If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Insecure connection not received when SSL certificate is removed

RESOLVED WORKSFORME

Status

()

Core
Security: PSM
RESOLVED WORKSFORME
2 years ago
2 years ago

People

(Reporter: alindeac, Unassigned)

Tracking

(Blocks: 1 bug)

Trunk
All
Windows 8.1
Points:
---

Firefox Tracking Flags

(firefox48 affected)

Details

Attachments

(1 attachment)

[Note]:
- Issue found on the Nightly try build from:
https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-68763a0d343f41ad9370f145abacf55068334806/

Mozilla/5.0 (Windows NT 6.3; rv:47.0) Gecko/20100101 Firefox/47.0 Build ID:20160210105908

[Affected versions]:
- Nightly 47.0a1

[Affected platforms]:
- Windows 8.1

[Steps to reproduce]:
1. On Windows 8.1 create a Child Account and Log in
2. Install the Nightly try build 
3. Launch Nightly
4. Go to about:config and add the preference "security.family_safety.mode" = 2
5. Restart Firefox
6. Open a new tab and navigate to https://yahoo.com 
7. In a new tab, go to about:config and set the preference "security.family_safety.mode" to 0
8. Restart Nightly
9. Open it again and choose to restore the previous session.


[Expected result]:
Because by setting the preference "security.family_safety.mode" to 0 the Family Safety certificate is removed from the FX certificate store, the Yahoo page should open with Insecure Connection message.

[Actual result]:
Yahoo opens just fine (Ctrl+F5 doesn't help - the page is still opened), user can navigate to Yahoo.
If instead of restoring the previous session you open a new tab and navigate to Yahoo -> the Insecure connection page is displayed.


[Regression range]:
It's not a regression, was added with the Child Mode Feature.
No longer blocks: 1239166
Blocks: 1259463
After restoring the previous session, if I switch to the yahoo tab, it does display until I refresh it (and then I see the "this page is not secure message"). Can you confirm this is what you're seeing? If so, this is a known issue (bug 660749). (Perhaps try with a more recent build: https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-2c114e65c871c037f77babda41eebfff544a77f2/ )
Flags: needinfo?(simona.marcu)
Created attachment 8736260 [details]
2016-03-30 12h54_04.mp4

Hi David,

Please see the attached screen cast for more details. To Refresh the Yahoo page, I used the following methods:
- keyboard shortcut: Ctrl+F5 
- keyboard shortcut: Ctrl+R
- keyboard shortcut: F5
- the context menu Refresh button
- the Refresh button located in the URL tab.

The issue is also reproducible on the try builds from:
https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-2c114e65c871c037f77babda41eebfff544a77f2/

https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-0178e1dc8e743c5856e36d92d5dab93abb2601ad/

Thank you,
Simona
Flags: needinfo?(simona.marcu)
Interesting - it looks like the Family Safety feature doesn't intercept connections to ro.yahoo.com, but does (sometimes?) for www.yahoo.com (you can verify this by clicking the lock icon and then the right arrow button - for ro.yahoo.com, it says "Verified by: Symantec Corporation" for me, but for www.yahoo.com, it (sometimes) says "Verified by: Microsoft Family Safety"). (The feature doesn't intercept connections to all sites for some reason. For example, twitter.com works without importing the root.) As far as I've found, duckduckgo.com is consistently intercepted, so maybe that would be a good test site.

In short, for any https site where you're expecting it to not work because the root hasn't been imported, it would be good to first check what Firefox thinks the issuer of the certificate is using the lock icon drop-down.
(In reply to David Keeler [:keeler] (use needinfo?) from comment #3)
> Interesting - it looks like the Family Safety feature doesn't intercept
> connections to ro.yahoo.com, but does (sometimes?) for www.yahoo.com (you
> can verify this by clicking the lock icon and then the right arrow button -
> for ro.yahoo.com, it says "Verified by: Symantec Corporation" for me, but
> for www.yahoo.com, it (sometimes) says "Verified by: Microsoft Family
> Safety"). (The feature doesn't intercept connections to all sites for some
> reason. For example, twitter.com works without importing the root.) As far
> as I've found, duckduckgo.com is consistently intercepted, so maybe that
> would be a good test site.
 
Indeed, the connection to ro.yahoo.com is not intercepted by the Family Safety feature (as duckduckgo.com is), I also see that is "Verified by: Symantec Corporation".  

> In short, for any https site where you're expecting it to not work because
> the root hasn't been imported, it would be good to first check what Firefox
> thinks the issuer of the certificate is using the lock icon drop-down.

I will do that.
Ok - great. Sounds like this is WFM then.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.