Open Bug 1457557 Opened 6 years ago Updated 2 years ago

Describing mixed content as "broken encryption" is surprising

Categories: (Firefox :: Page Info Window, defect), 59 Branch

Status: UNCONFIRMED

People: (Reporter: tdsmith, Unassigned)

Attachments: (4 files)

Attached image Page Info security tab
While browsing I noticed that my address bar contained the yellow-warning-sign-lock icon. I clicked into the security tab of the page info to find out why, and was surprised to see the screen on the left, saying "Broken encryption (totally_reasonable_cipher_suite)". It took me a while to realize that this was a description of the mixed passive content on the page and not a problem with the cipher suite. (The dialog box on the right shows that another site with the same cipher suite is not recognized as broken.)

I don't think the language in the dialog box correctly represents the hazards of mixed passive content, and I think the close association of "broken encryption" with the cipher suite misleadingly implies that the cipher suite is the identified problem.

Hm, we have a dedicated mixed encryption copy and it works for me on https://mixed.badssl.com. Can you please try it on https://mixed.badssl.com in your browser and maybe with a new profile?

https://searchfox.org/mozilla-central/rev/68fdb6cf4f40bea1a1f6c07531ebf58fb8ab060b/security/manager/locales/en-US/chrome/pippki/pippki.properties#106

Status: NEW → UNCONFIRMED
Ever confirmed: false
Flags: needinfo?(tdsmith)

Works fine on fivethirtyeight for me, too (though it's weird how they have HTTPS not on their front page). What version of Firefox is this on?

This is looking weirder than I thought; sorry! I do indeed see the right copy at mixed.badssl.com.

On 538, I get a green lock for 60 seconds, and then the lock icon switches to the degraded mode. If I have the devtools network panel open, I see a request to Facebook (a POST to https://www.facebook.com/ajax/bz) firing at the 60 second mark (but if the devtools toolbox is open, the green lock icon does not change).

Firefox is 59.0.2 (64-bit) on OS X 10.13.4.

This happens reliably on my usual profile but I can't reproduce on a clean profile. I use Facebook Container and uBlock Origin, but installing those into the test profile and being logged into Facebook or not in the container doesn't seem to make a difference.

Flags: needinfo?(tdsmith)

Phew, that's quite tricky. Do you get any error logged in the devtools console or the browser console? https://developer.mozilla.org/en-US/docs/Tools/Browser_Console

Attached image broken-encryption.png
Security technical details showing broken encryption.
Devtools showing an insecure connection for a WebSocket connection.
WebSocket connection failure showing in the console.

I did have the same misleading message running Firefox 60.2.0esr (64-bit). In this case it seems a WebSocket connection failed to establish, leading to this message showing.

Severity: normal → S3