Created attachment 8690083 [details] viewCert.jpg
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421
Steps to reproduce: Attempted to view certificate information
Actual results: Cert window appears, all fields blank, view cert button does not work
Expected results: Fields should have info. Cert should be shown when clicking view cert
Possibly related to Bug 1214526?
All fields in "Privacy & History" have a value of "Unknown", so the Page Info window is likely broken. Please tell us on which pages exactly that happens or if on every page. Please also do the following:
1. Load the page.
2. Open Tools > Web developer > Browser console.
3. Check everything under "JS".
4. Clear the browser console.
5. Open the Page Info window like you did for comment 0.
6. Check the browser console. Are there any errors listed? If yes, please select and paste them here.
Thank you.
Seems to happen on all pages. Every page I attempt to view cert info for fails. Screen shots of page names with issue were shown in attachment. Browser console JS showed the following:
JS console for https://bugzilla.mozilla.org/
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] www.google.com
Found hi-entropy localStorage: 61.049554095004076 bits "https://login.persona.org/communication_iframe" returnTo communication_iframe:65:1
JS console for https://www.google.com/
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] www.google.com
Found hi-entropy localStorage: 92.24620679257023 bits "https://www.google.com/" lv www.google.com:65:1
Can you also reproduce the issue if you launch Firefox in its Safe Mode? See https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode Thank you for checking this.
Created attachment 8690460 [details] GoogleByKaspersky.jpg
Under safe mode: Bugzilla cert DOES show "more info", but Google cert still does NOT.
Normal mode, disabled half my add-ons, bugzilla cert failing again.
Normal mode, reenabled first half, disabled other half my add-ons, eventually found disabling AIOS (All in one Sidebar) extension was causing bugzilla cert to fail. Confirmed add-on author is aware of this issue: https://github.com/AddonLab/AiOS/issues/93
But all this time, even in safe mode, the Google cert was still never showing "more info".
Research directed me to this method for investigating cert issues within Firefox: chrome://pippki/content/exceptionDialog.xul
There you can paste in a URL and also view certificate. This method seems to work differently than clicking padlock in address bar as it sometimes gives different results.
What I found was very disturbing. The Google cert was being impersonated by Kaspersky antivirus. Disabling Kaspersky "web protection" component and using the chrome://pippki method finally showed the real Google cert issued by Google CA. However, with Kaspersky "web protection" the simple cert viewing method of clicking the padlock in the address bar still shows null fields and does nothing when clicking "view certificate".
Also ran across this interesting post, about multiple antivirus vendors intercepting SSL traffic: https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.html
>There's one more interesting thing: Both Kaspersky and Avast don't intercept traffic when Extended Validation (EV) certificates are used.
I don't mind an antivirus product inspecting URLs for malicious site names, but I feel decrypting the contents of my secure data to be a step too far. Yes, I understand there is some risk in the event of outbound malware SSL communication. I have a rather good understanding of PKI certificates, manage a PKI at my office.
We use McAfee at the office, which I have my issues with, and do not want to use at home. I realize this is now completely out of the Firefox ball park here... So this is just a side question in case someone knows... Can anyone cite a source that compares antivirus products and whether or not they do certificate impersonation?
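The issuer check described in the comment above can be scripted; the following is an added example, not part of the original bug report or of Firefox. It compares the issuer of the leaf certificate seen from this machine with the issuers you expect for the site. All names in the sample data (`Example Public CA`, `Example AV Vendor`) are constructed placeholders, and `classify_issuer`, `rdn_value` and `fetch_cert` are hypothetical helper names.

```python
import socket
import ssl

def rdn_value(name, key):
    """Return the first value for `key` in a getpeercert()-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def classify_issuer(cert, expected_issuer_orgs):
    """Label a leaf certificate by whether its issuer is one you expect."""
    issuer = cert.get("issuer", ())
    org = rdn_value(issuer, "organizationName")
    cn = rdn_value(issuer, "commonName")
    if org is None and cn is None:
        return ("no-issuer-data", None)      # nothing to compare against
    if org in expected_issuer_orgs:
        return ("expected", cn)
    return ("unexpected-issuer", cn or org)  # e.g. a local interception root

def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate as validated against the local trust store.

    Raises ssl.SSLCertVerificationError when the presented chain does not
    validate locally, which is itself worth investigating.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
DIRECT = {"issuer": ((("organizationName", "Example Public CA"),),
                     (("commonName", "Example Public CA G1"),))}
INTERCEPTED = {"issuer": ((("organizationName", "Example AV Vendor"),),
                          (("commonName", "Example AV Personal Root"),))}
EXPECTED_ORGS = {"Example Public CA"}  # assumption: issuers you expect

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT), ("intercepted", INTERCEPTED)):
        print(label, classify_issuer(cert, EXPECTED_ORGS))
```

To check a live site, pass the result of `fetch_cert("host.example")` to `classify_issuer` with the issuer organizations you expect for that site.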
Thank you for investigating and explaining the results here. Every anti-virus product which wants to check web pages or data traffic for malware will do this, but in general they allow it to be turned off.
Created attachment 8690516 [details] kaspersky root certificate .crt Root certificate obtained by community member from trial version of Kaspersky Internet Security 2016 obtained from http://www.kaspersky.com/free-trials/internet-security
Craig, can you attach to this bug one of the certificates that causes this failure? (the end-entity, not the root) Thanks.
Please see comment 7.
It's been 9 months since comment 8, so closing as INCOMPLETE for now. Feel free to reopen if this is still reproducible.