Closed
Bug 128641
Opened 23 years ago
Closed 11 years ago
if user manually trusted server cert, lock icon / page info should mention it
Categories
(Core Graveyard :: Security: UI, defect, P1)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: bc, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [kerh-ehz])
Attachments
(2 files)
View https://secure.mercuryinsurance.com/FreeQuote/ You will see the dialog "Website Certified by an Unknown Authority" Could not verify this certificate bcause the issuer is unknown. Certificate Version 3 Serial Number 47:67:27:87:AA:C6:74:3B:57:E9:E6:E0:A9:58:9F:3B Certificate Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign OU = VeriSign International Server CA - Class 3 OU = VeriSign, Inc. O = VeriSign Trust Network Click continue on the dialog and then on the lock icon on the page and you will see Web Site Identity Verified The web site secure.mercuryinsurance.com supports authentication for the page you are viewing. The identity of this web site has been verified by VeriSign Trust Network, a certificate authority you trust for this purpose. 2002022703/win2k and winxp
Comment 1•23 years ago
|
||
Bob, Ian, Could you take a look at this problem? Thanks.
Assignee: wtc → relyea
Comment 2•23 years ago
|
||
Ian, is this sounds like the same problem I described to you. bob
Comment 3•23 years ago
|
||
Set target milestone 3.4, priority P1.
Priority: -- → P1
Target Milestone: --- → 3.4
Comment 4•23 years ago
|
||
Bob, which problem? I'm not sure this is an NSS bug. The issuer of this certificate is an intermediate, signed by a trusted root. However, the server is not sending the intermediate cert, so there is no way for NSS to ascertain to which root the cert chains. If I try this with 0.9.8, I receive the same warning. I believe the client is behaving properly. Will attach ssltap output. Note that the server is only sending the server cert.
Comment 5•23 years ago
|
||
Comment 6•23 years ago
|
||
Comment 7•23 years ago
|
||
If you accept Mercury's SSL cert for the connection, you'll see it was issued by: Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network Which itself was issued by: Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US Without that cert, there is no way for NSS to chain. Looks like a misconfigured server to me.
Comment 8•23 years ago
|
||
Sorry, to be more clear. The server's issuer cert is the one needed. The root is a trusted root that NSS already has in the builtins.
Comment 9•23 years ago
|
||
Another note: tstclnt fails in the same manner with NSS 3.3.2, so this is not a 3.4 regression (if it is even a bug).
Reporter | ||
Comment 10•23 years ago
|
||
See also bug 121534. I do think the warning dialog and the result of clicking the lock icon should be consistent. Perhaps this is an evangelism issue on the misconfigured server but perhaps also a bug on the alert/icon disagreement.
Comment 11•23 years ago
|
||
I agree with you, but that's a PSM issue, not an NSS one. Wan-Teh, I'll let you switch it over.
Comment 12•23 years ago
|
||
Ian, thank you for investigating this problem. Changing the product to PSM for the alert/icon disagreement described in comment #10.
Assignee: relyea → ssaux
Component: Libraries → Client Library
Product: NSS → PSM
QA Contact: sonja.mirtitsch → junruh
Target Milestone: 3.4 → ---
Comment 13•23 years ago
|
||
Sorry Ian, I thought it was the unknown issuer problem we ran into today (where we werent' finding issuers in the database). The problem described is a known issue. There is very little that PSM can do because there is no way to know the difference between a missing intermediate and a missing root (you can have arbitrary numbers of Certs between the server cert and it's signer). This problem exists for clean installations of IE and Communicator 4.x as well. On IE it's self healing because IE stuffs intermediate certs into it's cert store as it sees them, which is why the mecuryinsurance has gotten away with their misconfigured server. The only issue may be the confusion when the lock icon is clicked on a cert that is verified 'by user acceptance'. Our old UI said 'signed by'. We should either: 1) go back to 'signed by'. 2) go back to 'signed by' if the user clicked to explicitly trust the cert. 3) say 'Verified by user' if the user clicked to explicitly trust the cert. I would vote for some combination of 2 & 3 as ideal, but I think all are acceptable. bob bob
Comment 14•23 years ago
|
||
created tech evangelism bug 128920 regarding the misconfigured server. Changing the summary of this bug to address the issue of what should be the behavior of the lock icon when it's set as a result of the user manually accepting the ssl connection after an SSL warning. Cases: Missing Intermediate CA (Unrecognized CA) Untrusted CA. Mismatched names. Expired cert. We should remember the fact that the trust was manual.
Keywords: nsbeta1
Summary: Unrecognized Authority Warning for Trusted Issuer → lock icon should say when user decided to manually trust server cert.
Target Milestone: --- → 2.2
Updated•22 years ago
|
Comment 15•22 years ago
|
||
Both the lock icon and the information shown in page info security should mention if the user decided to manually trust a server cert. Changing summary.
Comment 16•22 years ago
|
||
*** Bug 139533 has been marked as a duplicate of this bug. ***
Updated•19 years ago
|
Whiteboard: [kerh-ehz]
Comment 18•19 years ago
|
||
This problem is caused by the server not being configured to send the chaining cert for the Verisign international CA, which is used for their SGC certificates (the expensive certs that used to be needed to promote "export" browsers with 40 bit SSL to 128 bits). While there's no general solution to figuring out when an arbitrary chaining cert is missing, the culprit is this specific cert often enough that it might worth putting in a special kludge to recognize when it happens with this specific cert. Alternatively, add the cert to the trusted root list, since the 40 bit step-up issue has gone away and pretty much all browsers support 128 bits for every cert now. (Better confirm with Verisign before adding that cert to the root list).
Comment 19•18 years ago
|
||
changing obsolete psm* target to --- (unspecified)
Target Milestone: psm2.2 → ---
Updated•17 years ago
|
QA Contact: junruh → ui
Comment 20•11 years ago
|
||
The URL in the description seems to have a valid cert now. However, I tested the following scenarios and websites on a Firefox 22 Nightly: Untrusted CA (sec_error_untrusted_issuer) https://mikestoolbox.net Mismatched Name (ssl_error_bad_cert_domain) https://www.cracked.com/ Expired Cert (sec_error_expired_certificate) https://codingteam.net Adding an exception and clicking the lock icon in the address bar for each site now clearly states: "You have added a security exception for this site." So I'm guessing this can be resolved?
Reporter | ||
Comment 21•11 years ago
|
||
agreed. thanks, Cykesiopka. -> WFM
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Assignee | ||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•