gmail periodically gives me "weak encryption" icon, but cert seems secure




2 years ago
a year ago


(Reporter: bkelly, Unassigned)


Firefox Tracking Flags

(Not tracked)



(3 attachments)

Created attachment 8770964 [details]
Screenshot 2016-07-14 10.15.46.png

I typically run with 3 gmail accounts open.  One of these accounts seems to give me a weak encryption or mixed content warning periodically.  It looks secure on initial load, but then the next day will show the yellow triangle icon.

Looking at the info page I can't tell what is causing this.
Created attachment 8770965 [details]
security info tab screenshot
Created attachment 8770966 [details]
cert info page screenshot
The only non-https entry in the info page media tab is a data URL image:

Hmmm - is this session-restore-related? Or do you have the browser open the whole time? Also, are there any clues in the network panel in the devtools?
Flags: needinfo?(bkelly)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> Hmmm - is this session-restore-related? Or do you have the browser open the
> whole time? Also, are there any clues in the network panel in the devtools?

The browser has been open for a long time.  I don't normally keep the devtools open all the time, so whatever request triggered it is long past.  I also don't know if we show blocked requests in the devtools at all.

We really should log the URL of blocked resources somewhere.
Flags: needinfo?(bkelly)
Tanvi, any ideas?
Flags: needinfo?(tanvi)

Comment 7

2 years ago
Hmm, looks like the control center is trying to communicate two different issues here:

1) There is Mixed Active Content blocked on the page.  This is a little suprising from gmail, since I would have thought they fixed their mixed content issues.  (If you are using Nightly though, this problem alone wouldn't trigger a change to the green lock icon next to the url.  We no longer change that when just mixed active content is blocked).  Mixed Content (blocked or loaded) will show up in the security pane of the Web Console.

2) The Weak Encryption warning is what is causing the grey lock with the yellow triangle icon in the url bar.  Weak encryption can mean that the certificate is using a weak crypto algorithm.  I'm looking into what algorithms cause that warning.
Flags: needinfo?(tanvi)
What's the value of the pref "security.ssl.treat_unsafe_negotiation_as_broken" in your profile?
Flags: needinfo?(bkelly)

Comment 9

2 years ago
The weak encryption issue is also mentioned here:

But if you look at the algorithm, it is actually secure.  If I visit gmail and view the certificate info, I get the same algorithm along with a "Connection Encrypted" message instead of "Broken Encryption".

Did you change the security.ssl.treat_unsafe_negotiation_as_broken pref?  If so, then that might be the reason for Broken Encryption.

If not, I think something is giving this page a security state of STATE_IS_BROKEN.  Since no mixed content is loading, we assume it is broken for a bad cipher - - but that is not the case.  So we have to figure out why the page is getting a broken state.
From my about:config:

  security.ssl.treat_unsafe_negotiation_as_broken = false

To clarify, the tab showed a green lock originally.  After many days/weeks it turned to the yellow triangle.  A reload put it back to the green lock.

I haven't seen this reproduce in the last few weeks.

I did have some issues with my ISP intermittently throwing network requests over to an internal error page for a while.  With a different cert.  Maybe that happened on an xhr or something and triggered the warning?

Of course, then I wonder why only that 1 gmail tab got the behavior.  I have 3 gmail tabs open all the time.  It consistently affected the same gmail account tab.
Flags: needinfo?(bkelly)
This has reproduced again.  Anything I can do to investigate while the page is live in my browser?
Flags: needinfo?(tanvi)
Is there anything of note in the browser console or the web console? (Maybe any mentions of CVE-2009-3555?)

Comment 13

2 years ago
If its a mixed content issue, it will show up in the security pane of the webconsole.  I'm not sure how many of the "weak encryption" warnings show up in the console.  But the cert should help us identify that.

If you could print the state in the securityUI, that would also be helpful.  I'm not sure if there is a way to do that with the browser toolbox though.

If there is definitely nothing wrong with the cert and there is definitely no mixed content, then we may have a bug somewhere in nsSecureBrowserUIImpl.
Flags: needinfo?(tanvi)

Comment 14

2 years ago
Are you using windows, linux, or mac?  Do you have the google hangouts plugin on or off?
Flags: needinfo?(bkelly)
I haven't seen this in months.  Maybe google changed something or I am seeing different content now.  Anyway, lets WFM for now.
Last Resolved: a year ago
Flags: needinfo?(bkelly)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.