Closed
Bug 1484006
Opened 6 years ago
Closed 5 years ago
[meta] Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement
Categories
(Web Compatibility :: Site Reports, defect, P1)
Tracking
(firefox-esr52 unaffected, firefox-esr60 unaffected, firefox61 unaffected, firefox62 unaffected, firefox63 affected)
RESOLVED
FIXED
People
(Reporter: kathleen.a.wilson, Unassigned)
Details
(Keywords: site-compat)
Bug #1460062 implements the distrust of any TLS certificate that chains up to an old Symantec root, regardless of when it was issued.
Reference: https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/
On August 14, 2018, users of Firefox Nightly (FF 63) started getting the MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED for websites whose SSL certificates still chain up to the old Symantec root certs.
The purpose of this bug is for Firefox Nightly users to report the websites for which they run into this error, rather than filing a bug for each problematic site.
Reporter
Comment 1•6 years ago
I have closed Bug #1436062, since it was in regards to the previous phase of the distrust of the old Symantec roots.
Here's a list of the sites that were reported in that bug, but are in regards to the current phase.
https://www.orange.fr/
https://www.hsbc.fr
https://my.ebay.co.uk/
https://www.johnlewis.com/
https://www.pcworld.co.uk/
https://www.currys.co.uk/
https://www.southwesttrains.co.uk/
https://home.bt.com/
https://www.o2.co.uk/
https://oyster.tfl.gov.uk/
odeon.co.uk
cineworld.co.uk
myvue.com
https://www.mcdonalds.com
https://www.addisonlee.com/
https://uk.lush.com/
https://www.free.fr/
https://www.republicservices.com/
bofa online banking billpay page
Comment 3•6 years ago
important
Enforcement of this error can be disabled by setting security.pki.distrust_ca_policy to '1' in about:config. Changing the value back to '2' will re-enable this change. If you choose to make this change, please heed the warnings presented when accessing about:config.
Comment 5•6 years ago
https://www.consumerreports.org/
Comment 6•6 years ago
https://www.iso10383.org/
Comment 7•6 years ago
https://www.autotrader.co.uk/ https://www.santander.co.uk/ https://www.nationwide.co.uk/ are what I've hit so far.
Comment 8•6 years ago
https://www.etymonline.com/ Is one I just ran into.
Comment 9•6 years ago
https://www.onlinebrokerage.cibc.com/
Comment 10•6 years ago
https://bahn.de (one of the biggest (probably the biggest?) public transport providers in Germany)
Comment 12•6 years ago
as per bug 1483734:
https://online.sberbank.ru/
https://www.my.commbank.com.au/
https://www.paypal.com/
several subdomains on ebay:
https://www.ebay.de/itm/Gamer-PC-ASUS-AMD-Ryzen-3-2200G-4x3-7GHz-256GB-SSD-DDR4-Komplett-PC-System-/392054494595 iframe: https://screenshots.firefox.com/p49KeXQavMeNGGKa/www.ebay.de
https://www.ebay.com/itm/HP-10-P010NR-10-1-Touch-Laptop-Intel-Atom-X5-Z8350-1-44GHz-2GB-32GB-Windows-10/263455736394 iframe: https://screenshots.firefox.com/snB1YvfYHAoM5NQv/www.ebay.com
Should this bug rather live under "Tech Evangelism" as it is about something the owners of those sites have to change?
Comment 13•6 years ago
https://scgi.ebay.com.au (e.g. serving verification codes for form submission) Screenshot: https://screenshots.firefox.com/UJZpXJEAuTyvCgZS/contact.ebay.com.au
Comment 14•6 years ago
Add https://secure.osp.ovh.com/ to the list.
Comment 16•6 years ago
https://www.ndtv.com/ as per bug 1484426
Comment 17•6 years ago
https://netvibes.com is broken because cdn.netvibes.com uses a Symantec certificate.
Reporter
Updated•6 years ago
Assignee: nobody → nobody
Component: CA Certificates Code → Desktop
Product: NSS → Tech Evangelism
Version: 3.35 → unspecified
Reporter
Comment 18•6 years ago
(In reply to Albert Scheiner [:alberts] from comment #12)
> Should this bug rather live under "Tech Evangelism" as it is about something
> the owners of those sites have to change?
Good point. I updated the bug component/product. Thanks.
Updated•6 years ago
Keywords: site-compat
Comment 20•6 years ago
2 of 4 Japanese major bank sites are blocked due to Symantec EV cert: https://web.ib.mizuhobank.co.jp/ https://www.resonabank.co.jp/
Comment 21•6 years ago
Add: https://www.duke-energy.com/our-company/about-us/smart-grid/smart-meter
Comment 22•6 years ago
https://www.avg.com/en-au/homepage lol
Comment 23•6 years ago
https://nvidia.custhelp.com/
Comment 26•6 years ago
https://login.frontier.com as per bug 1484546
Comment 27•6 years ago
https://online.virginmoney.com/
Comment 28•6 years ago
https://www.privatbank.ua/ https://www.olx.ua/
Updated•6 years ago
See Also: → https://webcompat.com/issues/18304
Updated•6 years ago
See Also: → https://webcompat.com/issues/18215
Comment 29•6 years ago
https://www.sciencenews.org/
Comment 30•6 years ago
https://trafficinfo.westjr.co.jp/
Some sites under jal.co.jp
https://www.5971.jal.co.jp/
https://www121.jal.co.jp/
https://sp.jal.co.jp/
https://intltoursearch.jal.co.jp/
Comment 32•6 years ago
another affected site: https://www.docusign.net - still works on home page but after login not working anymore. --> https://na2.docusign.net/member/MemberLogin.aspx?ReturnUrl=/Member
Comment 33•6 years ago
https://login.dpreview.com
Comment 35•6 years ago
https://www.accc.gov.au/
Comment 36•6 years ago
https://pay.ebay.com.au
Comment 37•6 years ago
https://www.surugabank.co.jp/ (Planning to fix the situation)
https://www.jcb.co.jp/ (Planning to fix the situation)
https://faq.jcb.co.jp/ (Planning to fix the situation)
https://jcb.custhelp.com/ (Planning to fix the situation)
https://www.okidokiland.com/
https://www2.cr.mufg.jp/
https://mail.ocn.ne.jp/
https://sp5971.jal.co.jp/
Comment 38•6 years ago
I know ebay is already in here for a bunch of domains, but there's also: https://cgi5.ebay.com Which seems to be used for selling items. Also: https://1eaf.cardinalcommerce.com/ Which was used by homedepot.com to do the verified by AmEx (and presumably verified by VISA) thing.
Comment 39•6 years ago
You can add the Playstation Store to the list of sites https://store.playstation.com
Updated•6 years ago
See Also: → https://webcompat.com/issues/18365
Comment 41•6 years ago
Ameriprise Financial login https://www.ameriprise.com/client-login/
Comment 43•6 years ago
Navy Federal Credit Union's online Banking: https://myaccounts.navyfederal.org First National Bank of Pennsylvania's online banking: https://banking.fnb-onlinebankingcenter.com (the general sales-pitch landing page for both institutions is fine, it's just the online banking area that's using a Symantec cert in both cases)
Updated•6 years ago
See Also: → https://webcompat.com/issues/18355
Updated•6 years ago
See Also: → https://webcompat.com/issues/16109
Comment 44•6 years ago
https://www.privilegepurchaseclub.co.uk/
See Also: → https://webcompat.com/issues/14287
Comment 46•6 years ago
https://www.lhv.ee/ (Estonian bank heavily relying on online banking) fails as well.
Comment 48•6 years ago
https://www.intel.co.jp/ (Intel Driver & Support Assistant Tray is affected)
Comment 49•6 years ago
Updated info for comment #30 and comment #37.
Sites below will be fixed before 2018-10-16.
https://www.5971.jal.co.jp/
https://www121.jal.co.jp/
https://sp.jal.co.jp/
https://intltoursearch.jal.co.jp/
https://sp5971.jal.co.jp/
https://www.jcb.co.jp/
https://faq.jcb.co.jp/
https://www.okidokiland.com/
https://jcb.custhelp.com/
https://www.surugabank.co.jp/
Site below is now fixed.
https://trafficinfo.westjr.co.jp/
Comment 50•6 years ago
I can not enter https://www.thesims3.com without getting this error and there is no option to add this public site to an exception list. I am using the Nightly browser.
Comment 51•6 years ago
add BMO Harris Bank bill pay to the list please
Comment 52•6 years ago
https://particuliers.societegenerale.fr/ (subdomain related to pictures and CSS)
Comment 55•6 years ago
https://www.horizonblue.com is another site affected by this.
Comment 56•6 years ago
https://www.freedommobile.ca/ GeoTrust EV
Comment 58•6 years ago
https://www.labanquepostale.fr/ https://www.valdefrance.banquepopulaire.fr/
Comment 60•6 years ago
As per bug 1486041 https://yourfnbbank.com https://fnbsal.secure.fundsxpress.com
Comment 61•6 years ago
https://identity.idp.tableau.com/
Comment 62•6 years ago
https://blog.it.playstation.com/
Comment 63•6 years ago
https://www.miele.at/ (household appliances, Symantec cert)
A more tricky one is https://hotspot.t-mobile.net/TD/hotspot/MUC_Airport/en_GB/index.html which is the entrance page to free wifi at MUC airport (apparently the domain is only reachable from their wifi hotspots, but I guess T-Mobile Germany / Deutsche Telekom is the operator)
Comment 65•6 years ago
https://mabanque.fortuneo.fr as per bug 1486222
Comment 66•6 years ago
https://www.arborday.org/ https://www.arbordayfarm.org/ https://www.liedlodge.org/ I messaged @arborday on Twitter, FWIW.
status-firefox61: --- → unaffected
status-firefox62: --- → unaffected
status-firefox63: --- → affected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
OS: Unspecified → All
Comment 68•6 years ago
https://www.oui.sncf/
Comment 69•6 years ago
Got it this morning. I cannot access PayPal when I wanted to buy an album on Bandcamp. I had to use Chromium instead :(
Comment 70•6 years ago
(In reply to Frederic Bezies from comment #69)
> Got it this morning. I cannot access PayPal when I wanted to buy an album
> on Bandcamp. I had to use Chromium instead :(
as mentioned in comment 3 above
> Enforcement of this error can be disabled by setting security.pki.distrust_ca_policy to '1' in about:config.
> Changing the value back to '2' will re-enable this change. If you choose to make this change, please heed the
> warnings presented when accessing about:config.
alternatively you could use Firefox Beta or Developer Edition for the time being.
Comment 71•6 years ago
You can remove Com Bank from the list. I had a chat to them on Facebook and they have fixed the issue. Likely someone should reach out to orgs listed on this list and give them a gentle prod. Paypal and Ebay in particular. (I haven't needed to try Ebay but Paypal was out when I used it yesterday.)
Reporter
Comment 72•6 years ago
(In reply to Yani from comment #71)
> You can remove Com Bank from the list. I had a chat to them on Facebook and
> they have fixed the issue. Likely someone should reach out to orgs listed on
> this list and give them a gentle prod. Paypal and Ebay in particular. (I
> haven't needed to try Ebay but Paypal was out when I used it yesterday.)
Yani, Thank you for reaching out to the owner of a website, to let them know that they needed to update their SSL certs!
All, seems like a great idea to me... If you can reach out to the owners of the websites that you use, they might fix their webserver certs quickly. I suppose it is possible that owners of the smaller websites may not be aware that their sites are starting to break due to the planned distrust of the old Symantec roots.
Comment 73•6 years ago
I've reached out to a few:
ovh: No response
virgin money: They forwarded my request to another dept, no response since
nationwide: They said they have updates coming soon but didn't specify a date
odeon: Couldn't find an email to send to.
paypal: Got forwarded to another dept, no response since.
myvue: No response
It may be the cynic in me but I'd bet that a large portion of the sites listed here will only replace their certs either just before this hits the stable channels (in chrome or firefox whichever comes first) or will panic once they get inundated by people complaining after it hits stable. I also think this has already hit safari, my wife has an iPhone and myvue.com throws a security warning for her.
Comment 74•6 years ago
https://suchen.mobile.de/ is affected as well
Comment 75•6 years ago
https://bazonline.ch/ affected
Comment 76•6 years ago
https://www.agcom.it/ AGCOM is the Italian communication authority. No response from their webmasters so far.
Comment 77•6 years ago
https://online.pcmastercard.ca
Comment 78•6 years ago
https://www.bundesliga.com
Comment 80•6 years ago
(In reply to Florent from comment #68)
> https://www.oui.sncf/
I pinged Oui.SNCF on twitter about this and via a few internal contacts I have.
Wait'n see
Comment 82•6 years ago
https://banking.capitalone.com/
Comment 83•6 years ago
German ISPs
https://www.netaachen.de/
https://account.1und1.de/
https://hilfe-center.1und1.de/
I tried to contact both of them. (We'll see, if they'll answer)
Comment 84•6 years ago
https://www.netcologne.de/
Some German cities:
https://www.bocholt.de/
https://www.borken.de/
https://www.muenster.de/
German public transport
https://www.vrr.de/
https://www.puenktlichkeitsversprechen.de
Comment 85•6 years ago
Don't know if they're listed but you can add:
https://www.pole-emploi.fr/accueil/ -> French employment services
https://www.cdiscount.com/ -> French Amazon-like online shopping
Comment 86•6 years ago
(In reply to Frederic Bezies from comment #85)
> Don't know if they're listed but you can add:
>
> https://www.pole-emploi.fr/accueil/ -> French employment services
> https://www.cdiscount.com/ -> French Amazon-like online shopping
I contacted pole-emploi one week ago by email, the change is planned.
Comment 88•6 years ago
(In reply to Guillaume Démésy [:magsout] from comment #86)
> (In reply to Frederic Bezies from comment #85)
> > Don't know if they're listed but you can add:
> >
> > https://www.pole-emploi.fr/accueil/ -> French employment services
> > https://www.cdiscount.com/ -> French Amazon-like online shopping
>
> I contacted pole-emploi one week ago by email, the change is planned.
Thanks for the info. Looks like a lot of sites are broken... When Mozilla Firefox 63 will be released, there is going to be a lot of shouting...
Comment 89•6 years ago
(In reply to Frederic Bezies from comment #88)
> Thanks for the info. Looks like a lot of sites are broken... When Mozilla
> Firefox 63 will be released, there is going to be a lot of shouting...
Maybe, esp. because those sites will break in Chrome release just about at the same time:
"Around the week of October 23, 2018, Chrome 70 will be released, which will fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued."
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
So at least the shouting will not be about Mozilla/Firefox only, I hope, as AFAIK all major browser vendors will distrust Symantec at about the same time (Chrome Canary has the same "issues" as Firefox Nightly with this right now, from what I hear).
Comment 90•6 years ago
Also reproducible on the Help section of https://www.scottishpower.co.uk/
Comment 91•6 years ago
(In reply to Gingerbread Man from comment #65)
> https://mabanque.fortuneo.fr as per bug 1486222
Fortuneo acknowledged the issue and replied on twitter that SSL certificate updates are planned soon: https://twitter.com/fortuneo/status/1034708546364076032
(In reply to Florent from comment #80)
> (In reply to Florent from comment #68)
> > https://www.oui.sncf/
>
> I pinged Oui.SNCF on twitter about this and via a few internal contacts I
> have.
>
> Wait'n see
I also had feedback from Oui.SNCF. They are aware of the issue and an update with certificates issued by COMODO is planned in September.
Comment 92•6 years ago
Add https://www.leekunited.co.uk to the list. I've pinged them an email.
Comment 93•6 years ago
https://cnnindonesia.com (CNN Indonesia, the global CNN site uses GlobalSign certificate)
Comment 94•6 years ago
https://kemdikbud.go.id (Indonesia's Ministry of Education website)
Comment 96•6 years ago
https://globe.akamai.com/
Comment 97•6 years ago
(In reply to rowan from comment #14)
> Add https://secure.osp.ovh.com/ to the list.
I contacted them by Twitter https://mobile.twitter.com/magsout/status/1031426967558647808
Comment 99•6 years ago
https://myservices.brighthouse.com/ is another one.
Comment 100•6 years ago
https://nettbank.handelsbanken.no/authenticate/login/selectauth?configKey=sb9055 (online banking) https://insideflyer.no/
Comment 102•6 years ago
https://www.etsy.com/
Comment 103•6 years ago
https://www.gumtree.com/
Comment 104•6 years ago
https://menhdv.com/tags/Threesome/ https://pulsar.ebay.com.au/plsr/clk/0/SADS/9?pld=%7B%22mecs%22%3A%2211305851525642747b238df84ed7b58ec1f7cde61c94%22%2C%22enc%22%3A%22AQADAAACsCyfX2LaVug085QT2kERMzuAjvCNBeqXHug5pDuQtpH9aukNr481H8AB5%2Bblbkw7ogHRs89lRKXvISICPeYY8YTR1rz%2BhbJd3KD1oH%2BXjBrZ%2B3zBIHOynX0pan5LqVS%2BT1%2FvQXPrKTxcYizv%2F%2FhTd%2BSO8Dx2eM5%2B7cViLR%2FQk0C%2FzB%2BShI90tBWa7GIReJ7rckkH3JoAXunh3Z44tvu8TUNqKLlPJwvMsIo1YLoTDxHt2yiVUhF3DTFLzPETlor0leEAglB81HC%2BxrmOTGxp0K8sbwEp8Rhg6qC0%2F3f99m%2B14f1y5C940fzfSor7HbQaV39SWRFgQ8PisuDNdInDhnfS35U19IROKmkIeIsFRgWJc83GfKWDdlzszdDDVvAroXExGVl0uhq2oTdMQ4ow3ArwasKBcN7anuiuNCAtaJ7UQOe2WOnD2HJ8K4lBOeZvp5qEp1%2FyBt56zeVablt%2BX00jVaPCC2t%2BCwNeNENIdtYeywim5xW2OkxL0CVaXB16IaeVjPltZPZVfsZaDkUQW2Aj6FoSVOIwGr91S0feVLtSkXmeTiogSBFDqYHNYXezGAsLdH7qFavrJVuPjL3wIWuSauKIhTfVbSJVNv2ZvqFZ5KmOABfBKIxwd%2BVr0sCpHysod4MdQAMzR70jMFdUd3mhs1bB4caoPtJnzKtYP4BKOCvwynDlUvwB8DcjTQGtL954Y1CJwNlxq91uGVP2%2BaIAB2l5CLaAze5e%2F6xbyjvC0Gq93Vq8aEspqzK999XhTuV0RutfdWJ%2FPlSKXotMhZ8uKp3t3ztmXvq7fRFDmXU1Za9Q6jeVM85tDcBvJWCzUCCRnfYlh35bnMuXikziHQHwJJptevzkvVAAKtvcmZUTA%2FeCPeo9vLiC6V30j0P1bB2Sm8BNPYgiZ527At3vpVg%3D%22%7D https://pay.ebay.com.au/xo?action=create&rypsvc=true&pagename=ryp
Comment 105•6 years ago
I do not receive a certificate notice anymore on https://login.frontier.com/webmail on Windows computer but I still get a warning with my Macbook Pro computer when accessing https://login.frontier.com/webmail. Just an FYI. Have cleared cookies and history.
Comment 106•6 years ago
(In reply to Gingerbread Man from comment #60)
> As per bug 1486041
> https://yourfnbbank.com
> https://fnbsal.secure.fundsxpress.com
certs have been updated on the aforementioned sites. Working now under version 63.0a1 "nightly".
Comment 107•6 years ago
https://login.openathens.net - I've emailed their support.
Comment 109•6 years ago
Also affected: subpages of one of Germany's larger newspaper FAZ (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/, https://abo.faz.net/ and https://einspruch.faz.net
Comment 110•6 years ago
Further to comment 6, https://www.iso10383.org/ is no longer affected. I can also no longer find any affected links run by SWIFT from the list at https://viewdns.info/reversewhois/?q=S.W.I.F.T.+SCRL (known: lots of these do not point at a website or just redirect to https://www.swift.com ).
Comment 111•6 years ago
https://www.equabank.cz/ uses Thawte SSL (Symantec group) and is also affected.
Comment 112•6 years ago
(In reply to Tobias Burnus from comment #109)
> Also affected: subpages of one of Germany's larger newspaper FAZ
> (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/,
> https://abo.faz.net/ and https://einspruch.faz.net
I sent an email to info@faz.net.
Comment 113•6 years ago
Another one: https://webmail.free.fr/ = webmail interface from a French ISP.
Comment 114•6 years ago
https://kakaocorp.com Kakao, a South Korean tech company (AFAIK it is still using Thawte)
Comment 115•6 years ago
https://www.nationwide.co.uk is now fixed.
Comment 116•6 years ago
(In reply to Kathleen Wilson from comment #1)
> I have closed Bug #1436062, since it was in regards to the previous phase of
> the distrust of the old Symantec roots.
Haven't made it through all of them, but some
> Here's a list of the sites that were reported in that bug, but are in
> regards to the current phase.
These work for me => seem fixed:
> https://www.orange.fr/
> https://www.hsbc.fr
> https://my.ebay.co.uk/
> https://www.johnlewis.com/
> https://www.o2.co.uk/
I have sent emails to these:
> https://www.pcworld.co.uk/
> https://www.currys.co.uk/
> https://home.bt.com/
> https://oyster.tfl.gov.uk/
and this one is a "Bad Cert Domain" rather than Symantec:
> https://www.southwesttrains.co.uk/
These ones are still broken and need to be contacted:
> odeon.co.uk
> cineworld.co.uk
> myvue.com
> https://www.mcdonalds.com
> https://www.addisonlee.com/
> https://uk.lush.com/
> https://www.free.fr/
> https://www.republicservices.com/
> bofa online banking billpay page
Comment 117•6 years ago
https://jakarta.go.id (Official website of Government of Jakarta, Indonesia)
Comment 118•6 years ago
https://www.ticketpro.cz/jnp/home/index.html also does not work.
Comment 119•6 years ago
https://online.virginmoney.com/ is now fixed.
Comment 120•6 years ago
https://www.southwesttrains.co.uk/ Local knowledge: This company essentially no longer exists. The ludicrous muddle of "privatising" a natural monopoly in the form of Britain's railways means companies like South West Trains run "franchises" which run for some period of time, and they can be outbid when renewing the franchise. The exact same trains, with the same employees, running the same services, but with new paint or in some cases stickers, are now South Western Railway as opposed to South West Trains, a legally different company and different beneficial owners. So even if South West Trains legally does still operate that site, or it's being operated by South Western Railway instead after the transition, it is unlikely they'll fix it. Fortunately passengers were at the wrong site anyway, when they Google they'll end up at SWR. In a sense the blame, as usual, lies with the ideologues who made this mess necessary.
Comment 121•6 years ago
https://hoyts.co.nz One of the larger cinema chains in New Zealand
Comment 122•6 years ago
https://tools.cisco.com
Comment 123•6 years ago
https://hoyts.com.au/ - raised a ticket (317009), also included https://hoyts.co.nz
Comment 124•6 years ago
https://webpayments.billmatrix.com is broken as well. It is a web payment portal.
Comment 125•6 years ago
https://toolbox3.iinet.net.au/login
Comment 126•6 years ago
https://c.xkcd.com/ which is used for xkcd's random function. I've sent an email about it.
Comment 127•6 years ago
(In reply to Bob from comment #125)
> https://toolbox3.iinet.net.au/login
I've reached out to iinet.
Comment 128•6 years ago
Contacted jakarta.go.id site author via Twitter: https://twitter.com/ReinPre10/status/1038085227573272578?s=19
Comment 129•6 years ago
Transport for London TechForum post added: https://techforum.tfl.gov.uk/t/symantec-ssl-tls-certificate-distrust/671/
Comment 130•6 years ago
https://bankmandiri.co.id (Mandiri Bank, Indonesia)
Comment 131•6 years ago
https://camphack.nap-camp.com/
Updated•6 years ago
See Also: → https://webcompat.com/issues/18652
Comment 132•6 years ago
Am I supposed to report unaccessible domains here? I've found two Chinese sites:
https://passport.biligame.com owned by the video site bilibili
*.b0.upaiyun.com, owned by the CDN provider upyun, used for customer's resources, e.g. https://lilyimg.b0.upaiyun.com/blog/prctl-subreap/htop-awesome-tree.png
Comment 133•6 years ago
> Am I supposed to report unaccessible domains here?
If it's bringing up the security warning like this one does then yep!
Comment 134•6 years ago
Response from London's TFL "We are aware".. "attempted to update the certs to a new provider last week but there were issues that we had to request re-issue of the cert.".. "to attempt this again this week and we should be able to get the new certificate before the Firefox and Chrome updates come in to place for non-beta users." https://techforum.tfl.gov.uk/t/symantec-ssl-tls-certificate-distrust/671/3
Comment 135•6 years ago
https://www.img-bahn.de (CDN server for the website bahn.de) From https://github.com/webcompat/web-bugs/issues/18729
Comment 136•6 years ago
https://www.nhsbsa.nhs.uk I can't spot a contact email for them but they do have a twitter https://twitter.com/NHSBSA I don't have twitter so if anyone here that has twitter would be willing to notify them I'd appreciate it.
Comment 137•6 years ago
(In reply to rowan from comment #136)
> https://www.nhsbsa.nhs.uk I can't spot a contact email for them but they do
> have a twitter https://twitter.com/NHSBSA I don't have twitter so if anyone
> here that has twitter would be willing to notify them I'd appreciate it.
Sent an email to nhsbsa.dataprotection@nhs.net cc'ing nhsbsa.communicationsteam@nhs.net. Hope they will forward to the right team(s).
Comment 138•6 years ago
https://www.sendmail.org/ I've emailed them. Thanks Albert for sorting the NHS!
Comment 139•6 years ago
FWIW, PayPal is fixed, they have DigiCert now.
Comment 140•6 years ago
London TFL has been fixed via DigiCert expiring 2020.
Comment 141•6 years ago
https://secure.goldpoint.co.jp/ sent a request to update their cert via the contact form.
Comment 142•6 years ago
https://secure.webdirections.org/ -> I sent an email
Comment 143•6 years ago
https://permatabank.com
Comment 144•6 years ago
https://mobile.free.fr/moncompte/ -> French mobile phone provider account login page.
Comment 145•6 years ago
bankmandiri.co.id has already changed their certificate to DigiCert.
Updated•6 years ago
See Also: → https://webcompat.com/issues/18900
Updated•6 years ago
See Also: → https://webcompat.com/issues/18901
Updated•6 years ago
See Also: → https://webcompat.com/issues/18913
Comment 146•6 years ago
https://accounts.velocityfrequentflyer.com/auth/realms/velocity/protocol/openid-connect/auth?prompt=none&response_type=code&client_id=va-website&redirect_uri=https%3A%2F%2Fwww.virginaustralia.com%2Fau%2Fen%2F?cmpid%3Dsem_Brand_VABrandExact_Brand%2BVirgin%2BGeneric%2B%28Exact%29_virgin%2Bbookings%26gclid%3DCIOjst3QlccCFcMHvAodFMIF6g
Comment 147•6 years ago
sendmail.org said they'll replace it by October
Comment 148•6 years ago
actcorp.in via Reddit post https://www.reddit.com/r/firefox/comments/9i6uim/this_website_doesnt_seen_to_open_only_in_firefox/
Comment 149•6 years ago
https://www.marketforces.org.au/ -> contacted via email
---
https://secure.webdirections.org/ -> They will change it shortly
Updated•6 years ago
See Also: → https://webcompat.com/issues/18969
Updated•6 years ago
See Also: → https://webcompat.com/issues/18995
Comment 150•6 years ago
I am still receiving warnings when accessing https://login.frontier.com/webmail FF just upgraded to 64.0a1
Comment 151•6 years ago
(In reply to dougskis@frontier.com from comment #150)
> I am still receiving warnings when accessing
> https://login.frontier.com/webmail
> FF just upgraded to 64.0a1
I assume they're your ISP? If so probably best you email/phone them they're more likely to respond to a customer than anyone else randomly emailing them.
Comment 152•6 years ago
I contacted Frontier tech support, was told that their certificate does not expire until next year and to use a different browser to access my frontier.com email.
Comment 153•6 years ago
lol I'll send them one as well, trying to explain it more.
Comment 154•6 years ago
(In reply to rowan from comment #151)
> I assume they're your ISP? If so probably best you email/phone them they're
> more likely to respond to a customer than anyone else randomly emailing them.
oh, you're right. Dougskis you could answer them again, if you're up for it
In that case: dougskis, have you sent them these links, that explain it?
https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/
In any case: It's not just two Browsers, it's literally all of them, except Microsoft who will distrust in early 2019 (couldn't find any date)
And the upgrade to digicert is for free.
A few more links:
https://support.apple.com/en-us/HT208860
https://knowledge.digicert.com/alerts/ALERT2562.html
I'm a bit confused by this link right now: https://knowledge.digicert.com/alerts/ALERT2530.html
It says certificates issued after 12.01.2018 are distrusted by Chrome and Safari right now. The frontier certificate is from 19.01.2018 but is still being trusted by Chrome Release (haven't tested safari).
Comment 155•6 years ago
I do not have any problems with Google Chrome getting a certificate error accessing my webmail. I am not going to pursue it any further with Frontier, they must not be getting that many complaints. Cable is finally running down street and will discontinue service with Frontier as fastest internet speeds I can get now is 3 mbps. I do get a certificate error with Safari with my Macbook computer. I use FF with it also. I just like FF.
Comment 156•6 years ago
(In reply to comment #109)
> Also affected: subpages of one of Germany's larger newspaper FAZ
> (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/,
> https://abo.faz.net/ and https://einspruch.faz.net
Hmm, only 50% fixed – epaper.faz.net & einspruch.faz.net are still affected; I did write them, Albert (comment 112) did, but still not a full success. Let's try again :-(
charts.reuters.com (used by www.reuters.com) is also affected; I wrote them yesterday – let's see whether it will help.
Comment 157•6 years ago
|
||
https://www.pernsteiner.net/ => sent an email
Updated•6 years ago
|
See Also: → https://webcompat.com/issues/19195
Comment 158•6 years ago
|
||
https://www.rs-online.com/ if I remember in the morning I'll ping them an email
Comment 159•6 years ago
|
||
(In reply to rowan from comment #158)
> https://www.rs-online.com/ if I remember in the morning I'll ping them an
> email

I remembered and emailed them.
Updated•6 years ago
|
See Also: → https://webcompat.com/issues/19231
Comment 160•6 years ago
|
||
https://www.simplyscience.ch I contacted them just now.
Comment 161•6 years ago
|
||
https://0eaf.cardinalcommerce.com/ same as https://1eaf.cardinalcommerce.com/ I've emailed them.
Comment 162•6 years ago
|
||
cardinalcommerce.com are planning to update the certificate tomorrow https://cardinalcommercecorporation.statuspage.io/incidents/268536hn4zzm
Comment 163•6 years ago
|
||
https://events.lawsociety.org.uk/
Comment 164•6 years ago
|
||
https://www.cas-education.de/ I sent them an e-mail.
Comment 165•6 years ago
|
||
https://legendshobbies.com/legendsnew/
See Also: → https://webcompat.com/issues/12110
Comment 166•6 years ago
|
||
https://sacramento.aero I've emailed them.
Comment 167•6 years ago
|
||
bankmandiri.co.id has already switched to DigiCert
Updated•6 years ago
|
See Also: → https://webcompat.com/issues/19973
Updated•6 years ago
|
See Also: → https://webcompat.com/issues/19981
Comment 168•6 years ago
|
||
https://moneysavingwallet.com.com/ as per bug 1444426
Comment 169•6 years ago
|
||
https://login.xunlei.com https://login2.xunlei.com https://login3.xunlei.com Login page of a popular Chinese website.
Comment 170•6 years ago
|
||
I’ve contacted https://www.foyles.co.uk/.
Comment 171•6 years ago
|
||
https://www.suedtirolnews.it/ doesn't work (written an email but no reply) epaper.faz.net and epaper.faz.net are still affected despite emails. [Side note: one of my Chrome 70 has started rejecting Symantec certificates.]
Updated•6 years ago
|
See Also: → https://webcompat.com/issues/20553
Updated•6 years ago
|
See Also: → https://webcompat.com/issues/20707
Comment hidden (spam) |
Updated•6 years ago
|
See Also: → https://webcompat.com/issues/21211
Updated•6 years ago
|
See Also: → https://webcompat.com/issues/21135
Comment 173•5 years ago
|
||
http://livedrawsgp.biz doesn't work (written an email but no reply)
epaper.faz.net and epaper.faz.net are still affected despite emails.
[Side note: one of my Chrome 70 has started rejecting Symantec certificates.]
Comment 174•5 years ago
|
||
I've found a new one: https://epay.12306.cn/ this is the payment gateway for buying railway tickets in mainland China.
Updated•5 years ago
|
Summary: Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement → [meta] Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement
Updated•5 years ago
|
Product: Tech Evangelism → Web Compatibility
Comment hidden (spam) |
Comment 176•5 years ago
|
||
Almost all sites already migrated from Symantec, can no longer connect, or have an expired cert. There is no point in leaving this bug open.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment 183•3 years ago
|
||
For whatever reason this bug seems to attract spam, so I'm going to restrict comments to attempt to help with that.
Restrict Comments: true