ssl errors should not prompt users to "report web forgery"

RESOLVED FIXED in mozilla32


(Reporter: mmc, Assigned: mmc)

Posted image ssl-error.png
It seems that every ssl error has the following two bullets:

* The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
* Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

The command found in the help menu is "Report Web Forgery", which leads to the Safebrowsing phish report page:

http://www.google.com/safebrowsing/report_phish/?tpl=mozilla&hl=en-US&url=https%3A%2F%2Fcloudflarechallenge.com%2F

This probably results in a ton of garbage phishing reports from Firefox to Google.
Assignee: nobody → mmc
Status: NEW → ASSIGNED
Attachment #8426622 - Flags: review?(margaret.leibovic)
Comment on attachment 8426622 [details] [diff] [review]
Do not direct every ssl error to 'Report Web Forgery' (

Review of attachment 8426622 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, you just need to update the patch to rev the entity names.

::: mobile/locales/en-US/overrides/netError.dtd
@@ -124,5 @@
>  </ul>
>  ">
>  
>  <!ENTITY nssFailure2.title "Secure Connection Failed">
>  <!ENTITY nssFailure2.longDesc "

You'll need to update the entity names, so that localizers will know to update these strings. Something like nssFailure2.longDesc2 would suffice (that's why some of the other entity names have numbers at the end like this :).

@@ -127,5 @@
>  <!ENTITY nssFailure2.title "Secure Connection Failed">
>  <!ENTITY nssFailure2.longDesc "
>  <ul>
>    <li>The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.</li>
> -  <li>Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.</li>
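
Review bot: The removed `<li>` on the last line of this hunk bundles two sentences, and only the second ("Alternatively, use the command found in the help menu to report this broken site.") is what sends users to the phishing report form. The first sentence, "Please contact the website owners to inform them of this problem.", is still sound advice for a TLS failure, so consider keeping it as its own `<li>` rather than deleting the whole item, if the replacement line outside this quoted context does not already do that.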

This is a good fix for Fennec, because we don't even have a help menu!
Attachment #8426622 - Flags: review?(margaret.leibovic) → feedback+
Attachment #8426622 - Attachment is obsolete: true
Comment on attachment 8426698 [details] [diff] [review]
Do not direct every ssl error to 'Report Web Forgery' (

Review of attachment 8426698 [details] [diff] [review]:
-----------------------------------------------------------------

I think I got them all...

http://mxr.mozilla.org/mozilla-central/search?string=nssFailure2
Attachment #8426698 - Flags: review?(margaret.leibovic)
Comment on attachment 8426698 [details] [diff] [review]
Do not direct every ssl error to 'Report Web Forgery' (

Review of attachment 8426698 [details] [diff] [review]:
-----------------------------------------------------------------

missed one
Attachment #8426698 - Flags: review?(margaret.leibovic)
Attachment #8426698 - Attachment is obsolete: true
Comment on attachment 8426702 [details] [diff] [review]
Do not direct every ssl error to 'Report Web Forgery' (

Review of attachment 8426702 [details] [diff] [review]:
-----------------------------------------------------------------

One of the strings did not change, but I updated the name anyway because I'm not sure which xhtml reference which dtds.
Attachment #8426702 - Flags: review?(margaret.leibovic)
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #8)
> Comment on attachment 8426702 [details] [diff] [review]
> Do not direct every ssl error to 'Report Web Forgery' (
> 
> Review of attachment 8426702 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> One of the strings did not change, but I updated the name anyway because I'm
> not sure which xhtml reference which dtds.

It's good to update all of them because the browser/mobile .dtd files override the dom .dtd file, so the same xhtml file could be pulling from either one depending on which product is being used.

This netError stuff is confusing :/
FWIW that text is a reference to the feature we removed in bug 572695.
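
The two points raised in review above (a changed string needs a new entity name so localizers notice it, and each product's .dtd overrides the dom one, so every file must define what the XHTML references) can be checked mechanically. This is an added example, not part of the bug or of Mozilla's tooling; the function names, the `dom`/`mobile` labels and the shortened sample strings are constructed, and each DTD is assumed to fully replace the others.

```python
import re

# <!ENTITY name "value"> declarations; values may span several lines.
ENTITY_RE = re.compile(r'<!ENTITY\s+([\w.-]+)\s+"(.*?)"\s*>', re.S)
REF_RE = re.compile(r'&([\w.-]+);')
PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}  # XML built-ins, never in a DTD

def parse_entities(dtd_text):
    """Map entity name -> value with whitespace collapsed."""
    return {n: " ".join(v.split()) for n, v in ENTITY_RE.findall(dtd_text)}

def changed_without_rename(old_dtd, new_dtd):
    """Names kept across versions whose string changed (localizers get no signal)."""
    old, new = parse_entities(old_dtd), parse_entities(new_dtd)
    return sorted(n for n in old.keys() & new.keys() if old[n] != new[n])

def undefined_references(xhtml_text, dtds):
    """Per DTD file, entities the XHTML references that the file does not define."""
    refs = set(REF_RE.findall(xhtml_text)) - PREDEFINED
    report = {}
    for label, text in dtds.items():
        missing = sorted(refs - set(parse_entities(text)))
        if missing:
            report[label] = missing
    return report

# Constructed sample inputs (shortened strings, not the real files).
HEAD = '<!ENTITY nssFailure2.title "Secure Connection Failed">\n'
KEEP = '<li>The authenticity of the received data could not be verified.</li>'
DROP = '<li>Use the command found in the help menu to report this broken site.</li>'
OLD = HEAD + '<!ENTITY nssFailure2.longDesc "\n<ul>' + KEEP + DROP + '</ul>\n">'
SAME_NAME = HEAD + '<!ENTITY nssFailure2.longDesc "\n<ul>' + KEEP + '</ul>\n">'
RENAMED = HEAD + '<!ENTITY nssFailure2.longDesc2 "\n<ul>' + KEEP + '</ul>\n">'
XHTML = '<h1>&nssFailure2.title;</h1><div>&nssFailure2.longDesc2;</div>'

if __name__ == "__main__":
    # String changed but the name was kept: the case the first review flagged.
    print(changed_without_rename(OLD, SAME_NAME))
    # Name revved along with the string: nothing to report.
    print(changed_without_rename(OLD, RENAMED))
    # One override file was missed, so that product would hit an undefined entity.
    print(undefined_references(XHTML, {"dom": RENAMED, "mobile": OLD}))
```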
Comment on attachment 8426702 [details] [diff] [review]
Do not direct every ssl error to 'Report Web Forgery' (

Review of attachment 8426702 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.
Attachment #8426702 - Flags: review?(margaret.leibovic) → review+
(In reply to :Gavin Sharp (email gavin@gavinsharp.com) from comment #10)
> FWIW that text is a reference to the feature we removed in bug 572695.

I wrote that patch on my first day of full-time work at Mozilla!
https://hg.mozilla.org/mozilla-central/rev/184d497bd84a
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Duplicate of this bug: 613175
Duplicate of this bug: 995705
Duplicate of this bug: 913993
Duplicate of this bug: 663679
Duplicate of this bug: 751282
Duplicate of this bug: 642510
Duplicate of this bug: 966223
Product: Core → Core Graveyard