Bug 1368523 - Revoked certificates are accepted by Firefox [regression]
Status: RESOLVED WONTFIX (Closed)
Opened 7 years ago; closed 7 years ago
Product/Component: Core :: Security (defect)
People: Reporter: bugzilla; Unassigned
Keywords: regression

Flag | Tracking | Status
---|---|---
firefox53 | --- | unaffected
firefox54 | --- | unaffected
firefox55 | --- | affected
Description

The Firefox nightly build is no longer rejecting security certificates that have been revoked. Last known good build 19/05/2017 (may be 25/05/2017 - see forum post, but I have only personally tested with the earlier build). Tested and confirmed not working correctly with Nightly build 29/05/2017. Windows 7 x64, using 64-bit build.

There is a brief discussion here: http://forums.mozillazine.org/viewtopic.php?f=23&t=3030715

STR: Using a recent nightly build, go to the following URL: https://freshproducegroup.us

Expected results: The page should not load and the user should get a "SEC_ERROR_REVOKED_CERTIFICATE" error.

Actual results: The page loads fine as if nothing is wrong.

Other information: Going to "https://revoked.badssl.com/" gets the required error, so the issue must be specific to this site's certificate chain. There are no security-relevant errors in the console when loading the page.
Comment 1 • 7 years ago (Reporter)
Update... When reverting back to my previous build (19th May), the site is still not blocked (note: I have double-checked on sslabs.com and a certificate in the chain is showing as revoked).
Comment 2 • 7 years ago
It is expected, since bug 1366100 disabled OCSP for non-EV certificates.
Comment 3 • 7 years ago
I can confirm this issue, setting to NEW.

Tried mozregression but failed trying to get the following builds; log from mozregression:

2017-05-29T08:25:26: INFO : Narrowed inbound regression window from [f7adbf45, c2ff59dd] (4 revisions) to [55e5723b, c2ff59dd] (2 revisions) (~1 steps left)
2017-05-29T08:25:26: DEBUG : Starting merge handling...
2017-05-29T08:25:26: DEBUG : Using url: https://hg.mozilla.org/mozilla-central/json-pushes?changeset=c2ff59dd31bce41bc9108939e86618017943b88d&full=1
2017-05-29T08:25:28: DEBUG : Found commit message: servo: Merge #17039 - Update openssl source download location (from servo:jdm-patch-1); r=nox The openssl.org webpage has been reorganized and the old URL no longer works.

So I need help in finding the final bug which changed the behavior.
Keywords: regression, regressionwindow-wanted
Comment 4 • 7 years ago
(In reply to Franck (Wip) from comment #2)
> It is expected since bug 1366100 disabled OCSP for non-EV certificate.

Somehow that just does not feel right. Other browsers, IE 11 and Edge, block on the 'revoked' cert, and what if a malicious site purposely sets up a site with a revoked cert - Firefox users will sail right on in...
Updated • 7 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5 • 7 years ago (Reporter)
Without wishing to get into a big debate on a bug ticket, I think you should reconsider switching that check off by default. Checking for revoked security certificates is very important and simply skipping it because it adds a small performance hit is not really a satisfactory justification. You might as well remove all security checks if you are going to say performance is more important than security. It is also inconsistent from a user experience perspective... If the check is on, it is considered sufficiently important that the user is not given an override on the error page. However, the new default setting means that from Mozilla's perspective, the check is not considered important. If this is the case, then the user should be able to override this error if they come across it on EV certificates, or indeed DV ones if they have changed this setting back.
Comment 6 • 7 years ago
last good: autoland changeset db097ec51f62
first bad: autoland changeset 247e0aab1a84
Keywords: regressionwindow-wanted
Updated • 7 years ago
status-firefox53:
--- → unaffected
status-firefox54:
--- → unaffected
status-firefox55:
--- → affected
Comment 7 • 7 years ago
This article provides good background for this issue: https://www.imperialviolet.org/2014/04/19/revchecking.html

Long story short: active OCSP doesn't prevent attacks, it makes the TLS handshake slower, and there are some privacy concerns. Consequently, we're experimenting with disabling it. Since revocation is sometimes essential, Mozilla has a mechanism similar to Chrome's CRLSets (we call it OneCRL).
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
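The point the thread turns on, that a revoked certificate is only rejected when the verifier actually consults revocation data, can be reproduced locally with a throwaway CA. The script below is an added example, not part of the bug report or of Firefox; it assumes an `openssl` binary is on PATH, constructs its own root, leaf and CRL in a temp directory, and shows that plain chain validation accepts the revoked leaf while validation with `-crl_check` rejects it.

```shell
#!/bin/sh
# Added demo (not from the bug): a constructed CA issues a leaf, revokes it and
# publishes a CRL. Plain verification accepts the revoked leaf; only a verifier
# that consults revocation data (here, the CRL) rejects it.
set -e

build_demo_pki() {
    WORK="$(mktemp -d)"          # fresh directory per run; used by the verify functions
    cd "$WORK"
    # Minimal config (constructed) for `openssl req` and `openssl ca`.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
EOF
    touch index.txt; echo 1000 > serial; echo 01 > crlnumber
    # Self-signed root, then a leaf signed by it.
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout root.key -out root.pem -subj /CN=DemoRoot -days 1 2>/dev/null
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr -subj /CN=revoked.example 2>/dev/null
    openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -out leaf.pem 2>/dev/null
    # Revoke the leaf in the CA database and issue a CRL signed by the root.
    openssl ca -config ca.cnf -keyfile root.key -cert root.pem -revoke leaf.pem 2>/dev/null
    openssl ca -config ca.cnf -keyfile root.key -cert root.pem -gencrl -out root.crl 2>/dev/null
}

# Chain validation with revocation checking switched off: the revoked leaf passes.
verify_without_revocation_check() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
}

# Same chain, but the verifier consults the CRL: fails with "certificate revoked".
verify_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/root.pem" -CRLfile "$WORK/root.crl" "$WORK/leaf.pem"
}

build_demo_pki
verify_without_revocation_check
verify_with_crl || echo "revoked leaf rejected once the CRL is consulted"
```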