NOT TRUE that "The owner of www.youtube.com has configured their website improperly."

Looking in comm-central, it looks like the error message is in 3 places, currently:
https://dxr.mozilla.org/comm-central/search?q=The+owner+of+has+configured+their+website+improperly.&redirect=false ; so I'm not sure which component to file this under; making a guess at an appropriate initial choice.

I'm not sure if that troubleshooting page covers all reasons for seeing the "The owner of <span class='hostname'/> has configured their website improperly.  To protect your information from being stolen, &brandShortName; has not connected to this website.">". I propose changing it to something like:

It seems that the owner of <span class='hostname'/> has configured their website improperly.  To protect your information from being stolen, &brandShortName; has not connected to this website.  To troubleshoot this error, [see this support article].">

A smaller but perhaps also appropriate change would be to have the SEC_ERROR_UNKNOWN_ISSUER text link to the support article instead of do what it currently does.
Moving to an appropriate component so it can be triaged. I think there are existing bugs on this, but from a cursory search I couldn't find anything.
Component: Security: Review Requests → Security: PSM
Product: Firefox → Core
All text changes are Firefox security now and not PSM. There's bug 1442203 to track progress of improving error pages.
Note that HSTS trumps any other error like unknown issuer because Firefox knows that there's a good cert for that page. I don't think this should change. That said with the new man-in-the-middle detection we might want to give that priority over HSTS.
Component: Security: PSM → Security
We have sufficient indication from Telemetry that MOZILLA_PKIX_ERROR_MITM_DETECTED is catching quite a bunch of sites and would like to start warning users when they hit a MitM-induced error.

https://mzl.la/2NzmHrI
Priority: -- → P2
Summary: Error message should be more useful when AV is interfering with SSL connections. → Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED
User Story: (updated)
Assignee: nobody → jhofmann
Status: NEW → ASSIGNED
Priority: P2 → P1
Just confirming you're able to review. Thank you!
Flags: needinfo?(nhnt11)
Nihanth already reviewed
Flags: needinfo?(nhnt11)
Attachment #9027455 - Attachment description: Bug 1450784 - Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,franziskus,keeler → Bug 1450784 - Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/05e25df4db43
Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8c51ad4a6b72
Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler
https://hg.mozilla.org/mozilla-central/rev/8c51ad4a6b72
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 65
Flags: needinfo?(jhofmann)
Target Milestone: Firefox 65 → Firefox 66

Both Bypassable and Non-Bypassable error certificates verified on the following Nightly build:

Build ID 20190117095319
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

Verified on the following build.
Build ID 20181207093029
User Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0

Status: RESOLVED → VERIFIED