Open
Bug 1007646
Opened 11 years ago
Updated 3 years ago
Inline, remote images showing as broken in thunderbird. Fine everywhere else (involving https, "secure connection failed")(Fails silently on windows)
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
NEW
People
(Reporter: jimmywat, Unassigned)
Attachments
(1 file: 63.93 KB, image/png)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140314220517
Steps to reproduce:
Load an email from certain people (thinkingbob.co.uk as the example) - click Show Remote Content. All images are still displayed as broken boxes with Alt Text. Opens fine on iMail, Google and on my phone, plus when I c&p the link of the image of the inline content into my browser it pops up fine.
All other browsers seem to be fine.
I can post source & .eml file if users wish
Actual results:
(As above really)
Expected results:
Images should be displayed inline as I asked.
Comment 1•11 years ago
Please compare the final location of the image that displays in the browser against the location specified in the email (Ctrl+U to view message source). If they are different, the server redirected the image source. Thunderbird does not honor redirects. I guess it's debatable if that's correct behavior or not.
The URL of the image in source (eg below) is the exact one that loads in the browser. What seems unusual is the presence of alt=3D, style=3D etc - I have not come across the use of these - could that be breaking the links?
<img alt=3D"thinking bob" src=3D"https://www.thinkingbob.co.uk/wp-cont=
ent/uploads/2013/10/LinkedIn_1.png" style=3D"width: 540px; height: 184px;" =
/>
OK..... On copy and pasting that last link I have realised something.....
On the source it is being split at the end of every line by a = if it's overflowing the usual width...
Is that normal?
To answer the last question, however if you insert:
"https://www.thinkingbob.co.uk/wp-content/uploads/2013/10/LinkedIn_1.png"
Into your browser - the path is identical
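The `=3D` sequences and the line-final `=` asked about in the comment above are quoted-printable transfer encoding (RFC 2045): `=3D` is an encoded `=`, and a trailing `=` is a soft line break that the mail client removes before rendering. An added example, not part of the original thread: it decodes a constructed message whose body is the `<img>` source quoted above and lists the remote image URLs and hosts a client would contact. The message headers and the names `RAW_MESSAGE`, `ImgSrcCollector` and `remote_images` are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the headers are invented for this example; the body
# lines are the quoted-printable <img> source quoted in the comment above.
RAW_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b'<img alt=3D"thinking bob" src=3D"https://www.thinkingbob.co.uk/wp-cont=\r\n'
    b'ent/uploads/2013/10/LinkedIn_1.png" style=3D"width: 540px; height: 184px;" =\r\n'
    b"/>\r\n"
)


class ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in decoded HTML."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def remote_images(raw_bytes):
    """Return (url, host) for each http(s) image in the message's HTML parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgSrcCollector()
        # get_content() undoes the quoted-printable and charset encoding.
        collector.feed(part.get_content())
        collector.close()
        for src in collector.sources:
            parts = urlsplit(src)
            if parts.scheme in ("http", "https"):
                found.append((src, parts.hostname))
    return found
```

The decoded `src` is the same URL that loads in the browser, so the encoding is not what breaks the image; the host it names is the one whose TLS certificate the later comments examine.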
Comment 3•11 years ago
OK the image opens fine for me in Firefox, but TB seems to think it's an unsecure site
Secure connection failed
www.thinkingbob.co.uk uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.
If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.
I'll have time later to investigate further, if this is TB's problem or not.
Comment 4•11 years ago
Joe, evaluation of the security of connections / certificates should be same for FF and TB, or not?
Does this also fail on TB Trunk?
Summary: Inline, remote images showing as broken in thunderbird. Fine everywhere else → Inline, remote images showing as broken in thunderbird. Fine everywhere else (involving https, "secure connection failed")
Yeah firefox loads fine, with no security warnings to speak of. The padlock on the site also states:
"Verified by StartCOM."
"The connection to this web site is secure.... "
Further to that on clicking more details it also says:
"Connection Encrypted: High Grade Encryption (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys)"
Is there an error log anywhere in TB for me to check details of the problem?
Have tried restarting with add-ons disabled as previously Stationary played havoc with one of the releases... I cannot remember if this has happened since an update - know I updated Firefox recently, cannot remember about TB.
Comment 6•11 years ago
(In reply to Thomas D. from comment #4)
> Joe, evaluation of the security of connections / certificates should be same
> for FF and TB, or not?
> Does this also fail on TB Trunk?
Yes it also fails on TB trunk
But I think this might be intentional behavior.
The thinking being that certs should be "more complete" in mail correspondence
The fact that ownership information is missing on the cert in question could be important, in let's say banking email.
I'm looking at the ability to add an exception (whitelisting) which doesn't seem to be working in current trunk.
Comment 7•11 years ago
(In reply to jimmywat from comment #5)
> Yeah firefox loads fine, with no security warnings to speak of. The padlock
> on the site also states:
>
> "Verified by StartCOM."
>
> "The connection to this web site is secure.... "
>
> Further to that on clicking more details it also says:
> "Connection Encrypted: High Grade Encryption
> (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys)"
>
> Is there an error log anywhere in TB for me to check details of the problem?
>
> Have tried restarting with add-ons disabled as previously Stationary played
> havoc with one of the releases... I cannot remember if this has happened
> since an update - know I updated Firefox recently, cannot remember about TB.
You can add an exception by server to your security policy if you wish.
Tools>>Options>>Advanced>>Certificates
From error console:
Timestamp: 5/17/2014 9:30:21 AM
Error: www.thinkingbob.co.uk:443 uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
Adding https://www.thinkingbob.co.uk:443 seems to allow images.
That port number seems to be required (that evaded me for a time)
So, I think the real bug here is the lack of a notification (outside of the hidden error console).
Comment 8•11 years ago
Marking as new for lack of an error notification
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Summary: Inline, remote images showing as broken in thunderbird. Fine everywhere else (involving https, "secure connection failed") → Inline, remote images showing as broken in thunderbird. Fine everywhere else (involving https, "secure connection failed")(Fails silently on windows)
The issues with that particular site seem to be resolved... As a comparison between the two SSL reports it might be useful to know that it seems to have been missing Intermediary certificates so the certificate was valid but the issuer certificate wasn't provided. This might be useful if tracing back some error - also would probably be quite a rare occurrence.
Also as a little point the original post was from a Mac so would be (fails silently on both windows and mac)
Updated•3 years ago
Severity: normal → S3