If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Certificate "more information" and "View certificate" not working

RESOLVED INCOMPLETE

Status

()

Firefox
Security
RESOLVED INCOMPLETE
2 years ago
8 months ago

People

(Reporter: FyreUser, Unassigned, NeedInfo)

Tracking

42 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

2 years ago
Created attachment 8690083 [details]
viewCert.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

Attempted to view certificate information


Actual results:

Cert window appears, all fields blank, view cert button does not work


Expected results:

Fields should have info. Cert should be shown when clicking view cert
Possibly related to Bug 1214526?
All fields in "Privacy & History" have a value of "Unknown", so the Page Info window is likely broken.

Please tell us on which pages exactly that happens or if on every page.

Please also do the following:
1. Load the page.
2. Open Tools > Web developer > Browser console.
3. Check everything under "JS".
4. Clear the browser console.
5. Open the Page Info window like you did for comment 0.
6. Check the browser console. Are there any errors listed? If yes, please select and paste them here. Thank you.
Component: Untriaged → Page Info Window
Flags: needinfo?(csw620)
(Reporter)

Comment 2

2 years ago
Seems to happen on all pages.
Every page I attempt to view cert info for fails
Screen shots of page names with issue were shown in attachment.
Browser console JS showed the following:

JS console for https://bugzilla.mozilla.org/
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] www.google.com
Found hi-entropy localStorage:  61.049554095004076  bits "https://login.persona.org/communication_iframe" returnTo communication_iframe:65:1

JS console for https://www.google.com/
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] www.google.com
Found hi-entropy localStorage:  92.24620679257023  bits "https://www.google.com/" lv www.google.com:65:1
Flags: needinfo?(csw620)
Can you also reproduce the issue if you launch Firefox in its Safe Mode? See https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode Thank you for checking this.
Flags: needinfo?(csw620)
(Reporter)

Comment 4

2 years ago
Created attachment 8690460 [details]
GoogleByKaspersky.jpg


Under safe mode: Bugzilla cert DOES show "more info", but Google cert still does NOT
Normal mode, disabled half my add-ons, bugzilla cert failing again.
Normal mode, reenabled first half, disabled other half my add-ons, eventually found disabling AIOS (All in one Sidebar) extension was causing bugzilla cert to fail.
Confirmed add-on author is aware of this issue
https://github.com/AddonLab/AiOS/issues/93

But all this time, even in safe mode, the Google cert was still never showing "more info"
Research directed me to this method for investigating cert issues within Firefox
chrome://pippki/content/exceptionDialog.xul
There you can paste in a URL and also view certificate.
This method seems to work differently than clicking padlock in address bar as it sometimes gives different results.

What I found was very disturbing.
The Google cert was being impersonated by Kaspersky antivirus.
Disabling Kaspersky "web protection" component and using the chrome://pippki method finally showed the real Google cert issue by Google CA.
However, with Kaspersky "web protection" the simple cert viewing method of clicking the padlock in the address bar still shows null fields and does nothing when clicking "view certificate"

Also ran across this interesting post, about multiple antivirus vendors intercepting SSL traffic
https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.html
>There's one more interesting thing: Both Kaspersky and Avast don't intercept traffic when Extended Validation (EV) certificates are used. 

I don't mind an antivirus product inspecting URLs for malicious site names, but I feel decrypting the contents of my secure data to be a step too far. Yes, I understand there is some risk in the event of outbound malware SSL communication.
I have a rather good understanding of PKI certificates, manage a PKI at my office.
We use McAfee at the office, which I have my issues with, and do not want to use at home.
I realize this is now completely out of the Firefox ball park here... So this is just a a side question in case someone knows...
Can anyone cite a source that compares antivirus products and whether or not they do certificate impersonation?
Flags: needinfo?(csw620)
Thank you for investigating and explaining the results here. Every anti-virus product which wants to check web pages or data traffic for malware will do this, but in general they allow to turn it off.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Created attachment 8690516 [details]
kaspersky root certificate .crt

Root certificate obtained by community member from trial version of Kaspersky Internet Security 2016 obtained from http://www.kaspersky.com/free-trials/internet-security

Updated

2 years ago
Component: Page Info Window → Security
Craig, can you attach to this bug one of the certificates that causes this failure? (the end-entity, not the root) Thanks.
Flags: needinfo?(csw620+bugzilla)
(Reporter)

Updated

2 years ago
Group: firefox-core-security
Flags: needinfo?(fhloston)

Updated

2 years ago
Group: firefox-core-security

Comment 8

2 years ago
Please see comment 7.
Flags: needinfo?(fhloston)

Comment 9

9 months ago
It's been 9 months since comment 8, so closing as INCOMPLETE for now.
Feel free to reopen if this is still reproducible.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago9 months ago
Resolution: --- → INCOMPLETE
See Also: → bug 1333532
You need to log in before you can comment on or make changes to this bug.