Open Bug 1134086 Opened 8 years ago Updated 2 months ago

Firefox should not display "Broken Security" message and cipher suites if the top level page does not use a weak encryption

Categories

(Firefox :: Security, defect)

defect

Tracking

()

People

(Reporter: emk, Unassigned)

References

()

Details

Steps to reproduce:
1. Open <https://mega.co.nz/>. An exclamation mark in grey triangle icon will be shown in the url bar
2. Click the grey triangle icon.
3. Click "More Information..."

Actual result:
Broken Encryption (TLS_RSA_WITH_AES_256_CBC_SHA, 256 bit keys, TLS 1.2)

Expected result:
Connection Partially Encrypted

The current message is confusing because TLS_RSA_WITH_AES_256_CBC_SHA itself is not broken. It's RC4 from a subresource.
I'm seeing the same thing when I try to pay via paypal from third-party sites that allow paying via paypal as an option.  When the paypal login screen comes up, I have a grey triangle exclamation point icon in the URL bar.  Clicking on it to get more information tells me:

Broken Encryption (TLS_RSA_WITH_AES_256_CBC_SHA, 256 bit keys, TLS 1.2)
Should have said:  this is with 38.0.5
Just experienced the same thing.
Using version 42.0
It just happened in the portuguese (pt-pt) version of Firefox (my native language).

https://www.rt.com/news/323049-third-bomber-paris-stadium/ 

Showing a "Broken Encryption". 
In the certificate details windows, it's showing SHA-256 and not SHA-1, so i don't get why it's doing that.
Opened in safe mode: same thing.

Tried an english portable version (also 42.0) and it shows correctly "Connection Partially Encrypted"
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.