Closed
Bug 1441906
Opened 7 years ago
Closed 6 years ago
improve discoverability of additional debugging information in certificate error pages
Categories
(Firefox :: Security, defect)
RESOLVED DUPLICATE of bug 1484873
People
(Reporter: dholbert, Unassigned)
Details
STR:
1. Visit https://app.bill.com/ in Firefox Nightly.
(This triggers a cert error page right now, which is bug 1441515 -- I imagine that'll change at some point, but for now it works to test this bug.)
2. See if you can figure out how to view the site's SSL certificate.
- In particular: click "Advanced" on the error page. [Dead end.]
- ...or click the site info button (left end of URLBar) and click ">" and then "more information" and then "View Certificate" [No effect.]
ACTUAL RESULTS:
I can't figure out a way to view the cert.
- "Advanced" doesn't give me an "Add Exception..." option in this case (which would normally show the cert), because there is HSTS which prevents exceptions.
- The Site Info "more info" dialog seems to have bogus/empty data (and its View Certificate button does nothing as a result).
So in practice, it seems like there's no way to view this cert to diagnose the issue when this sort of HTTPS error happens...
EXPECTED RESULTS:
Some reasonable way to view the certificate.
Comment 1•7 years ago (Reporter)
Ah, looks like this is a duplicate of bug 943937. (Quite similar to bug 1331117 which is marked as a dupe.)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Comment 2•7 years ago
It's not quite the same as bug 943937. What we call "non-overridable certificate errors" are things like revocation, pinning mismatches, etc. For "overridable certificate errors" in HSTS hosts, we actually use the same error page UI but disable the "add override" button (because it wouldn't ultimately do anything). In those cases, if you click the error code, additional debugging information will come up, including the encoded certificate chain. Since it's not decoded, though, you would have to use another tool to look at it. So, I think we're lacking in two areas here: 1. the discoverability of the debugging information is low and 2. a blob of encoded certificates isn't that informative without some additional tooling. I'll morph this bug into part 1 and file another for 2.
Blocks: better-cert-errors
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: No functional "View Certificate" button is available, if the cert is invalid and the site uses HSTS → improve discoverability of additional debugging information in certificate error pages
Comment 3•7 years ago
Maybe worth aiming to fix in 60 given the Symantec distrust process in play and that we may hear from a lot of users in beta 60 and after release.
status-firefox60:
--- → affected
tracking-firefox60:
--- → +
Comment 4•7 years ago (Reporter)
Note: as of bug 1437754, you now have to set the pref security.pki.distrust_ca_policy = 1 in order to trigger this issue.
Comment 5•7 years ago
This sounds like it would require UI changes, so likely not something for beta.
Comment 6•6 years ago
Wennie, could we get a priority set on this bug in your next triage? Is that still an issue with all the recent work that was done on improving the UX of cert error pages? Thanks
Hi Johann, please comment on priority on this. thanks!
Flags: needinfo?(wleung) → needinfo?(jhofmann)
Comment 8•6 years ago
This is just a dupe of bug 1484873 and it works now (there's a "View Certificate" button on the new error pages, even for HSTS) :)
Status: REOPENED → RESOLVED
Closed: 7 years ago → 6 years ago
Flags: needinfo?(jhofmann)
Resolution: --- → DUPLICATE
Updated•6 years ago
No longer blocks: better-cert-errors