Open Bug 1367599 Opened 8 years ago Updated 3 years ago

certificate error page text is misleading and/or incorrect in some cases

Categories

(Firefox :: Security, enhancement, P5)

53 Branch
enhancement

UNCONFIRMED

People

(Reporter: flicknose, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce:

Visited www.mozilla.org from inside my employer's LAN (also applies to www.google.co.uk)

Actual results:

The https traffic was intercepted by my lovely employer's IT department, who replaced the https certificate. So the connection was correctly flagged by Firefox as insecure. But instead of warning about a possible man-in-the-middle attack, Firefox said "The owner of www.mozilla.org has configured their website improperly" etc.

Expected results:

Firefox should have given a warning that did not include untrue statements about the owner of the website. Something like "Your connection to www.mozilla.org is not secure. This may be due to improper configuration of the website, or it may be due to interference with the internet traffic by a third party" - some wording that would avoid making untrue allegations (let's leave discussions about libel to the lawyers) about innocent website owners.
Component: Untriaged → Security: PSM
Product: Firefox → Core
I think we already have a bug like this but I can't find it right now. Basically, when Firefox can't verify a certificate, we don't know the exact root cause(s), so we punt and say, "eh, the server operator probably messed up". It's not clear that this is in fact the most common cause (other very common situations are incorrect client clock (although we do attempt to handle that) and intercepting proxy (which we make little effort to detect and/or handle, other than perhaps with captive portal detection)).
Component: Security: PSM → Security
Product: Core → Firefox
Summary: Insecure Connection message is incorrect → certificate error page text is misleading and/or incorrect in some cases
(In reply to David Keeler [:keeler] (use needinfo?) from comment #1)
> I think we already have a bug like this but I can't find it right now.

Bug 1059185?
Severity: normal → trivial
(In reply to YF (Yang) from comment #2)
> (In reply to David Keeler [:keeler] (use needinfo?) from comment #1)
> > I think we already have a bug like this but I can't find it right now.
>
> Bug 1059185?

I believe that bug is how we got to the current design, actually (which brings up the question of why it's still open).
Severity: trivial → enhancement
Priority: -- → P5
Severity: normal → S3