960447 - No option to show certificate fingerprint

Status: RESOLVED INCOMPLETE

(Firefox for Android Graveyard :: General, defect)

Description

[rom]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131030 Firefox/17.0 Iceweasel/17.0.10 (Nightly/Aurora)
Build ID: 20131030041028

Steps to reproduce:

When I go to my self-hosted website with a self-hosted certificate, I got a page "security warning… add a permanent exception", as expectd.

But while on Firefox desktop, I can check the fingerprint before clicking on "add a permanent exception", on Firefox Android, there is no fingerprint displayed, so I can't know at all if I can trust it at all (to avoid MITM during the first connection).


Actual results:

No fingerprint is displayed anywhere.


Expected results:

It should show a fingerprint to be sure this is the right certificate.

Comment 1

[bgzl]

I would complete this bug/request : Firefox Android should show every information common information of the certificate, including the certification chain. Users may have self-signed certificates, but they an also have their personal certificate authority.

Comment 2

[kolAflash]

I think it should be possible to show the HTTPS SSL certificate always when an HTTPS URL is opened. Not just when there's the need to add an exception.

Even the stupid standard Android stock browser gives the possibility, to tap on the website icon on the upper left and show the certificate informations (including fingerprint) always when an HTTPS URL is opened. (tested on Android 4.4)
At least this should be possible on Firefox-for-Android too!

Additionally there should be a possibility to remove certificate-exceptions afterwards. See bug #795767 for details.

Comment 4

[u521611]

I think, this is an important bug. Are there any news?

Comment 6

[Chuck]

I believe the visibility of SSL certificate information is more important on mobile devices and needs to be included as a display option to provide the user the ability to validate that information prior to visiting the site or adding an exception.

Comment 7

[u534134]

(In reply to Chuck from comment #6)
> I believe the visibility of SSL certificate information is more important on
> mobile devices and needs to be included as a display option to provide the
> user the ability to validate that information prior to visiting the site or
> adding an exception.

This is so true. Also Google say Mobile is more used than Desktop for surfing the web. Mobile will be more attacked by hacker and phishing and all information about SSL should be showed not hidden as in Firefox for Mobile. This is very important to fix, implement asap.

Comment 8

[u534134]

Today seems a security issue report will be not fixed https://bugzilla.mozilla.org/show_bug.cgi?id=1332714
and in Firefox mobile still be not possibile check the certificate of a website... this is another security issue not fixed yet and reported 3 years ago... still be unassigned and unfixed...

Comment 9

[Kevin Brosnan [Ex-Mozilla]]

This can now be viewed in 62+ using https://addons.mozilla.org/en-US/firefox/addon/certainly-something/

Comment 11

[u534134]

The plugin is no more working on the last Firefox mobile for Android! And now?

Comment 12

[u534134]

Attachment: Screenshot_2019-05-05-04-49-27-275_org.mozilla.firefox.png

Comment 13

[Kevin Brosnan [Ex-Mozilla]]

This is the all addons are broken bug which affects Firefox for Android as well. It will get a fix asap.

Comment 14

[u534134]

The new version 66 doesn't fix the issue, the extension is installed, i added again but is not working.

Comment 15

[Pascal Ernster]

(In reply to Marco from comment #14)

The new version 66 doesn't fix the issue, the extension is installed, i added again but is not working.

Can't reproduce, the addon works flawlessly for me on Firefox 66.0.4.

Comment 16

[u534134]

Firefox 66.0.4 Android 9 Pie. I installed, unistalled, deactivated and reactivate the extension.
Loaded an https page and cannot see the button on the address bar for check info about certificate.

Good idea to deliver security of browsing to an add-on that is also not working.. grrr..
Is not working for me i don't know what else step i have to try to fix the issue.

Comment 17

[Pascal Ernster]

(In reply to Marco from comment #16)

Firefox 66.0.4 Android 9 Pie.

Sorry, I had overlooked the fact that this bug is about Firefox on Android. I can reproduce your bug report with Firefox 66.0.4 on Android 8.1.

Comment 18

[u534134]

(In reply to Pascal Ernster from comment #17)

(In reply to Marco from comment #16)

Firefox 66.0.4 Android 9 Pie.

Sorry, I had overlooked the fact that this bug is about Firefox on Android. I can reproduce your bug report with Firefox 66.0.4 on Android 8.1.

On Desktop Firefox have all the tools necessary for check certificate security. Is on Android that Firefox is not secure on this way... without an extension that is not working since more than a week maybe. Still not working.

Comment 19

[Pascal Ernster]

Seems the bug was introduced with version 1.2.0 of the addon - with version 1.1.2, the button appears as expected in the URL bar:

https://addons.mozilla.org/firefox/downloads/file/1210752/certainly_something_certificate_viewer-1.1.2-an+fx.xpi

Here you can try other versions:

https://addons.mozilla.org/en-US/firefox/addon/certainly-something/versions/

Comment 20

[u534134]

(In reply to Pascal Ernster from comment #19)

Seems the bug was introduced with version 1.2.0 of the addon - with version 1.1.2, the button appears as expected in the URL bar:

https://addons.mozilla.org/firefox/downloads/file/1210752/certainly_something_certificate_viewer-1.1.2-an+fx.xpi

Here you can try other versions:

https://addons.mozilla.org/en-US/firefox/addon/certainly-something/versions/

Correct, thanks.
https://github.com/april/certainly-something/issues/58

Comment 21

[James B]

This is a massive security issue and it doesn't even have a priority assigned?!? Since the new version of FF for Android, it's not even possible to fix this with an extension like Kevin suggested above.

Viewing the details of a site's certificate is critical to informed browsing. I just got an email purporting to be from a company that I know, with a link to "company.me" instead of "company.com". The site has a cert, and Firefox will tell me who signed it, but anybody can get a cert - you have to look at who owns it, which apparently I can't do in Firefox. This is huge.

Comment 22

[Kevin Brosnan [Ex-Mozilla]]

This is not tracked in bugzilla any more. Please see https://github.com/mozilla-mobile/fenix/issues/8400 for info about installing certainly something in Fenix.