Closed Bug 1450784 Opened 3 years ago Closed 2 years ago
Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED
I get this message erroneously:
> Your connection is not secure
> The owner of www.youtube.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
> This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
> www.youtube.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
(The error code is clickable, but brings up the text of the cert, not something useful.)
The message says things that **aren't true**. I installed Kaspersky and it's causing this. We have a useful page for helping folks understand and address this problem, at https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER , but we're not directing folks to it. It's NOT TRUE that "The owner of www.youtube.com has configured their website improperly."
Looking in comm-central, it looks like the error message is in 3 places, currently: https://dxr.mozilla.org/comm-central/search?q=The+owner+of+has+configured+their+website+improperly.&redirect=false ; so I'm not sure which component to file this under; making a guess at an appropriate initial choice.
I'm not sure if that troubleshooting page covers all reasons for seeing the "The owner of <span class='hostname'/> has configured their website improperly. To protect your information from being stolen, &brandShortName; has not connected to this website.">" I propose changing it to something like
It seems that the owner of <span class='hostname'/> has configured their website improperly. To protect your information from being stolen, &brandShortName; has not connected to this website. To troubleshoot this error, [see this support article].">
A smaller but perhaps also appropriate change would be to have the SEC_ERROR_UNKNOWN_ISSUER text link to the support article instead of doing what it currently does.
Moving to an appropriate component so it can be triaged. I think there are existing bugs on this, but from a cursory search I couldn't find anything.
Component: Security: Review Requests → Security: PSM
Product: Firefox → Core
All text changes are Firefox security now and not PSM. There's bug 1442203 to track progress of improving error pages. Note that HSTS trumps any other error like unknown issuer because Firefox knows that there's a good cert for that page. I don't think this should change. That said with the new man-in-the-middle detection we might want to give that priority over HSTS.
Component: Security: PSM → Security
Product: Core → Firefox
We have sufficient indication from Telemetry that MOZILLA_PKIX_ERROR_MITM_DETECTED is catching quite a bunch of sites and would like to start warning users when they hit an MitM induced error. https://mzl.la/2NzmHrI
Priority: -- → P2
Summary: Error message should be more useful when AV is interfering with SSL connections. → Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED
Assignee: nobody → jhofmann
Status: NEW → ASSIGNED
Priority: P2 → P1
Just confirming you're able to review. Thank you!
Nihanth already reviewed
Attachment #9027455 - Attachment description: Bug 1450784 - Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,franziskus,keeler → Bug 1450784 - Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/05e25df4db43 Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler
Backed out for failing bc at browser/base/content/test/static/browser_misused_characters_in_strings.js
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&selectedJob=215446843&revision=05e25df4db432b6f877658287774d52adf758c43
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=215446843&repo=mozilla-inbound&lineNumber=1813
Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/3285b6018d3aa3d02e8a1f4b359e3aaeab58d8d2
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/8c51ad4a6b72 Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler