Closed Bug 1014282 Opened 10 years ago Closed 10 years ago

ssl errors should not prompt users to "report web forgery"

Categories

(Core Graveyard :: Security: UI, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
mozilla32

People

(Reporter: mmc, Assigned: mmc)

Attachments

(2 files, 2 obsolete files)

Attached image ssl-error.png
It seems that every ssl error has the following two bullets:

* The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
* Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

The command found in the help menu is "Report Web Forgery", which leads to the Safebrowsing phish report page:

http://www.google.com/safebrowsing/report_phish/?tpl=mozilla&hl=en-US&url=https%3A%2F%2Fcloudflarechallenge.com%2F

This probably results in a ton of garbage phishing reports from Firefox to Google.
Assignee: nobody → mmc
Status: NEW → ASSIGNED
Attachment #8426622 - Flags: review?(margaret.leibovic)
Comment on attachment 8426622 [details] [diff] [review]
Do not direct every ssl error to 'Report Web Forgery' (

Review of attachment 8426622 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, you just need to update the patch to rev the entity names.

::: mobile/locales/en-US/overrides/netError.dtd
@@ -124,5 @@
>  </ul>
>  ">
>  
>  <!ENTITY nssFailure2.title "Secure Connection Failed">
>  <!ENTITY nssFailure2.longDesc "

You'll need to update the entity names, so that localizers will know to update these strings. Something like nssFailure2.longDesc2 would suffice (that's why some of the other entity names have numbers at the end like this :).

@@ -127,5 @@
>  <!ENTITY nssFailure2.title "Secure Connection Failed">
>  <!ENTITY nssFailure2.longDesc "
>  <ul>
>    <li>The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.</li>
> -  <li>Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.</li>
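
Review bot: the `-` line at the end of this hunk drops both sentences of the bullet, but only the second one ("Alternatively, use the command found in the help menu to report this broken site.") points users at the help-menu command. If nothing replaces the bullet, the error page no longer gives the user any next step. Consider keeping "Please contact the website owners to inform them of this problem." as the remaining `<li>` and removing only the help-menu sentence.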

This is a good fix for Fennec, because we don't even have a help menu!
Attachment #8426622 - Flags: review?(margaret.leibovic) → feedback+
Attachment #8426622 - Attachment is obsolete: true
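
The renaming rule from the review above, and the later "missed one" follow-up, can be checked mechanically: flag entities whose text changed under an unchanged name, and references that point at a name no DTD defines any more. This is an added example, not code from the Mozilla tree or from this bug's patches; the DTD text is constructed from the strings quoted in the review, `nssFailure2.longDesc2` is the name the reviewer suggests, and the function names and the sample markup are hypothetical.

```python
import re

# <!ENTITY name "value"> (or 'value'); values in locale DTDs often span lines.
ENTITY_DEF = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(["\'])(.*?)\2\s*>', re.DOTALL)
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')
XML_BUILTINS = {"amp", "lt", "gt", "quot", "apos"}

def parse_entities(dtd_text):
    """Map entity name -> value with whitespace collapsed."""
    return {m.group(1): " ".join(m.group(3).split())
            for m in ENTITY_DEF.finditer(dtd_text)}

def changed_without_rename(old_dtd, new_dtd):
    """Names kept across versions although their text changed."""
    old, new = parse_entities(old_dtd), parse_entities(new_dtd)
    return sorted(n for n in old.keys() & new.keys() if old[n] != new[n])

def dangling_references(markup, dtd_texts):
    """Entity references in markup that none of the given DTDs define."""
    defined = set()
    for text in dtd_texts:
        defined.update(parse_entities(text))
    return sorted(set(ENTITY_REF.findall(markup)) - defined - XML_BUILTINS)

# Constructed sample data, built from the strings quoted in the review.
BULLET_1 = ("<li>The page you are trying to view cannot be shown because the "
            "authenticity of the received data could not be verified.</li>")
BULLET_2 = ("<li>Please contact the website owners to inform them of this "
            "problem. Alternatively, use the command found in the help menu "
            "to report this broken site.</li>")
OLD_DTD = ('<!ENTITY nssFailure2.title "Secure Connection Failed">\n'
           '<!ENTITY nssFailure2.longDesc "\n<ul>\n  ' + BULLET_1 + "\n  "
           + BULLET_2 + '\n</ul>\n">\n')
# Bullet removed, entity name kept: localizers get no signal.
NEW_SAME_NAME = OLD_DTD.replace("  " + BULLET_2 + "\n", "")
# Same edit with the name revved, as the reviewer asks.
NEW_REVVED = NEW_SAME_NAME.replace("nssFailure2.longDesc ", "nssFailure2.longDesc2 ")
# Hypothetical page markup that still uses the old name.
MARKUP = "<h1>&nssFailure2.title;</h1><div>&nssFailure2.longDesc;</div>"

if __name__ == "__main__":
    print(changed_without_rename(OLD_DTD, NEW_SAME_NAME))
    print(changed_without_rename(OLD_DTD, NEW_REVVED))
    print(dangling_references(MARKUP, [NEW_REVVED]))
```

Running the second check against every DTD that can override the same markup catches a rename applied in one file but missed in another.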
Comment on attachment 8426698 [details] [diff] [review]
Do not direct every ssl error to 'Report Web Forgery' (

Review of attachment 8426698 [details] [diff] [review]:
-----------------------------------------------------------------

I think I got them all...

http://mxr.mozilla.org/mozilla-central/search?string=nssFailure2
Attachment #8426698 - Flags: review?(margaret.leibovic)
Comment on attachment 8426698 [details] [diff] [review]
Do not direct every ssl error to 'Report Web Forgery' (

Review of attachment 8426698 [details] [diff] [review]:
-----------------------------------------------------------------

missed one
Attachment #8426698 - Flags: review?(margaret.leibovic)
Attachment #8426698 - Attachment is obsolete: true
Comment on attachment 8426702 [details] [diff] [review]
Do not direct every ssl error to 'Report Web Forgery' (

Review of attachment 8426702 [details] [diff] [review]:
-----------------------------------------------------------------

One of the strings did not change, but I updated the name anyway because I'm not sure which xhtml reference which dtds.
Attachment #8426702 - Flags: review?(margaret.leibovic)
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #8)
> Comment on attachment 8426702 [details] [diff] [review]
> Do not direct every ssl error to 'Report Web Forgery' (
> 
> Review of attachment 8426702 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> One of the strings did not change, but I updated the name anyway because I'm
> not sure which xhtml reference which dtds.

It's good to update all of them because the browser/mobile .dtd files override the dom .dtd file, so the same xhtml file could be pulling from either one depending on which product is being used.

This netError stuff is confusing :/
FWIW that text is a reference to the feature we removed in bug 572695.
Comment on attachment 8426702 [details] [diff] [review]
Do not direct every ssl error to 'Report Web Forgery' (

Review of attachment 8426702 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.
Attachment #8426702 - Flags: review?(margaret.leibovic) → review+
(In reply to :Gavin Sharp (email gavin@gavinsharp.com) from comment #10)
> FWIW that text is a reference to the feature we removed in bug 572695.

I wrote that patch on my first day of full-time work at Mozilla!
https://hg.mozilla.org/mozilla-central/rev/184d497bd84a
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Product: Core → Core Graveyard