Closed Bug 1145183 Opened 9 years ago Closed 9 years ago

www.children.org is RC4 only

Categories

(Web Compatibility :: Site Reports, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dsmith, Unassigned)


User Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150305021524

Steps to reproduce:

Go to www.children.org
From the top navigation select "Ways to Give" and then "Donate Now"
Click any of the Donate Now buttons on this page.
Now on the transaction page (and all pages before this as well) the site shows as not secure in Firefox 36.0.1 but current versions of Chrome and IE show the site as secure. Additionally, http://www.networking4all.com/en/support/tools/site+check/ says that "SSL Certificate correctly installed" and "This certificate should be trusted by all major web browsers".


Actual results:

The site shows as not secure in Firefox 36.0.1 but current versions of Chrome and IE show the site as secure


Expected results:

The site should show as secure since the certificate seems to be in order and correctly installed. I realize that SHA-1 hash is being phased out in the near future but it should not have an effect on the site now according to the Mozilla documentation that I have seen.
SSL analysis: https://www.ssllabs.com/ssltest/analyze.html?d=children.org

In FF39, I got:
An error occurred during a connection to www.children.org. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
Component: Untriaged → Security: PSM
Product: Firefox → Core
Doug: Thanks for the report!

(In reply to Loic from comment #1)
> SSL analysis: https://www.ssllabs.com/ssltest/analyze.html?d=children.org
> 
> In FF39, I got:
> An error occurred during a connection to www.children.org. Cannot
> communicate securely with peer: no common encryption algorithm(s). (Error
> code: ssl_error_no_cypher_overlap)

Indeed, this points to the actual cause of the lack of EV status.
Starting in Firefox 36, servers that are RC4 only will show the warning icon, even if the cert is good.
The server needs to enable more secure cipher suites, since RC4 really can't be called secure anymore.
Status: UNCONFIRMED → NEW
Component: Security: PSM → Desktop
Ever confirmed: true
OS: Windows 7 → All
Product: Core → Tech Evangelism
Hardware: x86 → All
Summary: www.children.org has an ssl certificate with EV and is using SHA-1 with RSA but is not showing as secure in the location bar → www.children.org is RC4 only
Version: 36 Branch → unspecified
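
The two client outcomes reported in this bug (warning icon in Firefox 36, ssl_error_no_cypher_overlap in the FF39 report), modelled as an added example that is not part of the bug thread or of Mozilla's code. The suite lists, client offers and function names are constructed assumptions, and suite selection is simplified to server-preference order.

```python
# Added example: cipher-suite selection against an RC4-only server.
# All lists below are constructed samples, not captured from a browser or site.

RC4_ONLY_SERVER = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"]
MIXED_SERVER = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
FIXED_SERVER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA"]

# Hypothetical client offers: one still offering RC4, one with RC4 removed.
CLIENT_WITH_RC4 = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                   "TLS_RSA_WITH_AES_128_CBC_SHA",
                   "TLS_RSA_WITH_RC4_128_SHA"]
CLIENT_NO_RC4 = [s for s in CLIENT_WITH_RC4 if "_RC4_" not in s]


def is_rc4(suite):
    """True if the IANA suite name uses the RC4 stream cipher."""
    return "_RC4_" in suite


def classify_server(server_suites):
    """Audit verdict for a server's enabled suites."""
    rc4 = [s for s in server_suites if is_rc4(s)]
    if rc4 and len(rc4) == len(server_suites):
        return "rc4-only"
    return "rc4-enabled" if rc4 else "no-rc4"


def negotiate(client_offer, server_suites):
    """Server-preference selection: first server suite the client also offers."""
    for suite in server_suites:
        if suite in client_offer:
            return suite
    return None  # handshake fails: no shared suite


def assess(client_offer, server_suites):
    """Return (selected suite, client-side outcome) for one handshake."""
    suite = negotiate(client_offer, server_suites)
    if suite is None:
        return None, "ssl_error_no_cypher_overlap"
    return suite, "warning" if is_rc4(suite) else "secure"


if __name__ == "__main__":
    for name, srv in [("rc4-only", RC4_ONLY_SERVER), ("mixed", MIXED_SERVER),
                      ("fixed", FIXED_SERVER)]:
        print(name, classify_server(srv),
              assess(CLIENT_WITH_RC4, srv), assess(CLIENT_NO_RC4, srv))
```

The mixed case shows that enabling stronger suites is not enough if the server still prefers RC4: a client that offers RC4 ends up on it, so the stronger suites should also be ordered first or RC4 removed.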
Fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility