Closed Bug 1138712 Opened 10 years ago Closed 10 years ago

https page with geotrust ssl site seal shows insecure warning when it shouldn't be

Categories

(Firefox :: Security, defect)

36 Branch
x86
Windows XP
defect
Not set
normal


VERIFIED DUPLICATE of bug 1137677

People

(Reporter: takoyaki.box, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150222232811

Steps to reproduce:

In v36 of Firefox, when I go to the below GeoTrust SSL certificate site verification page, where all items on the page are loaded with HTTPS protocol already, Firefox shows the grey triangle with exclamation point icon in the address bar. But the expected behaviour should be to show the dark grey lock icon because all items on the page are loaded with a secure HTTPS connection, as verified by Firebug.

https://smarticon.geotrust.com/smarticonprofile?Referer=https://www.grillspot.com

Related issue: on our website (https://www.grillspot.com) with the GeoTrust SSL certificate site seal, which links to an image generated from the "smarticon.geotrust.com" domain, with HTTPS protocol, the address bar shows the grey triangle with exclamation mark indicating there are items on the page loaded with an insecure connection. Once the site seal is removed, our website shows the grey lock icon without problems.

I contacted GeoTrust and from their testing, they can also replicate this issue at v36 of Firefox, but not older Firefox versions, such as v35. Other browsers - Chrome and IE - also do not have this issue. They advise reporting this to Firefox support as there should not be any issues with GeoTrust SSL certificates and their site seals.

So somehow v36 is unable to recognize the items from GeoTrust's "smarticon.geotrust.com" as secured items.

My browser: Firefox v36.0 on Windows XP - did not have this issue in previous Firefox versions and on other browsers.

Actual results:

Go to https://smarticon.geotrust.com/smarticonprofile?Referer=https://www.grillspot.com

SSL icon on address bar: grey triangle with exclamation mark

Clicking on the icon > More Information - Website Identity > Verified by: Not specified.

Technical Details: Connection Partially Encrypted
Parts of the page you are viewing were not encrypted or the encryption is not strong enough before being transmitted over the Internet.

Expected results:

Go to https://smarticon.geotrust.com/smarticonprofile?Referer=https://www.grillspot.com

SSL icon on address bar: dark grey lock icon

Clicking on the icon > More Information - Website Identity > Verified by: GeoTrust Inc.

Connection Encrypted
The page you are viewing was encrypted before being transmitted over the Internet.
Component: Untriaged → Security
Flags: sec-review?
Flags: a11y-review?
The geotrust issues are being tracked in bug 1137677.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Because smarticon.geotrust.com is TLS 1.2 intolerant and prefers RC4. If the server is TLS 1.2 intolerant, we will send fallback handshakes with RC4 ciphersuites. Then smarticon.geotrust.com will pick RC4 because of the preference. GeoTrust should either fix the intolerance or stop using RC4.
Status: RESOLVED → VERIFIED
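
Added example, not part of the original bug thread or Mozilla's code: a simplified Python model of the fallback described in the last comment, showing why the connection lands on RC4 and that either suggested server-side fix avoids it. The suite lists, the Server class and client_connect are constructed for illustration, and the model assumes the client offers RC4 only in fallback handshakes.

```python
# Simplified model of the negotiation described in the comment above.
# Suite lists and class/function names are constructed for illustration;
# they are not Firefox's or GeoTrust's real configuration.
VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2"]   # ascending order
STRONG = ["AES128-SHA", "AES256-SHA"]       # offered in every handshake
RC4 = ["RC4-SHA"]                           # assumption: offered only on fallback


class Server:
    def __init__(self, preference, max_tolerated):
        self.preference = preference        # server-side cipher order
        self.max_tolerated = max_tolerated  # highest ClientHello version it survives

    def handshake(self, client_version, offered):
        # A version-intolerant server fails the handshake instead of
        # negotiating down to a version it supports.
        if VERSIONS.index(client_version) > VERSIONS.index(self.max_tolerated):
            return None
        # Server preference decides: first of its suites the client offered.
        for suite in self.preference:
            if suite in offered:
                return suite
        return None


def client_connect(server):
    """Try the highest version first, then retry lower versions with RC4 added."""
    for attempt, version in enumerate(reversed(VERSIONS)):
        fallback = attempt > 0
        offered = STRONG + (RC4 if fallback else [])
        suite = server.handshake(version, offered)
        if suite is not None:
            return {"version": version, "suite": suite,
                    "fallback": fallback, "weak": suite in RC4}
    return None


if __name__ == "__main__":
    cases = {
        "intolerant, prefers RC4 (as reported)": Server(RC4 + STRONG, "TLS1.1"),
        "intolerance fixed, still prefers RC4": Server(RC4 + STRONG, "TLS1.2"),
        "still intolerant, RC4 removed": Server(STRONG, "TLS1.1"),
    }
    for label, srv in cases.items():
        print(label, "->", client_connect(srv))
```

Only the first case ends on a weak suite; the other two correspond to the two remedies named in the comment.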