Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED

VERIFIED FIXED in Firefox 65

Status

enhancement
P1
normal
VERIFIED FIXED
a year ago
25 days ago

People

(Reporter: bugzillaPost120030in, Assigned: johannh)

Tracking

(Blocks 1 bug)

unspecified
Firefox 66

Firefox Tracking Flags

(firefox65 verified, firefox66 verified)

Details

User Story

Copy: https://docs.google.com/document/d/18mKAiSSLRTVcjJ1C9rIMQRnQ7eMwqqXPPN0xIyW6DDI/edit?ts=5bbbb54b#heading=h.mcadi4jcfgzg

Attachments

(1 attachment)

(Reporter)

Description

a year ago
I get this message erroneously:

>Your connection is not secure

>The owner of www.youtube.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

>This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

>www.youtube.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
(The error code is clickable, but brings up the text of the cert, not something useful.)

The message says things that **aren't true**. I installed Kaspersky and it's causing this. We have a useful page for helping folks understand and address this problem, at https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER, but we're not directing folks to it.

It's NOT TRUE that "The owner of www.youtube.com has configured their website improperly."

Looking in comm-central, it looks like the error message is in 3 places, currently:
https://dxr.mozilla.org/comm-central/search?q=The+owner+of+has+configured+their+website+improperly.&redirect=false ; so I'm not sure which component to file this under; making a guess at an appropriate initial choice.

I'm not sure if that troubleshooting page covers all reasons for seeing the "The owner of <span class='hostname'/> has configured their website improperly.  To protect your information from being stolen, &brandShortName; has not connected to this website.">". I propose changing it to something like:

It seems that the owner of <span class='hostname'/> has configured their website improperly.  To protect your information from being stolen, &brandShortName; has not connected to this website.  To troubleshoot this error, [see this support article].">

A smaller but perhaps also appropriate change would be to have the SEC_ERROR_UNKNOWN_ISSUER text link to the support article instead of doing what it currently does.
Moving to an appropriate component so it can be triaged. I think there are existing bugs on this, but from a cursory search I couldn't find anything.
Component: Security: Review Requests → Security: PSM
Product: Firefox → Core
All text changes are Firefox security now and not PSM. There's bug 1442203 to track progress of improving error pages.
Note that HSTS trumps any other error like unknown issuer because Firefox knows that there's a good cert for that page. I don't think this should change. That said, with the new man-in-the-middle detection we might want to give that priority over HSTS.
Component: Security: PSM → Security
Component: Security → Security
Product: Core → Firefox
(Assignee)

Comment 3

6 months ago
We have sufficient indication from Telemetry that MOZILLA_PKIX_ERROR_MITM_DETECTED is catching quite a bunch of sites and would like to start warning users when they hit an MitM-induced error.

https://mzl.la/2NzmHrI
Priority: -- → P2
Summary: Error message should be more useful when AV is interfering with SSL connections. → Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED
(Assignee)

Updated

6 months ago
User Story: (updated)
(Assignee)

Updated

5 months ago
Assignee: nobody → jhofmann
Status: NEW → ASSIGNED
Priority: P2 → P1
Just confirming you're able to review. Thank you!
Flags: needinfo?(nhnt11)
(Assignee)

Comment 6

5 months ago
Nihanth already reviewed
Flags: needinfo?(nhnt11)
Attachment #9027455 - Attachment description: Bug 1450784 - Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,franziskus,keeler → Bug 1450784 - Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler

Comment 7

5 months ago
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/05e25df4db43
Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler

Comment 9

5 months ago
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8c51ad4a6b72
Add a new error page for MOZILLA_PKIX_ERROR_MITM_DETECTED. r=nhnt11,keeler

Comment 10

5 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/8c51ad4a6b72
Status: ASSIGNED → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 65
(Assignee)

Updated

4 months ago
Flags: needinfo?(jhofmann)
Target Milestone: Firefox 65 → Firefox 66

Updated

3 months ago
Duplicate of this bug: 1241065

Comment 12

3 months ago

Both Bypassable and Non-Bypassable error certificates verified on the following Nightly build:

Build ID 20190117095319
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

Updated

3 months ago

Comment 13

3 months ago

Verified on the following build.
Build ID 20181207093029
User Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0

Updated

3 months ago
Status: RESOLVED → VERIFIED
(Assignee)

Updated

25 days ago
Duplicate of this bug: 1420779