Open Bug 1230321 Opened 9 years ago Updated 2 years ago

Firefox 42.0 shows wrong certificate issuer when reloading a page after cert has changed

Categories

(Firefox :: Site Identity, defect, P5)

Product:
Firefox
Component:
Site Identity
Version:
42 Branch
Type:
defect

Tracking

()

People

(Reporter: kiu, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

http://i.imgur.com/MsV85aO.png

1. Load page served with StartCom certificate
2. Change cert on server to letsencrypt
3. Reload page



Actual results:

Padlock info shows cert as being "StartCom" and More Information says "Lets Encrypt"


Expected results:

Both views should be in sync and show the correct issuer, in this case "Lets Encrypt"
Paolo, is this something you'd be able to look at?
Component: Untriaged → Security
Flags: needinfo?(paolo.mozmail)
10 days passed on a security related issue and no response?
Perhaps this is a cache issue. What happens if you shift-refresh the page?
Flags: needinfo?(kiu)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #3)
> Perhaps this is a cache issue. What happens if you shift-refresh the page?

Idk, dont have the setup to retry atm. If i remember correctly, the padlock view fixes itself after some time, as if the padlock view is cached somewhere (rather than the page).
Flags: needinfo?(kiu)
While I also don't have the setup to test this, I've looked at the code and can confirm that we only refresh the user interface if there is a change in the security state of the page (like whether the page has an EV certificate or not) or if the displayed URI changes.

http://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#4567

We don't refresh the interface immediately if there is a change in certificate details. Just switching tabs, however, should cause the refresh to happen. Given how uncommon this is for end users, and the possible performance impact of refreshing every time, I think we should keep the logic as is.

This is based on the current implementation, I agree that ideally it would be better to update immediately. However, this adds complexity unless we rewrite that code, and rewriting would not be a good use of our time.
Flags: needinfo?(paolo.mozmail)
Note that bug 1225299 has the same root cause. The RC4 infobar will be displayed on security state change, so it will not reappear after reload.
See Also: → 1225299
per comment 5.
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: Security → Site Identity
Priority: -- → P5
Severity: minor → S4

The severity field for this bug is relatively low, S4. However, the bug has 5 duplicates.
:pbz, could you consider increasing the bug severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(pbz)

The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.

Flags: needinfo?(pbz)
You need to log in before you can comment on or make changes to this bug.