Open
Bug 1457557
Opened 6 years ago
Updated 2 years ago
Describing mixed content as "broken encryption" is surprising
Categories
(Firefox :: Page Info Window, defect)
UNCONFIRMED
People
(Reporter: tdsmith, Unassigned)
Details
Attachments
(4 files)
While browsing I noticed that my address bar contained the yellow-warning-sign-lock icon. I clicked into the security tab of the page info to find out why, and was surprised to see the screen on the left, saying "Broken encryption (totally_reasonable_cipher_suite)". It took me a while to realize that this was a description of the mixed passive content on the page and not a problem with the cipher suite. (The dialog box on the right shows that another site with the same cipher suite is not recognized as broken.) I don't think the language in the dialog box correctly represents the hazards about mixed passive content, and I think the close association of "broken encryption" with the cipher suite misleadingly implies that the cipher suite is the identified problem.
Comment 1•6 years ago
Hm, we have a dedicated mixed encryption copy and it works for me on https://mixed.badssl.com. Can you please try it on https://mixed.badssl.com in your browser and maybe with a new profile? https://searchfox.org/mozilla-central/rev/68fdb6cf4f40bea1a1f6c07531ebf58fb8ab060b/security/manager/locales/en-US/chrome/pippki/pippki.properties#106
Status: NEW → UNCONFIRMED
Ever confirmed: false
Flags: needinfo?(tdsmith)
Comment 2•6 years ago
Works fine on fivethirtyeight for me, too (though it's weird how they have HTTPS not on their front page). What version of Firefox is this on?
Reporter
Comment 3•6 years ago
This is looking weirder than I thought; sorry! I do indeed see the right copy at mixed.badssl.com. On 538, I get a green lock for 60 seconds, and then the lock icon switches to the degraded mode. If I have the devtools network panel open, I see a request to Facebook (a POST to https://www.facebook.com/ajax/bz) firing at the 60 second mark (but if the devtools toolbox is open, the green lock icon does not change). Firefox is 59.0.2 (64-bit) on OS X 10.13.4. This happens reliably on my usual profile but I can't reproduce on a clean profile. I use Facebook Container and uBlock Origin, but installing those into the test profile and being logged into Facebook or not in the container doesn't seem to make a difference.
Flags: needinfo?(tdsmith)
Comment 4•6 years ago
Phew, that's quite tricky. Do you get any error logged in the devtools console or the browser console? https://developer.mozilla.org/en-US/docs/Tools/Browser_Console
Comment 5•6 years ago
Security technical details showing broken encryption.
Comment 6•6 years ago
Devtools showing an insecure connection for a Websocket connection.
Comment 7•6 years ago
Websocket connection failure showing in the console.
Comment 8•6 years ago
I did have the same misleading message running Firefox 60.2.0esr (64-bit). In this case it seems a Websocket connection failed to establish, leading to this message showing.
Updated•2 years ago
Severity: normal → S3