Closed Bug 1441906 Opened 3 years ago Closed 2 years ago

improve discoverability of additional debugging information in certificate error pages

Categories

(Firefox :: Security, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1484873
Tracking Status
firefox60 + wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- affected

People

(Reporter: dholbert, Unassigned)

Details

STR:
 1. Visit https://app.bill.com/ in Firefox Nightly.
(This triggers a cert error page right now, which is bug 1441515 -- I imagine that'll change at some point, but for now it works to test this bug.)

 2. See if you can figure out how to view the site's SSL certificate.
  - In particular: click "Advanced" on the error page. [Dead end.]
  -  ...or click the site info button (left end of URLBar) and click ">" and then "more information" and then "View Certificate" [No effect.]

ACTUAL RESULTS:
I can't figure out a way to view the cert.
 - "Advanced" doesn't give me an "Add Exception..." option in this case (which would normally show the cert), because there is HSTS which prevents exceptions.
 - The Site Info "more info" dialog seems to have bogus/empty data (and its View Certificate button does nothing as a result).

So in practice, it seems like there's no way to view this cert to diagnose the issue when this sort of HTTPS error happens...

EXPECTED RESULTS:
Some reasonable way to view the certificate.
Ah, looks like this is a duplicate of bug 943937.  (Quite similar to bug 1331117 which is marked as a dupe.)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 943937
It's not quite the same as bug 943937. What we call "non-overridable certificate errors" are things like revocation, pinning mismatches, etc.. For "overridable certificate errors" in HSTS hosts, we actually use the same error page UI but disable the "add override" button (because it wouldn't ultimately do anything). In those cases, if you click the error code, additional debugging information will come up, including the encoded certificate chain. Since it's not decoded, though, you would have to use another tool to look at it. So, I think we're lacking in two areas here: 1. the discoverability of the debugging information is low and 2. a blob of encoded certificates isn't that informative without some additional tooling. I'll morph this bug into part 1 and file another for 2.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: No functional "View Certificate" button is available, if the cert is invalid and the site uses HSTS → improve discoverability of additional debugging information in certificate error pages
Maybe worth aiming to fix in 60 given the Symantec distrust process in play and that we may hear from a lot of users in beta 60 and after release.
Note: as of bug 1437754, you now have to set the pref security.pki.distrust_ca_policy = 1 in order to trigger this issue.
This sounds like it would require UI changes, so likely not something for beta.
Wennie, could we get a priority set on this bug in your next triage? Is that still an issue with all the recent work that was done on improving the UX of cert error pages? Thanks

Hi Johann, please comment on priority on this. thanks!

Flags: needinfo?(wleung) → needinfo?(jhofmann)

This is just a dupe of bug 1484873 and it works now (there's a "View Certificate" button on the new error pages, even for HSTS) :)

Status: REOPENED → RESOLVED
Closed: 3 years ago2 years ago
Flags: needinfo?(jhofmann)
Resolution: --- → DUPLICATE
Duplicate of bug: 1484873
You need to log in before you can comment on or make changes to this bug.