Closed
Bug 128641
Opened 23 years ago
Closed 12 years ago
if user manually trusted server cert, lock icon / page info should mention it
Categories
(Core Graveyard :: Security: UI, defect, P1)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: bc, Unassigned)
References
Details
(Whiteboard: [kerh-ehz])
Attachments
(2 files)
View https://secure.mercuryinsurance.com/FreeQuote/
You will see the dialog "Website Certified by an Unknown Authority"
Could not verify this certificate bcause the issuer is unknown.
Certificate Version 3
Serial Number 47:67:27:87:AA:C6:74:3B:57:E9:E6:E0:A9:58:9F:3B
Certificate Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer
OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
OU = VeriSign International Server CA - Class 3
OU = VeriSign, Inc.
O = VeriSign Trust Network
Click continue on the dialog and then on the lock icon on the page and you will see
Web Site Identity Verified
The web site secure.mercuryinsurance.com supports authentication for the page
you are viewing. The identity of this web site has been verified by VeriSign
Trust Network, a certificate authority you trust for this purpose.
2002022703/win2k and winxp
|
||
Comment 1•23 years ago
|
||
Bob, Ian,
Could you take a look at this problem? Thanks.
Assignee: wtc → relyea
|
||
Comment 2•23 years ago
|
||
Ian, is this sounds like the same problem I described to you.
bob
|
|
||
Comment 3•23 years ago
|
||
Set target milestone 3.4, priority P1.
Priority: -- → P1
Target Milestone: --- → 3.4
|
||
Comment 4•23 years ago
|
||
Bob, which problem?
I'm not sure this is an NSS bug. The issuer of this certificate is an
intermediate, signed by a trusted root. However, the server is not sending the
intermediate cert, so there is no way for NSS to ascertain to which root the
cert chains. If I try this with 0.9.8, I receive the same warning. I believe
the client is behaving properly.
Will attach ssltap output. Note that the server is only sending the server cert.
|
|
||
Comment 5•23 years ago
|
||
|
|
||
Comment 6•23 years ago
|
||
|
|
||
Comment 7•23 years ago
|
||
If you accept Mercury's SSL cert for the connection, you'll see it was issued by:
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign
Trust Network
Which itself was issued by:
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Without that cert, there is no way for NSS to chain. Looks like a misconfigured
server to me.
|
|
||
Comment 8•23 years ago
|
||
Sorry, to be more clear.
The server's issuer cert is the one needed. The root is a trusted root that NSS
already has in the builtins.
|
|
||
Comment 9•23 years ago
|
||
Another note: tstclnt fails in the same manner with NSS 3.3.2, so this is not a
3.4 regression (if it is even a bug).
|
Reporter | |
Comment 10•23 years ago
|
||
See also bug 121534.
I do think the warning dialog and the result of clicking the lock icon should be
consistent. Perhaps this is an evangelism issue on the misconfigured server but
perhaps also a bug on the alert/icon disagreement.
|
|
||
Comment 11•23 years ago
|
||
I agree with you, but that's a PSM issue, not an NSS one. Wan-Teh, I'll let you
switch it over.
|
|
||
Comment 12•23 years ago
|
||
Ian, thank you for investigating this problem.
Changing the product to PSM for the alert/icon disagreement
described in comment #10.
Assignee: relyea → ssaux
Component: Libraries → Client Library
Product: NSS → PSM
QA Contact: sonja.mirtitsch → junruh
Target Milestone: 3.4 → ---
|
|
||
Comment 13•23 years ago
|
||
Sorry Ian, I thought it was the unknown issuer problem we ran into today (where
we werent' finding issuers in the database).
The problem described is a known issue. There is very little that PSM can do
because there is no way to know the difference between a missing intermediate
and a missing root (you can have arbitrary numbers of Certs between the server
cert and it's signer). This problem exists for clean installations of IE and
Communicator 4.x as well. On IE it's self healing because IE stuffs intermediate
certs into it's cert store as it sees them, which is why the mecuryinsurance has
gotten away with their misconfigured server.
The only issue may be the confusion when the lock icon is clicked on a cert that
is verified 'by user acceptance'. Our old UI said 'signed by'. We should either:
1) go back to 'signed by'.
2) go back to 'signed by' if the user clicked to explicitly trust the cert.
3) say 'Verified by user' if the user clicked to explicitly trust the cert.
I would vote for some combination of 2 & 3 as ideal, but I think all are acceptable.
bob
bob
|
||
Comment 14•23 years ago
|
||
created tech evangelism bug 128920 regarding the misconfigured server.
Changing the summary of this bug to address the issue of what should be the
behavior of the lock icon when it's set as a result of the user manually
accepting the ssl connection after an SSL warning.
Cases:
Missing Intermediate CA (Unrecognized CA)
Untrusted CA.
Mismatched names.
Expired cert.
We should remember the fact that the trust was manual.
Keywords: nsbeta1
Summary: Unrecognized Authority Warning for Trusted Issuer → lock icon should say when user decided to manually trust server cert.
Target Milestone: --- → 2.2
|
|
||
Updated•23 years ago
|
|
||
Comment 15•23 years ago
|
||
Both the lock icon and the information shown in page info security should
mention if the user decided to manually trust a server cert. Changing summary.
|
|
||
Comment 16•23 years ago
|
||
*** Bug 139533 has been marked as a duplicate of this bug. ***
|
|
||
Updated•19 years ago
|
Whiteboard: [kerh-ehz]
|
||
Comment 18•19 years ago
|
||
This problem is caused by the server not being configured to send the chaining cert for the Verisign international CA, which is used for their SGC certificates (the expensive certs that used to be needed to promote "export" browsers with 40 bit SSL to 128 bits). While there's no general solution to figuring out when an arbitrary chaining cert is missing, the culprit is this specific cert often enough that it might worth putting in a special kludge to recognize when it happens with this specific cert. Alternatively, add the cert to the trusted root list, since the 40 bit step-up issue has gone away and pretty much all browsers support 128 bits for every cert now. (Better confirm with Verisign before adding that cert to the root list).
|
|
||
Comment 19•19 years ago
|
||
changing obsolete psm* target to --- (unspecified)
Target Milestone: psm2.2 → ---
|
||
Updated•18 years ago
|
QA Contact: junruh → ui
|
||
Comment 20•12 years ago
|
||
The URL in the description seems to have a valid cert now.
However, I tested the following scenarios and websites on a Firefox 22 Nightly:
Untrusted CA (sec_error_untrusted_issuer)
https://mikestoolbox.net
Mismatched Name (ssl_error_bad_cert_domain)
https://www.cracked.com/
Expired Cert (sec_error_expired_certificate)
https://codingteam.net
Adding an exception and clicking the lock icon in the address bar for each site now clearly states: "You have added a security exception for this site."
So I'm guessing this can be resolved?
|
|
Reporter | |
Comment 21•12 years ago
|
||
agreed. thanks, Cykesiopka. -> WFM
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
|
Assignee | |
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•