Closed Bug 1452899 Opened 8 years ago Closed 1 year ago

door-hanger "verified by" information doesn't always get changed when the server certificate changes

Categories

(Firefox :: Security, defect, P3)

59 Branch
defect

Tracking

RESOLVED FIXED
132 Branch
Tracking Status
firefox132 --- fixed

People

(Reporter: support, Assigned: manuel)

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180327091415

Steps to reproduce:

I visited https://potyka.com/

This is just a minor glitch, but very irritating if you just switched SSL certs on a site and your browser does tell you otherwise :D

Actual results:

The site first HAD a Comodo signed certificate as I visited it. This got exchanged for a Let's Encrypt cert while FF was open. NOW (after reloading the page) the FF build certificate viewer shows LE correctly, BUT the green lock left of the URL still shows the cert as belonging to Comodo. Picture is attached for illustration.

Expected results:

The info page about the SSL connection should have been updated on page reload, which it was not.
Component: Networking → Security: PSM
What happens if you shift-refresh? (i.e. clear the cache)
Flags: needinfo?(support)
No idea, that was 2 days and 3 reboots ago ;) TODAY it shows the right CA right up front. Reloads seem to skip refreshing the cache info that gets used by the green lock info text.
Flags: needinfo?(support)
Hmmm - doesn't seem to be related to the cache (as far as my tests have shown). In any case, from what I've seen this is an issue with the door-hanger not updating at the right times. (An easy way to test this is to have two different CA -> EE pairs (generate with openssl or pycert or something). Import/trust the roots, then alternate between the two EEs in `openssl s_server -cert {certX.pem} -key {keyX.pem} -WWW`.)
Component: Security: PSM → Security
Product: Core → Firefox
Summary: SSL cert informations are not updated on page reload → door-hanger "verified by" information doesn't always get changed when the server certificate changes
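
The test setup described in the comment above (two different CA -> EE pairs alternated behind `openssl s_server`), as an added example that is not part of the original thread. The subject names, file names and 7-day validity are assumptions chosen for this sketch.

```shell
#!/bin/sh
# Added example: two unrelated test CA -> EE chains for "localhost".
# Subject names and file names are constructed for this test.
set -eu

make_chain() {   # $1 = chain label (A or B), $2 = output directory
  n=$1; d=$2
  # Own minimal config, so nothing depends on the system openssl.cnf.
  cat > "$d/$n.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Doorhanger Test CA $n
CN = Doorhanger Test Root $n
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[ee_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
extendedKeyUsage = serverAuth
EOF
  # Self-signed root: the certificate to import and trust in a test profile.
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -config "$d/$n.cnf" \
    -extensions ca_ext -keyout "$d/ca$n.key" -out "$d/ca$n.pem" 2>/dev/null
  # End-entity key and CSR, then the server certificate issued by that root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/$n.cnf" \
    -subj "/CN=localhost" -keyout "$d/key$n.pem" -out "$d/ee$n.csr" 2>/dev/null
  openssl x509 -req -in "$d/ee$n.csr" -CA "$d/ca$n.pem" -CAkey "$d/ca$n.key" \
    -CAcreateserial -days 7 -extfile "$d/$n.cnf" -extensions ee_ext \
    -out "$d/cert$n.pem" 2>/dev/null
}

issuer_of() {    # $1 = certificate file; prints its issuer DN
  openssl x509 -in "$1" -noout -issuer
}

chains_to() {    # $1 = root file, $2 = EE file; succeeds only if EE chains to root
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
make_chain A "$work"
make_chain B "$work"
# Serve one pair, stop the server, then serve the other on the same port:
echo "openssl s_server -cert $work/certA.pem -key $work/keyA.pem -WWW"
echo "openssl s_server -cert $work/certB.pem -key $work/keyB.pem -WWW"
```

The two end-entity certificates share the subject `CN=localhost` and differ only in issuer, so any stale "verified by" text in the lock panel after a reload is attributable to the UI and not to the server.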
So this is changing your server certificate and then reloading the page while the doorhanger is still open? That doesn't sound like a terribly common use case.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
The "door hanger" ( what a name for the info field .. I suggest "TLS Banner" :) ) wasn't open, never said that. If you visit the site let's say at 10:00 and the cert gets replaced at 10:05 and you reload the page after 10:05, the door hanger still shows the old cert information until Firefox gets restarted. It never updates it automatically. But I agree, not the worst Firefox problem for most users. I, on the other hand, got mad, because I thought my cert change did not work and debugged my webserver for a mistake, that wasn't his fault :D So, I think it should be fixed sooner rather than later.
Severity: normal → S3

I have accidentally filed a dupe for this with alternative STRs and some insights: bug 1903240. (I wonder how I could have missed this report.)

> So this is changing your server certificate and then reloading the page while the doorhanger is still open?

Not doorhanger, but the page in concrete tab. It may be the once rendered doorhanger is just not re-rendered with new data, unless some other tab renders another doorhanger (at least symptoms indicate it might be something like this).

> I on the other hand, got mad, because i thought my cert change did not work and debugged my webserver for a mistake, that wasn't his fault

This is basically my case as well, just been messing with "MITM" (Fiddler) proxy and got pretty scared when Fx kept telling me that reloaded page still uses fake "DO_NOT_TRUST" authority, even after returning back to normal connection.

Duplicate of this bug: 1903240
Priority: P5 → P3

The alternative approach would be to also check whether the cert changed
using gBrowser.securityUI.secInfo.serverCert. However, caching the
security information doesn't seem worth the effort here, because it only
applies when the url is exactly the same (uri.spec). And checking
whether the cert is exactly the same looks more expensive to do each
time vs the slim benefit of rarely not needing to update the UI.

Assignee: nobody → manuel
Status: NEW → ASSIGNED
Attachment #9408880 - Attachment description: Bug 1452899 - Update the certificate security info on changed certificate in url bar lock icon r=#anti-tracking → Bug 1452899 - Update the certificate security info on changed certificate in url bar lock icon r=pbz
Pushed by mbucher@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5a295fa44a48 Update the certificate security info on changed certificate in url bar lock icon r=pbz
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch