758485 - Expired certificate error message should use a relative time instead of showing the current time

Status: UNCONFIRMED

(Firefox :: Security, enhancement, P5)

Description

[Jared Wein [:jaws] (please needinfo? me)]

When viewing https://johnath.com, I see the following error text under Technical Details:

The certificate expired on 10/26/2002 12:14 PM. The current time is 5/24/2012 7:02 PM.

Including the current time here doesn't seem to add much value. It seems to me that most people would be interested in the time delta between when it expired and the current time.

I think the text should be:
The certificate expired on 10/26/2002 12:14 PM, which is about 10 years ago.

Comment 1

[Johnathan Nightingale [:johnath]]

IIRC, Kai originally added the timestamp because we were getting a significant number of bugs/confused users with badly-wrong internal clocks, causing legitimate certs to fail expiry tests - he hoped that having the current time in there would draw their attention, and get them to fix their clocks (an indirect hope, to be sure!)

Changing that to a delta is definitely more readable, but I wonder if it will lead users to the same realization?

Comment 2

[Jared Wein [:jaws] (please needinfo? me)]

Oh ok, yeah that makes sense. I figured it had to do with something like that.

If that is the goal of this text, would it be possible to (at least on Windows) check with time.windows.com to see how much clock skew is present? Then we would be able to give a more definitive "this certificate is expired because your system clock is wrong"-type message.

Comment 3

[Wim Lewis]

(In reply to (Limited avail. until June 16)  Jared Wein [:jaws] (please needinfo? me) from comment #2)

Related: Bug 712612 - When complaining about bad certificate dates (expired etc.), tell user if their clock is wrong