Closed Bug 1450784 Opened 2 years ago Closed 2 years ago

Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED

Categories

(Firefox :: Security, enhancement, P1)

enhancement

Tracking

()

VERIFIED FIXED
Firefox 66
Tracking Status
firefox65 --- verified
firefox66 --- verified

People

(Reporter: bugzillaPost120030in, Assigned: johannh)

References

(Blocks 1 open bug)

Details

User Story

Copy: https://docs.google.com/document/d/18mKAiSSLRTVcjJ1C9rIMQRnQ7eMwqqXPPN0xIyW6DDI/edit?ts=5bbbb54b#heading=h.mcadi4jcfgzg

Attachments

(1 file)

I get this message erroneously:

>Your connection is not secure

>The owner of www.youtube.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

>This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may 
only connect to it securely. As a result, it is not possible to add an exception 
for this certificate.

>www.youtube.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
(The error code is clickable, but brings up the text of the cert, not something useful. )

The message says things that **aren't true**. I installed Kaspersky and it's causing this.  We have a useful page for helping folks understand and address this problem, at https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER ,  but we're not directing folks to it.

It's NOT TRUE that "The owner of www.youtube.com has configured their website improperly."

Looking in comm-central, it looks like the error message is in 3 places, currently :
https://dxr.mozilla.org/comm-central/search?q=The+owner+of+has+configured+their+website+improperly.&redirect=false ; so I'm not sure which component to file this under; making a guess at an appropriate initial choice.

I'm not sure if that troubleshooting page covers all reasons for seeing the "The owner of <span class='hostname'/> has configured their website improperly.  To protect your information from being stolen, &brandShortName; has not connected to this website.">" I propose changing it to something like 

It seems that the owner of <span class='hostname'/> has configured their website improperly.  To protect your information from being stolen, &brandShortName; has not connected to this website.  To troubleshoot this error, [see this support article].">

A smaller but perhaps also appropriate change would be to have the SEC_ERROR_UNKNOWN_ISSUER text link to the support article instead of do what it currently does.
Moving to an appropriate component so it can be triaged. I think there are existing bugs on this, but from a cursory search I couldn't find anything.
Component: Security: Review Requests → Security: PSM
Product: Firefox → Core
All text changes are Firefox security now and not PSM. There's bug 1442203 to track progress of improving error pages.
Note that HSTS trumps any other error like unknown issuer because Firefox knows that there's a good cert for that page. I don't think this should change. That said with the new man-in-the-middle detection we might want to give that priority over HSTS.
Component: Security: PSM → Security
We have sufficient indication from Telemetry that MOZILLA_PKIX_ERROR_MITM_DETECTED is catching quite a bunch of sites and would like to start warning users when they hit an MitM induced error.

https://mzl.la/2NzmHrI
Priority: -- → P2
Summary: Error message should be more useful when AV is interfering with SSL connections. → Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED
User Story: (updated)
Assignee: nobody → jhofmann
Status: NEW → ASSIGNED
Priority: P2 → P1
Just confirming you're able to review. Thank you!
Flags: needinfo?(nhnt11)
Nihanth already reviewed
Flags: needinfo?(nhnt11)
Attachment #9027455 - Attachment description: Bug 1450784 - Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,franziskus,keeler → Bug 1450784 - Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/05e25df4db43
Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8c51ad4a6b72
Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler
https://hg.mozilla.org/mozilla-central/rev/8c51ad4a6b72
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 65
Flags: needinfo?(jhofmann)
Target Milestone: Firefox 65 → Firefox 66
Duplicate of this bug: 1241065

Both certificates Bypassable and Non-Bypassable error certificates Verified on following Nightly build:

Build ID 20190117095319
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

Verified on the following build.
Build ID 20181207093029
User Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0

Status: RESOLVED → VERIFIED
Duplicate of this bug: 1420779
You need to log in before you can comment on or make changes to this bug.