Closed
Bug 1138712
Opened 10 years ago
Closed 10 years ago
https page with geotrust ssl site seal shows insecure warning when it shouldn't be
Categories
(Firefox :: Security, defect)
VERIFIED
DUPLICATE
of bug 1137677
People
(Reporter: takoyaki.box, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150222232811
Steps to reproduce:
In v36 of Firefox, when I go to the below GeoTrust SSL certificate site verification page, where all items on the page are loaded with HTTPS protocol already, Firefox shows the grey triangle with exclamation point icon in the address bar. But the expected behaviour should be to show the dark grey lock icon because all items on the page are loaded with a secure HTTPS connection, as verified by Firebug.
https://smarticon.geotrust.com/smarticonprofile?Referer=https://www.grillspot.com
Related issue: on our website (https://www.grillspot.com) with the GeoTrust SSL certificate site seal, which links to an image generated from the "smarticon.geotrust.com" domain, with HTTPS protocol, the address bar shows the grey triangle with exclamation mark indicating there are items on the page loaded with an insecure connection. Once the site seal is removed, our website shows the grey lock icon without problems.
I contacted GeoTrust and from their testing, they can also replicate this issue at v36 of Firefox, but not older Firefox version, such as v35. Other browsers - Chrome, and IE, also do not have this issue. They advise reporting this to Firefox support as there should not be any issues with GeoTrust SSL certificates and their site seals.
So somehow v36 is unable to recognize the items from GeoTrust's "smarticon.geotrust.com" as secured items.
My browser: Firefox v36.0 on Windows XP - did not have this issue in previous Firefox versions and on other browsers
Actual results:
Go to https://smarticon.geotrust.com/smarticonprofile?Referer=https://www.grillspot.com
SSL icon on address bar: grey triangle with exclamation mark
Clicking on the icon > More Information -
Website Identity > Verified by: Not specified.
Technical Details:
Connection Partially Encrypted
Parts of the page you are viewing were not encrypted or the encryption is not strong enough before being transmitted over the Internet.
Expected results:
Go to https://smarticon.geotrust.com/smarticonprofile?Referer=https://www.grillspot.com
SSL icon on address bar: dark grey lock icon
Clicking on the icon > More Information -
Website Identity > Verified by: GeoTrust Inc.
Connection Encrypted
The page you are viewing was encrypted before being transmitted over the Internet.
Reporter
Updated • 10 years ago
Component: Untriaged → Security
Flags: sec-review?
Flags: a11y-review?
Keywords: csectype-other, wsec-other
Comment 1•10 years ago
The geotrust issues are being tracked in bug 1137677.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: sec-review?
Flags: a11y-review?
Keywords: csectype-other, wsec-other
Resolution: --- → DUPLICATE
Comment 2•10 years ago
Because smarticon.geotrust.com is TLS 1.2 intolerant and prefers RC4. If the server is TLS 1.2 intolerant, we will send fallback handshakes with RC4 ciphersuites. Then smarticon.geotrust.com will pick RC4 because of the preference.
Geotrust should either fix the intolerance or stop using RC4.
Status: RESOLVED → VERIFIED
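The negotiation described in comment 2, as a simplified model added here for illustration (not Firefox or NSS code, and not part of the original bug). The suite lists, the `Server` class and `connect` are hypothetical; the model assumes the first handshake offers TLS 1.2 without RC4, fallback handshakes add RC4, and a successful handshake uses the version the client offered.

```python
from dataclasses import dataclass

# Constructed, shortened suite lists for the model (assumption, not Firefox's real list).
STRONG = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
RC4_SUITES = ["TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_SHA"]


@dataclass
class Server:
    preference: list        # server-side cipher order, most preferred first
    tolerates_tls12: bool   # False: aborts on a TLS 1.2 ClientHello instead of negotiating

    def handshake(self, client_version, offered):
        """Return the chosen suite, or None when the handshake fails."""
        if client_version == "TLS 1.2" and not self.tolerates_tls12:
            return None
        # Server preference wins: first entry of its own list the client also offered.
        return next((s for s in self.preference if s in offered), None)


def connect(server):
    """Try TLS 1.2 without RC4, then fall back with RC4 added.

    Returns (version, suite, weak) or None; weak is True when RC4 was chosen.
    """
    attempts = [("TLS 1.2", STRONG)]
    attempts += [(v, STRONG + RC4_SUITES) for v in ("TLS 1.1", "TLS 1.0")]
    for version, offered in attempts:
        suite = server.handshake(version, offered)
        if suite is not None:
            return version, suite, suite in RC4_SUITES
    return None


# The server as comment 2 describes it: TLS 1.2 intolerant and RC4 preferred.
as_reported = Server(RC4_SUITES + STRONG, tolerates_tls12=False)
# The two remedies comment 2 names, each applied on its own.
intolerance_fixed = Server(RC4_SUITES + STRONG, tolerates_tls12=True)
rc4_removed = Server(STRONG, tolerates_tls12=False)

if __name__ == "__main__":
    for name, srv in [("as reported", as_reported),
                      ("intolerance fixed", intolerance_fixed),
                      ("RC4 removed", rc4_removed)]:
        print(f"{name:18} -> {connect(srv)}")
```

In this model either remedy alone ends with a non-RC4 suite: fixing the intolerance keeps the client on the first handshake where RC4 is never offered, and removing RC4 leaves the server nothing weak to prefer during fallback.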