Failed/Untrusted HTTPS connection is reported as successful (200 Connection Established)

UNCONFIRMED
Unassigned

Status

P3
normal
UNCONFIRMED
3 years ago
2 months ago

People

(Reporter: david+bugzilla, Unassigned)

Tracking

46 Branch

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160202004008

Steps to reproduce:

Try to connect to a site for which Firefox enforces HSTS (preconfigured/previously visited). This time, however, provide an invalid certificate to that site.


Actual results:

Site refuses to load (good).
The network pane of the dev tools reports 200 Connection Established and no security warning is issued in the log (bad).

In my case, the issue occurred when I had to implement some Google tracking on a company's website and their firewall blocks/hijacks googleadservices.com for tracking protection (oh the irony). googleadservices.com is part of FF's preloaded HSTS list. Upon testing whether what I just implemented worked, I ran into this bug.


Expected results:

Network and log should report such failed connections correctly.
(Reporter)

Comment 1

3 years ago
Created attachment 8715217 [details]
showcase

Comment 2

3 years ago
I saw many people reporting this issue on community boards.

Updated

3 years ago
Component: Untriaged → Networking
Product: Firefox → Core
Component: Networking → Developer Tools
Product: Core → Firefox
Component: Developer Tools → Developer Tools: Netmonitor
Comment 3

Created attachment 8715336 [details]
badssl-netmonitor.png

For https://expired.badssl.com/ and also https://subdomain.preloaded-hsts.badssl.com/ I'm seeing no status show up in the netmonitor - as if the request is still pending.
Comment 4

(In reply to David from comment #0)
> In my case, the issue occurred when I had to implemented some Google
> tracking on a company's website and their firewall blocks/hijacks
> googleadservices.com for tracking protection (oh the irony).
> googleadservices.com is part of FF's preloaded HSTS list. Upon testing
> whether what I just implemented worked, I ran into this bug.

I'm not sure how to reproduce this scenario locally so I haven't been able to confirm the '200' problem you are seeing. Let me know if you have any ideas how to do that. But I've seen a different variety of bugginess in Comment 3

Comment 5

3 years ago
WFM on Fx45b3, 46.0a2 and 47.0a1.

Steps:
Visit http://hsts.badssl.com/; it works fine. Add the "63.245.215.20 hsts.badssl.com" line to the hosts file, press Ctrl+F5 (also clear the DNS cache if needed); the error screen is shown, and the devtools network panel shows what is described in comment 3.
(Reporter)

Comment 6

3 years ago
(In reply to Brian Grinstead [:bgrins] from comment #4)
> (In reply to David from comment #0)
> > In my case, the issue occurred when I had to implemented some Google
> > tracking on a company's website and their firewall blocks/hijacks
> > googleadservices.com for tracking protection (oh the irony).
> > googleadservices.com is part of FF's preloaded HSTS list. Upon testing
> > whether what I just implemented worked, I ran into this bug.
> 
> I'm not sure how to reproduce this scenario locally so I haven't been able
> to confirm the '200' problem you are seeing.  Let me know if you have any
> ideas how to do that.  But I've seen a different variety of buginess in
> Comment 3

As I am behind a proxy (HTTP proxy, not SOCKS), it might be this constellation that causes it to be reported as 200:
Firefox connects to the proxy as I try visiting a website. However, that site never gets the chance to respond, as the proxy hijacks the request and responds with an invalid certificate. Firefox rejects it; though, as it is already connected to the "site" (= the proxy), it lists that connection as 200.
Just a hypothesis, not tested, but that might be the difference between my result and yours.

P.S. At work (with the proxy), https://expired.badssl.com/ and https://subdomain.preloaded-hsts.badssl.com/ result in a 200 response, despite ff rejecting it. At home, I saw the same result as you: grey, as if it's still pending...
Priority: -- → P3
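The proxy hypothesis in comment 6, as an added example that is not part of the bug report or of Firefox: a Python client sends CONNECT to an HTTP proxy and reports the tunnel status separately from the TLS handshake outcome, which is the distinction a "200 Connection Established" line hides. The proxy is a constructed local stand-in that answers 200 and then breaks the tunnel; the badssl host name is used only for the Host header and SNI, nothing is sent to it.

```python
import socket
import ssl
import threading

# Constructed stand-in for the hijacking proxy in the report: it answers CONNECT
# with "200 Connection Established" and then closes instead of relaying TLS.
def fake_proxy(listener: socket.socket) -> None:
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
        conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")

def https_via_proxy(proxy, target_host, timeout=3.0):
    """Return (tunnel_status, tls_ok, tls_error). The CONNECT status and the
    TLS outcome are reported separately: the 200 only says the proxy opened
    a tunnel, not that the site's certificate was accepted."""
    ctx = ssl.create_default_context()  # chain and hostname verification on
    with socket.create_connection(proxy, timeout=timeout) as raw:
        req = f"CONNECT {target_host}:443 HTTP/1.1\r\nHost: {target_host}:443\r\n\r\n"
        raw.sendall(req.encode("ascii"))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = raw.recv(4096)
            if not chunk:
                return None, False, "proxy closed before replying"
            reply += chunk
        status = int(reply.split(b" ", 2)[1])
        if status != 200:
            return status, False, "tunnel refused"
        try:
            with ctx.wrap_socket(raw, server_hostname=target_host):
                return status, True, None  # handshake and verification passed
        except OSError as exc:  # ssl.SSLError and plain socket errors
            return status, False, type(exc).__name__

def demo():
    # Local listener on an ephemeral port; the host name is only used for SNI.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=fake_proxy, args=(listener,), daemon=True).start()
    try:
        return https_via_proxy(listener.getsockname(), "subdomain.preloaded-hsts.badssl.com")
    finally:
        listener.close()
```

Logging the tuple rather than only the CONNECT status line is what keeps a hijacked or blocked HTTPS request from showing up as a success.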

Updated

2 months ago
Product: Firefox → DevTools