Closed Bug 1132869 Opened 9 years ago Closed 9 years ago

Successful TLS connection information not always available

Categories

(Core Graveyard :: Security: UI, defect)

Product:
Core Graveyard
Component:
Security: UI
Version:
36 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1126413

People

(Reporter: kosmo.zb, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150209164123

Steps to reproduce:

1. Browse <https://html.spec.whatwg.org/>.


Actual results:

There was a grey exclamatory triangle next to the URL.

On clicking, the popup states:

-------
This website does not supply identity information.

The connection to the website is not fully secure because it
contains unencrypted elements (such as images) or the encryption
is not strong enough.
-------

On clicking "More Information...", the window states:

-------
Website Identity:
  Website: html.spec.whatwg.org
  Owner: This website does not supply ownership information.
  Verified by: Not specified

Technical Details
  Connection Partially Encrypted
  Parts of the page you are viewing were not encrypted or the encryption is not strong enough before being transmitted over the Internet.
  Information sent over the Internet without encryption can be seen by other people while it is in transit.
-------

No "View Certificate" button is present.

Qualys doesn't seem to have a problem with showing me the certificate chain and cipher in use <https://www.ssllabs.com/ssltest/analyze.html?d=html.spec.whatwg.org>.

No specifically insecure page elements are listed in the Security tab or the Media tab.


Expected results:

The certificate received should be available (along with what, specifically, caused it to fail Firefox's check). The ciphersuite in use should be easily visible. The insecure elements or requests (if any) should be available.
https://images.whatwg.org/fingerprint.png is enough to see the issue.
The reason is that the server supports according to 
https://www.ssllabs.com/ssltest/analyze.html?d=images.whatwg.org only 

>Cipher Suites (sorted by strength; the server has no preference)
>TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK


and RC4 is considered broken according to bug 1093595 and Firefox displays the error message in the identity information from that Patch "... encryption is not strong enough"
Component: General → Security: UI
Flags: needinfo?(VYV03354)
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(VYV03354)
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.