Open Bug 1349897 Opened 7 years ago Updated 2 years ago

Overridden certificates should be marked as insecure in the identity UI

Categories

(Firefox :: Site Identity, defect, P3)

52 Branch
defect

People

(Reporter: marinaala, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fxprivacy])

Attachments

(1 file)

Attached image firefox.png
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170317040903

Steps to reproduce:

If someone adds an HTTPS certificate as an exception there isn't any spectacular warning that it was a very bad thing to do.


Actual results:

While Google Chrome shows this in RED and "Not Secure", see attached picture, Firefox won't warn the people about this bad choice.


Expected results:

If the connection is MiTMed, the attacker can easily issue a self-signed cert for an HTTPS bank website, the users will accept the warning... they don't even read if a usual window will pop up... and presto, the attacker wins.

Firefox should also warn the users during the connection to ensure the user knows that he/she should use a banking website while there is a BIG RED text saying "Not Secure" all the time.

This would also motivate the maintainers of the website to have a valid HTTPS certificate.
*he/she should NOT use

typo, but cannot edit afterwards..
Component: Untriaged → Site Identity and Permission Panels
Would make a great follow-up to Bug 1310447. Happy to check this out.
As :Johannh and I discussed on IRC:

We should also treat this as a signal to also set window.isSecureContext = false

Hopefully making a stronger correlation to [broken padlock] = isSecureContext=false.
Yeah I personally don't see much value in doing this if we don't set window.isSecureContext = false. That would also show the in-content insecure password warning and prevent use of privileged APIs.

I think we should file a bug for this in Security and get some input on the idea. Jonathan, would you like to do that?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: not valid certs should show a red warning after accepting them → Overridden certificates should be marked as insecure in the identity UI
Whiteboard: [fxprivacy] [triage]
The discussion bug for our isSecureContext work is in Bug 1350125.
Priority: -- → P3
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
(In reply to marina ala from comment #0)
> If someone adds an HTTPS certificate as an exception there isn't any
> spectacular warning that it was a very bad thing to do.

Because in some contexts it's a perfectly fine thing to do. Granted, the exceptions don't apply to the vast majority of people who use the web, but if it were never the correct action we would prevent overrides entirely--as we do, for example, when we know a certificate has been revoked or for an HPKP violation.
I guess it doesn't make sense to do bug 1350125 after all, but I still agree that the broken lock is a better choice for overridden certificates since HTTPS + broken lock is a unique combination while HTTPS + yellow triangle cannot be told apart from passive mixed content. Those two are really not related and should not share the same icon.

IMO it's important that we allow the user to easily identify overridden certificates without digging two levels into the identity popup. I would also take this bug as an opportunity to add a gray warning text for overridden certificates in the main panel of the identity popup like we do for mixed content.
Depends on: 1351684
Blocks: 1351684
No longer depends on: 1351684
Severity: normal → S3