Closed Bug 1449693 Opened 8 years ago Closed 7 years ago

After update, security lock and certificate say site insecure and data can be altered

Categories

(Core :: Security, defect)

59 Branch
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: ronstinger, Unassigned)

Attachments

(1 file)

Attached image FirefoxAlertdetail.png
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180323154952
Steps to reproduce:
The last two times I have updated Firefox, the security lock in the address bar shows insecure content and the detailed page says weak encryption, traffic can be intercepted and altered for my web site www.classroomechanics.com. Then a few days later (maybe after I delete my web site's cookie), it shows green and secure again.
Actual results:
Security indicator in the address bar shows insecure. See these screenshots:
https://snag.gy/LN3tZK.jpg
https://snag.gy/EsFLYl.jpg
Expected results:
Should show green and secure.
Site looks fine to me, I cannot reproduce your screenshots. I can get to your log in page from the site menus, but the URL in the screenshot shows redirect parameters that I can't see so you got there differently than I did. I doubt that makes a difference but if it does I was not able to test it. In the web console several insecurely-loaded font files are blocked -- you should fix those (change http: to https:), but those don't affect the security state of the page because we have blocked them.
Flags: needinfo?(ronstinger)
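An added example, not part of the comment above and not Mozilla's code: a small Node.js check that lists the `http://` subresources in an HTTPS page's markup and the `https:` form to switch them to, as suggested for the font files. The sample markup, the `example.test` URLs and the function name are constructed for illustration, and the regex scan is a simplification of a real HTML/CSS parser.

```javascript
// Added example. SAMPLE_PAGE is constructed; it is not the reporter's markup.
const SAMPLE_PAGE = `
<link rel="stylesheet" href="https://example.test/style.css">
<style>
@font-face { font-family: "Body";
  src: url("http://example.test/fonts/body.woff2") format("woff2"),
       url('http://example.test/fonts/body.woff') format("woff"); }
.hero { background: url(https://example.test/img/hero.jpg); }
</style>
<img src="http://example.test/img/logo.png">
<script src="http://example.test/js/app.js"></script>
<a href="http://example.test/about">About</a>
`;

// Mixed Content (Level 1) categories: images, audio and video are
// "optionally-blockable"; everything else, fonts included, is "blockable".
const OPTIONAL_TAGS = new Set(["img", "audio", "video", "source"]);
const IMAGE_EXT = /\.(png|jpe?g|gif|webp|svg)([?#]|$)/i;

function findMixedContent(html) {
  const findings = [];
  // Tags that fetch a subresource. <a href> is navigation, so it is skipped.
  const tagRe = /<(img|audio|video|source|script|iframe|embed|link)\b[^>]*?\b(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;
  for (const [, tag, url] of html.matchAll(tagRe)) {
    const t = tag.toLowerCase();
    findings.push({ url, via: `<${t}>`,
      category: OPTIONAL_TAGS.has(t) ? "optionally-blockable" : "blockable" });
  }
  // CSS url(...) references: @font-face sources, backgrounds, @import.
  const cssRe = /url\(\s*["']?(http:\/\/[^"')\s]+)/gi;
  for (const [, url] of html.matchAll(cssRe)) {
    findings.push({ url, via: "css url()",
      category: IMAGE_EXT.test(url) ? "optionally-blockable" : "blockable" });
  }
  // The fix suggested in the comment above: the same URL over https.
  return findings.map(f => ({ ...f, fix: f.url.replace(/^http:/i, "https:") }));
}

for (const f of findMixedContent(SAMPLE_PAGE)) {
  console.log(`${f.category.padEnd(20)} ${f.via.padEnd(10)} ${f.url} -> ${f.fix}`);
}
```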
Thanks for having a look Daniel. As I mentioned, it seems to happen immediately after a Firefox update, but then it disappears a few days later and I have the green lock. Not sure why there is that difference. One thing that may have occurred is that I sometimes clean out my cookies when I am working on my site, and maybe that makes a difference. Also, I did not note the redirect before. I will try and capture that info in the future. Not sure when the next version of FF is due out, but if we can leave this open until then OR if I can reactivate it at that time, let's sit on it.
Flags: needinfo?(ronstinger)
Hi Again Daniel,
It is happening again, and this time without an update to Firefox and no change of cookie. It seems to be primarily on the login page of my site. I just tried it again and it is not happening now. No changes on my end, I just tried one more time, and the green lock is there. I find it odd that it is intermittent.
BTW, here is the full redirect URL:
https://www.classroomechanics.com/login/?redirect_to=https%3A%2F%2Fwww.classroomechanics.com%2Fwp-admin%2F&reauth=1
Here are some screenshots taken while it happened:
General message https://snag.gy/Vryvxk.jpg
Detailed message https://snag.gy/Ge2D4y.jpg
non-redirect general message https://snag.gy/3OacxY.jpg
non-redirect detailed message https://snag.gy/sC5UlT.jpg
My site uses a Let's Encrypt certificate, which most of the time seems fine and gives me the green lock. I have no idea why it occasionally gives me this broken encryption message. Is it possible that someone is messing with the traffic to my web site? Would it throw this insecure connection message if the traffic had been tampered with?
Thanks, Aaron
Just for grins, I went to my site again and captured the info when the lock is green to compare. Basically, it looks like the "verified by" section is different. On the insecure site, it says "not specified" while on the green lock, secure site, it says "Let's Encrypt."
Here are the screenshots of the green lock info:
Green lock General message 1 https://snag.gy/rPjVNT.jpg
Green lock General message 2 https://snag.gy/I3dahP.jpg
Green lock detailed message https://snag.gy/u56poL.jpg
Is someone spoofing a certificate on the insecure site??? Is that why it says insecure and is NOT verified while the secure site says verified by "Let's Encrypt"? I have read certificate spoofing can be done. https://www.motherjones.com/politics/2013/09/flying-pig-nsa-impersonates-google/ It might explain the intermittent issues with the security. Supposedly my certificate is good until July 2018 according to the site info in the image.
Anyway, I am trying to get to the bottom of this weirdness as it is disconcerting to read that I have broken encryption.
Thanks, Aaron
Hello,
This is a continuation of a previous bug - Bug 1449693
I have visited my site (classroomechanics.com) several times in the past few days and have continued to receive mixed lock responses. The issue seems to be whether the certificate is "verified" by Let's Encrypt or not. I noted all seems fine on another site of mine WITH THE SAME HOST (landsremote.com) that also uses a Let's Encrypt certificate.
Check out these screenshots:
https://snag.gy/kXeRwJ.jpg - landsremote.com with green lock and Let's Encrypt verification
https://snag.gy/jyh48E.jpg - Shows Let's Encrypt verification
https://snag.gy/E1bKz6.jpg - Shows classroomechanics.com with yellow lock and broken encryption, no verified by info
https://snag.gy/rE8AM7.jpg - Shows same site a few minutes later with green lock and verified by Let's Encrypt
snag.gy BTW is a site for safe sharing of screenshots.
So why does the one site only irregularly show verification by Let's Encrypt and the other is fine? If I dig into the details of the certificate, it does say Let's Encrypt, but can't seem to do the verification. What is Firefox doing in the background to check the verification? Whatever it is seems to work only intermittently. Can you let me know about this?
Thanks Aaron
Is this still an issue? I can't reproduce the issue you're seeing on classroomechanics.com.
Flags: needinfo?(ronstinger)
Does not appear to be. I have not seen the insecure connection symbol in a little while. Thanks for following up.
Flags: needinfo?(ronstinger)
Great - thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME