Closed Bug 1440586 Opened 6 years ago Closed 6 years ago

Firefox 60 warns https-site with GeoTrust cert is not secure (Firefox 58 and Chrome do not)

Categories

(Core :: Security: PSM, defect)

60 Branch
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: nachtigall, Unassigned)


Attachments

(1 file)

Attached image https-bug.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180223001838

Steps to reproduce:

Using Firefox 60 (current Nightly) go to https://woocommerce.com/ (or https://docs.woocommerce.com/)


Actual results:

I get a https warning saying "woocommerce.com is using an invalid security certificate". See attached screenshot.


Expected results:

It works fine in Firefox 58 stable release and in stable Chrome. So I assume this is rather a Nightly bug than a problem with the above site and its cert.

FWIW, I get the same cert warning using Nightly on Windows and Ubuntu 16.04
I see the same problem on other sites that are using certificates issued by "RapidSSL SHA256 CA - G3", chaining to (formerly Symantec's, now Digicert's) "GeoTrust Primary Certification Authority" root:

https://media0.giphy.com/media/Feyt5KoETnJDV4ERTz/giphy.gif

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:

This was likely caused by landing of bug 1434300. giphy.com is still affected (and is listed in bug 1434300 as one of the affected domains), while woocommerce.com seems to have already switched to a GoDaddy certificate.
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180301024724

Hello,

I have tested this issue on the latest Nightly build 60.0a1 (2018-02-30) and could not reproduce it. I have accessed the provided links and they worked as expected. I have also tested this using the version mentioned by Jens, Nightly 60.0a1 (2018-02-23), and could not reproduce it.

The strangest thing is that I've encountered the Giphy issue from comment 1 a few days ago, but I can no longer reproduce it on latest Nightly build 60.0a1 and not even on the build from 2018-02-23 or 2018-02-25.

Jens, can you please retest this issue on the latest Nightly (60.0a1) build using a new clean Firefox profile and see if it is still reproducible on your side?
Component: Untriaged → Security: PSM
Flags: needinfo?(nachtigall)
Product: Firefox → Core
Yeah, I think both sites (woocommerce and giphy) changed their https certificate in the meantime. So I am closing because I think there's nothing actionable to do for Firefox I think.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(nachtigall)
Resolution: --- → INVALID
https://www.spark.gov.in/webspark/ has the same issue. Works in chrome, fails in firefox.
It is failing in firefox 61, but working fine in firefox 62.b3
(In reply to Praveen A from comment #5)
> https://www.spark.gov.in/webspark/ has the same issue. Works in chrome,
> fails in firefox.

That server is not sending the appropriate intermediate certificates (that is, it is misconfigured). Chrome will attempt to fetch the intermediate from the CA, whereas Firefox does not (largely to protect your privacy, as doing this essentially leaks your browsing history to the CA).
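
The misconfiguration described in the last comment, reproduced offline as an added example that is not part of the original bug thread: a throwaway root, intermediate and leaf are generated locally, and `openssl verify` (which does not fetch missing intermediates) is run against what a leaf-only server and a correctly configured server would present. All names, subjects and file names are constructed for the illustration.

```sh
#!/bin/sh
# Constructed test PKI: root -> intermediate -> leaf, all generated locally.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# mk_cert NAME SUBJECT EXTENSION [ISSUER]
# Without ISSUER the certificate is self-signed (used for the root).
mk_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  printf '%s\n' "$3" > "$work/$1.ext"
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$work/$1.csr" -days 2 -extfile "$work/$1.ext" \
      -CA "$work/$4.pem" -CAkey "$work/$4.key" -CAcreateserial \
      -out "$work/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$work/$1.csr" -days 2 -extfile "$work/$1.ext" \
      -signkey "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
  fi
}

mk_cert root "/CN=Example Test Root"         "basicConstraints=critical,CA:TRUE"
mk_cert int  "/CN=Example Test Intermediate" "basicConstraints=critical,CA:TRUE" root
mk_cert leaf "/CN=www.example.test"          "basicConstraints=CA:FALSE" int

# What each server would put in its TLS Certificate message.
cp  "$work/leaf.pem" "$work/misconfigured.pem"               # leaf only
cat "$work/leaf.pem" "$work/int.pem" > "$work/correct.pem"   # leaf + intermediate

# Build a path from the leaf to the trusted root using only the presented
# certificates; nothing is downloaded to fill a gap in the chain.
chain_status() {
  if openssl verify -CAfile "$work/root.pem" -untrusted "$work/$1" \
       "$work/leaf.pem" >/dev/null 2>&1; then
    echo complete
  else
    echo incomplete
  fi
}

echo "leaf only:           $(chain_status misconfigured.pem)"
echo "leaf + intermediate: $(chain_status correct.pem)"
```

Against a live server, the presented certificates can be captured with `openssl s_client -connect host:443 -showcerts` and checked the same way; the fix on the server side is to serve the intermediate alongside the leaf.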