Closed
Bug 1132408
Opened 10 years ago
Closed 10 years ago
FF displays Secure Connection Failed (Error code: sec_error_revoked_certificate) while visiting website which seems to have valid SSL certificate.
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: John.Kitz, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Build ID: 20150122214805
Steps to reproduce:
Went to www.geldvoorelkaar.nl and then clicked on "Mijn geldvoorelkaar" in the menu at the top of the page in order to logon.
Actual results:
The following error message is shown:
"Secure Connection Failed
An error occurred during a connection to www.geldvoorelkaar.nl. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem."
Expected results:
The logon page should have been displayed.
Please note, I opened the same website in Internet Explorer and displayed the SSL certificate as being valid from 5th of February 2015 to 7th of March 2017. Also please note that I checked the security flag of this bug since I don't know whether there may be larger security implications related to this.
Summary: FF displays Secure Connection Failed (Error code: sec_error_revoked_certificate) while visiting website which seems to have valid SSl certificate. → FF displays Secure Connection Failed (Error code: sec_error_revoked_certificate) while visiting website which seems to have valid SSL certificate.
Comment 1•10 years ago
This isn't a Firefox security issue, so I'm unhiding the bug.
Here's a source to confirm the certificate has been revoked:
https://www.ssllabs.com/ssltest/analyze.html?d=geldvoorelkaar.nl&latest
This is an issue with the website. If you have contacts with the website in question (via their customer support or something like this) it would be good to let them know.
Group: core-security
Component: Untriaged → Desktop
Product: Firefox → Tech Evangelism
Version: 35 Branch → Trunk
During the course of the day the issue seems to have resolved itself without any apparent reason. Possibly someone kicked something, like engineers sometimes do ;-), which did the trick. I'd be happy to point out any issues to those responsible for the site in question provided that you let me know what in particular from the slew of information provided by the test in comment 1 the issue is that they should address.
Informed contacts of the website today, referring to this bug report.
While doing so the following came to mind: It is my understanding that you cleared the security flag of this bug that I had set (please correct me if I'm wrong) since the issue reported doesn't appear to contain any security issues or vulnerabilities with regards to a Mozilla product. Wouldn't it be prudent and in line with responsible disclosure practices to provide for some sort of flag in bugzilla similar to the security flag in order to treat bugs that do contain information that may have security implications for products or services of manufacturers or service providers other than Mozilla with the same or similar care as bugs related to Mozilla products with the security flag set?
Comment 4•10 years ago
(In reply to John Kitz from comment #3)
> Informed contacts of the website today, referring to this bug report.
>
> While doing so the following came to mind: It is my understanding that you
> cleared the security flag of this bug that I had set (please correct me if
> I'm wrong) since the issue reported doesn't appear to contain any security
> issues or vulnerabilities with regards to a Mozilla product. Wouldn't it be
> prudent and in line with responsible disclosure practices to provide for
> some sort of flag in bugzilla similar to the security flag in order to treat
> bugs that do contain information that may have security implications for
> products or services of manufacturers or service providers other than
> Mozilla with the same or similar care as bugs related to Mozilla products
> with the security flag set?
We use the flag for security issues in other products, too, if they are reported to us, and practice responsible disclosure. However, this in and of itself wasn't a *security* issue in the site in question. The site was neglecting to *authenticate* itself correctly (as it used a revoked certificate).
That doesn't of itself make the site (or its customers) vulnerable to attack, and was also public knowledge (anyone connecting to the site could trivially obtain this information, like the ssl labs report showed). IE's behaviour here (not doing revocation checks by default) is also well known and not a security vulnerability that I thought we needed to keep hidden. I therefore saw no reason to keep the bug hidden. Unhiding bugs makes it easier for people not in the select group that can see the hidden issue to contribute to a diagnosis and fix.
I hope this helps make clear why I opened up the report.
The issue seems to be fixed now, so I guess this can be closed. :-)
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(gijskruitbosch+bugs)
Resolution: --- → WORKSFORME
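Comment 4 turns on one point: a client that checks revocation rejects a certificate whose serial number the issuing CA has listed as revoked, while a client that skips the check (as IE did by default) sees a certificate that looks perfectly valid. The following is an added example, not code from this bug report or from Mozilla; it uses only Go's standard library, and the CA, the leaf certificates for the placeholder host www.example.test and the helper names makeCert, signCRL and revocationStatus are all constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a constructed cert: a self-signed CA (may sign certs and CRLs) when parent is nil, else a leaf.
func makeCert(serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signCRL has the constructed CA publish a CRL listing the given serial numbers as revoked.
func signCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) ([]byte, error) {
	var entries []x509.RevocationListEntry
	for _, s := range revoked {
		entries = append(entries, x509.RevocationListEntry{SerialNumber: s, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(7),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificateEntries: entries}, ca, caKey)
}

// revocationStatus is the client-side check: trust the CRL only if the issuing CA signed it and it is
// current, then look up the leaf's serial. "revoked" is what Firefox reports as sec_error_revoked_certificate.
func revocationStatus(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) string {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil || now.After(crl.NextUpdate) {
		return "unknown" // an unparsable, unauthenticated or stale CRL proves nothing either way
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}
```

Whether an "unknown" result is allowed through is a client policy decision; a client that never consults the CRL at all, as IE did by default here, simply never learns the certificate was revoked.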
Looking at the report from SSL Labs to which you refer in comment 1 and comparing it to the results of the same tests run against other sites it would seem that there are still several issues related to the use of SSL and related protocols on the site in question which should be addressed.
My comments re. responsible disclosure resulted from the fact that I can't judge if and if so to what extent the issues in the report are such that they may be exploited in any way. While I understand your rationale re. unhiding bugs, I personally favor the rationale that doesn't put whoever needs to solve issues like these under unnecessary pressure while working on a resolution possibly leading to additional glitches or worse f@#$%-ups in the process.
From a Mozilla perspective this bug may be marked resolved, however it does look like there is still some work involved for whoever manages the site. Tnx for looking into this and your resulting remarks.
Updated•6 years ago
Product: Tech Evangelism → Web Compatibility