[meta] Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement

Status: NEW, Unassigned; priority P1, severity normal
Reported: 7 months ago; Modified: a month ago
Reporter: kwilson
Keywords: site-compat
Version: unspecified; Platform: Unspecified; OS: All
Firefox Tracking Flags: firefox-esr52 unaffected, firefox-esr60 unaffected, firefox61 unaffected, firefox62 unaffected, firefox63 affected

(Reporter)

Description

7 months ago
Bug #1460062 implements the distrust of any TLS certificate that chains up to an old Symantec root, regardless of when it was issued.

Reference:
https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/

On August 14, 2018, users of Firefox Nightly (FF 63) started getting the MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED error for websites whose SSL certificates still chain up to one of the old Symantec root certs.

The purpose of this bug is for Firefox Nightly users to report the websites for which they run into this error, rather than filing a bug for each problematic site.
(Reporter)

Comment 1

7 months ago
I have closed Bug #1436062, since it related to the previous phase of the distrust of the old Symantec roots.

Here's a list of the sites that were reported in that bug but that relate to the current phase.

https://www.orange.fr/
https://www.hsbc.fr
https://my.ebay.co.uk/
https://www.johnlewis.com/
https://www.pcworld.co.uk/
https://www.currys.co.uk/
https://www.southwesttrains.co.uk/
https://home.bt.com/
https://www.o2.co.uk/
https://oyster.tfl.gov.uk/
odeon.co.uk
cineworld.co.uk
myvue.com
https://www.mcdonalds.com
https://www.addisonlee.com/
https://uk.lush.com/
https://www.free.fr/
https://www.republicservices.com/
bofa online banking billpay page
(Reporter)

Updated

7 months ago
Duplicate of this bug: 1483413

Comment 3

7 months ago
Enforcement of this error can be disabled by setting security.pki.distrust_ca_policy to '1' in about:config. Changing the value back to '2' will re-enable this change. If you choose to make this change, please heed the warnings presented when accessing about:config.

Comment 4

7 months ago
paypal is also affected, rather major bug
https://www.etymonline.com/

Is one I just ran into.

Comment 10

7 months ago
https://bahn.de (one of the biggest (probably the biggest?) public transport providers in Germany)
Duplicate of this bug: 1483734
https://scgi.ebay.com.au (e.g. serving verification codes for form submission)
Screenshot: https://screenshots.firefox.com/UJZpXJEAuTyvCgZS/contact.ebay.com.au
See Also: → bug 1409257

Comment 14

7 months ago
Add https://secure.osp.ovh.com/ to the list.

Updated

7 months ago
Duplicate of this bug: 1484426
https://netvibes.com is broken because cdn.netvibes.com uses a Symantec certificate.
(Reporter)

Updated

7 months ago
Assignee: nobody → nobody
Component: CA Certificates Code → Desktop
Product: NSS → Tech Evangelism
Version: 3.35 → unspecified
(Reporter)

Comment 18

7 months ago
(In reply to Albert Scheiner [:alberts] from comment #12)
> 
> Should this bug rather life under "Tech Evangelism" as it is about something
> the owners of those sites have to change?

Good point. I updated the bug component/product.  Thanks.
Keywords: site-compat
2 of the 4 major Japanese bank sites are blocked due to Symantec EV certs:

https://web.ib.mizuhobank.co.jp/
https://www.resonabank.co.jp/

Updated

7 months ago
Duplicate of this bug: 1484490

Updated

7 months ago
Duplicate of this bug: 1484546
Duplicate of this bug: 1484606

Comment 32

7 months ago
another affected site: https://www.docusign.net - the home page still works, but after login it no longer works. --> https://na2.docusign.net/member/MemberLogin.aspx?ReturnUrl=/Member

Comment 37

7 months ago
https://www.surugabank.co.jp/ (Planning to fix the situation)
https://www.jcb.co.jp/ (Planning to fix the situation)
https://faq.jcb.co.jp/ (Planning to fix the situation)
https://jcb.custhelp.com/ (Planning to fix the situation)
https://www.okidokiland.com/
https://www2.cr.mufg.jp/
https://mail.ocn.ne.jp/
https://sp5971.jal.co.jp/
I know ebay is already in here for a bunch of domains, but there's also:

https://cgi5.ebay.com

Which seems to be used for selling items.

Also:

https://1eaf.cardinalcommerce.com/

Which was used by homedepot.com to do the verified by AmEx (and presumably verified by VISA) thing.

Comment 39

7 months ago
You can add the Playstation Store to the list of sites

https://store.playstation.com
Duplicate of this bug: 1484736
Ameriprise Financial login https://www.ameriprise.com/client-login/
Duplicate of this bug: 1485021

Comment 43

7 months ago
Navy Federal Credit Union's online Banking: https://myaccounts.navyfederal.org
First National Bank of Pennsylvania's online banking: https://banking.fnb-onlinebankingcenter.com

(the general sales-pitch landing page for both institutions is fine, it's just the online banking area that's using a Symantec cert in both cases)
Duplicate of this bug: 1485321
https://www.lhv.ee/ (Estonian bank heavily relying on online banking) fails as well.

Updated

7 months ago
Duplicate of this bug: 1485406

Comment 48

7 months ago
https://www.intel.co.jp/ (Intel Driver & Support Assistant Tray is affected)

Comment 50

7 months ago
I cannot enter https://www.thesims3.com without getting this error, and there is no option to add this public site to an exception list. I am using the Nightly browser.

Comment 51

7 months ago
add BMO Harris Bank bill pay to the list please

Comment 52

7 months ago
https://particuliers.societegenerale.fr/ (subdomain related to pictures and CSS)
Duplicate of this bug: 1485283

Comment 55

7 months ago
https://www.horizonblue.com is another site affected by this.

Updated

7 months ago
Duplicate of this bug: 1486041

Comment 63

7 months ago
https://www.miele.at/ (household appliances, Symantec cert)

A more tricky one is https://hotspot.t-mobile.net/TD/hotspot/MUC_Airport/en_GB/index.html which is the entrance page to free wifi at MUC airport (apparently the domain is only reachable from their wifi hotspots, but I guess T-Mobile Germany / Deutsche Telekom is the operator)

Updated

7 months ago
Duplicate of this bug: 1486222
https://www.arborday.org/
https://www.arbordayfarm.org/
https://www.liedlodge.org/

I messaged @arborday on Twitter, FWIW.
status-firefox61: --- → unaffected
status-firefox62: --- → unaffected
status-firefox63: --- → affected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
OS: Unspecified → All
Duplicate of this bug: 1486367

Comment 69

7 months ago
Got it this morning. I cannot access paypal when I want to buy an album on Bandcamp. I had to use Chromium instead :(
(In reply to Frederic Bezies from comment #69)
> Got it this morning. I cannot access to paypal when I wanted to buy an album
> on Bandcamp. I had to use Chromium instead :(

as mentioned in comment 3 above

> Enforcement of this error can be disabled by setting security.pki.distrust_ca_policy to '1' in about:config. 
> Changing the value back to '2' will re-enable this change. If you choose to make this change, please heed the 
> warnings presented when accessing about:config.

alternatively you could use Firefox Beta or Developer Edition for the time being.

Comment 71

7 months ago
You can remove Com Bank from the list. I had a chat to them on Facebook and they have fixed the issue. Likely someone should reach out to orgs listed on this list and give them a gentle prod. Paypal and Ebay in particular. (I haven't needed to try Ebay but Paypal was out when I used it yesterday.)
(Reporter)

Comment 72

7 months ago
(In reply to Yani from comment #71)
> You can remove Com Bank from the list. I had a chat to them on Facebook and
> they have fixed the issue. Likely someone should reach out to orgs listed on
> this list and give them a gentle prod. Paypal and Ebay in particular. (I
> haven't needed to try Ebay but Paypal was out when I used it yesterday.)

Yani, thank you for reaching out to the owner of a website to let them know that they needed to update their SSL certs!

All, seems like a great idea to me... If you can reach out to the owners of the websites that you use, they might fix their webserver certs quickly. I suppose it is possible that owners of the smaller websites may not be aware that their sites are starting to break due to the planned distrust of the old Symantec roots.

Comment 73

7 months ago
I've reached out to a few:

ovh: No response
virgin money: They forwarded my request to another dept, no response since
nationwide: They said they have updates coming soon but didn't specify a date
odeon: Couldn't find an email to send to.
paypal: Got forwarded to another dept, no response since.
myvue: No response

It may be the cynic in me, but I'd bet that a large portion of the sites listed here will only replace their certs either just before this hits the stable channels (in Chrome or Firefox, whichever comes first) or will panic once they get inundated by people complaining after it hits stable.

I also think this has already hit safari, my wife has an iPhone and myvue.com throws a security warning for her.

Comment 74

7 months ago
https://suchen.mobile.de/ is affected as well

Comment 76

7 months ago
https://www.agcom.it/

AGCOM is the Italian communications authority. No response from their webmasters so far.
Duplicate of this bug: 1486708

Comment 80

7 months ago
(In reply to Florent from comment #68)
> https://www.oui.sncf/

I pinged Oui.SNCF on twitter about this and via a few internal contacts I have.

Wait'n see

Comment 83

7 months ago
German ISPs
https://www.netaachen.de/

https://account.1und1.de/
https://hilfe-center.1und1.de/

I tried to contact both of them. (We'll see if they'll answer)

Comment 85

7 months ago
Don't know if they're listed but you can add:

https://www.pole-emploi.fr/accueil/ -> French employment services
https://www.cdiscount.com/ -> French Amazon-like online shopping
(In reply to Frederic Bezies from comment #85)
> Don't know if they're listed but you can add:
> 
> https://www.pole-emploi.fr/accueil/ -> French employment services
> https://www.cdiscount.com/ -> French Amazon-like online shopping

I contacted pole-emploi one week ago by email, the change is planned.

Comment 88

7 months ago
(In reply to Guillaume Démésy [:magsout] from comment #86)
> (In reply to Frederic Bezies from comment #85)
> > Don't know if they're listed but you can add:
> > 
> > https://www.pole-emploi.fr/accueil/ -> French employment services
> > https://www.cdiscount.com/ -> French Amazon-like online shopping
> 
> I contacted pole-emploi one week ago by email, the change is planned.

Thanks for the info. Looks like a lot of sites are broken... When Mozilla Firefox 63 is released, there is going to be a lot of shouting...

Comment 89

7 months ago
(In reply to Frederic Bezies from comment #88)
> Thanks for the info. Looks like a lot of sites are broken... When Mozilla
> Firefox 63 will be released, there is going to be a lot of shouting...

Maybe, esp. because those sites will break in the Chrome release at just about the same time:
"Around the week of October 23, 2018, Chrome 70 will be released, which will fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued." https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
So at least the shouting will not be about Mozilla/Firefox only, I hope, as AFAIK all major browser vendors will distrust Symantec at about the same time (Chrome Canary has the same "issues" as Firefox Nightly with this right now, from what I hear).
Also reproducible on the Help section of https://www.scottishpower.co.uk/

Comment 91

7 months ago
(In reply to Gingerbread Man from comment #65)
> https://mabanque.fortuneo.fr as per bug 1486222

Fortuneo acknowledged the issue and replied on twitter that an SSL certificate update is planned soon:
https://twitter.com/fortuneo/status/1034708546364076032

(In reply to Florent from comment #80)
> (In reply to Florent from comment #68)
> > https://www.oui.sncf/
> 
> I pinged Oui.SNCF on twitter about this and via a few internal contacts I
> have.
> 
> Wait'n see

I also had feedback from Oui.SNCF. They are aware of the issue and an update with certificates issued by COMODO is planned in September.

Comment 92

7 months ago
Add https://www.leekunited.co.uk to the list. I've pinged them an email.

Comment 93

7 months ago
https://cnnindonesia.com (CNN Indonesia, the global CNN site uses GlobalSign certificate)

Comment 94

7 months ago
https://kemdikbud.go.id (Indonesia's Ministry of Education website)

Updated

7 months ago
Duplicate of this bug: 1487209
(In reply to rowan from comment #14)
> Add https://secure.osp.ovh.com/ to the list.

I contacted them by Twitter https://mobile.twitter.com/magsout/status/1031426967558647808
I do not receive a certificate notice anymore on https://login.frontier.com/webmail on Windows computer but I still get a warning with my Macbook Pro computer when accessing https://login.frontier.com/webmail. Just an FYI. Have cleared cookies and history.

Comment 106

7 months ago
(In reply to Gingerbread Man from comment #60)
> As per bug 1486041
> https://yourfnbbank.com
> https://fnbsal.secure.fundsxpress.com

certs have been updated on the aforementioned sites.
Working now under version 63.0a1 "nightly".

Comment 107

7 months ago
https://login.openathens.net - I've emailed their support.

Comment 109

7 months ago
Also affected: subpages of one of Germany's larger newspapers, FAZ (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/, https://abo.faz.net/ and https://einspruch.faz.net

Comment 110

7 months ago
Further to comment 6, https://www.iso10383.org/ is no longer affected.  I can also no longer find any affected links run by SWIFT from the list at https://viewdns.info/reversewhois/?q=S.W.I.F.T.+SCRL (known: lots of these do not point at a website or just redirect to https://www.swift.com ).
https://www.equabank.cz/ (uses a Thawte SSL certificate, Symantec group) is also affected.
(In reply to Tobias Burnus from comment #109)
> Also affected: subpages of one of Germany's larger newspaper FAZ
> (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/,
> https://abo.faz.net/ and https://einspruch.faz.net

I sent an email to info@faz.net.

Comment 113

7 months ago
Another one: https://webmail.free.fr/ = webmail interface from a French ISP.
https://kakaocorp.com Kakao, a South Korean tech company (AFAIK it is still using Thawte)

Comment 115

7 months ago
https://www.nationwide.co.uk is now fixed.
(In reply to Kathleen Wilson from comment #1)
> I have closed Bug #1436062, since it was in regards to the previous phase of
> the distrust of the old Symantec roots.
Haven't made it through all of them, but some
 
> Here's a list of the sites that were reported in that bug, but are in
> regards to the current phase.
> 

These work for me => seem fixed:
> https://www.orange.fr/
> https://www.hsbc.fr
> https://my.ebay.co.uk/
> https://www.johnlewis.com/
> https://www.o2.co.uk/

I have sent emails to these:
> https://www.pcworld.co.uk/
> https://www.currys.co.uk/
> https://home.bt.com/
> https://oyster.tfl.gov.uk/

and this one is a "Bad Cert Domain" rather than Symantec:
> https://www.southwesttrains.co.uk/

These ones are still broken and need to be contacted:
> odeon.co.uk
> cineworld.co.uk
> myvue.com
> https://www.mcdonalds.com
> https://www.addisonlee.com/
> https://uk.lush.com/
> https://www.free.fr/
> https://www.republicservices.com/
> bofa online banking billpay page
https://jakarta.go.id (Official website of Government of Jakarta, Indonesia)

Comment 119

7 months ago
https://online.virginmoney.com/ is now fixed.

Comment 120

7 months ago
https://www.southwesttrains.co.uk/

Local knowledge: This company essentially no longer exists. The ludicrous muddle of "privatising" a natural monopoly in the form of Britain's railways means companies like South West Trains run "franchises" which run for some period of time, and they can be outbid when renewing the franchise. The exact same trains, with the same employees, running the same services, but with new paint or in some cases stickers, are now South Western Railway as opposed to South West Trains, a legally different company and different beneficial owners.

So even if South West Trains legally does still operate that site, or it's being operated by South Western Railway instead after the transition, it is unlikely they'll fix it. Fortunately passengers were at the wrong site anyway, when they Google they'll end up at SWR. In a sense the blame, as usual, lies with the ideologues who made this mess necessary.

Comment 121

7 months ago
https://hoyts.co.nz One of the larger cinema chains in New Zealand
https://hoyts.com.au/ - raised a ticket (317009), also included https://hoyts.co.nz
https://webpayments.billmatrix.com is broken as well. It is a web payment portal.

Comment 126

7 months ago
https://c.xkcd.com/ which is used for xkcd's random function. I've sent an email about it.
(In reply to Bob from comment #125)
> https://toolbox3.iinet.net.au/login

i've reached out to iinet.
Contacted jakarta.go.id site author via Twitter: https://twitter.com/ReinPre10/status/1038085227573272578?s=19
https://bankmandiri.co.id (Mandiri Bank, Indonesia)

Comment 132

7 months ago
Am I supposed to report inaccessible domains here?

I've found two Chinese sites:

https://passport.biligame.com owned by the video site bilibili
*.b0.upaiyun.com, owned by the CDN provider upyun, used for customer's resources, e.g. https://lilyimg.b0.upaiyun.com/blog/prctl-subreap/htop-awesome-tree.png

Comment 133

7 months ago
> Am I supposed to report unaccessible domains here?

If it's bringing up the security warning like this one does then yep!

Comment 134

7 months ago
Response from London's TFL 
"We are aware".. "attempted to update the certs to a new provider last week but there were issues that we had to request re-issue of the cert.".. "to attempt this again this week and we should be able to get the new certificate before the Firefox and Chrome updates come in to place for non-beta users."

https://techforum.tfl.gov.uk/t/symantec-ssl-tls-certificate-distrust/671/3

Comment 136

6 months ago
https://www.nhsbsa.nhs.uk - I can't spot a contact email for them, but they do have a twitter: https://twitter.com/NHSBSA. I don't have twitter, so if anyone here that has twitter would be willing to notify them I'd appreciate it.
(In reply to rowan from comment #136)
> https://www.nhsbsa.nhs.uk I can't spot a contact email for them but they do
> have a twitter https://twitter.com/NHSBSA I don't have twitter so if anyone
> here that has twitter would be willing to notify them I'd appreciate it.

Sent an email to nhsbsa.dataprotection@nhs.net cc'ing nhsbsa.communicationsteam@nhs.net. Hope they will forward to the right team(s).

Comment 138

6 months ago
https://www.sendmail.org/ I've emailed them.

Thanks Albert for sorting the NHS!

Comment 139

6 months ago
FWIW, PayPal is fixed, they have DigiCert now.

Comment 140

6 months ago
London TFL has been fixed via DigiCert expiring 2020.

Comment 141

6 months ago
https://secure.goldpoint.co.jp/

sent a request to update their cert via the contact form.

Comment 144

6 months ago
https://mobile.free.fr/moncompte/ -> French mobile phone provider account login page.
bankmandiri.co.id has already changed their certificate to DigiCert.

Comment 147

6 months ago
sendmail.org said they'll replace it by October
https://www.marketforces.org.au/ -> contacted via email
---
https://secure.webdirections.org/ -> They will change it shortly
I am still receiving warnings when accessing https://login.frontier.com/webmail
FF just upgraded to 64.0a1

Comment 151

6 months ago
(In reply to dougskis@frontier.com from comment #150)
> I am still receiving warnings when accessing 
> https://login.frontier.com/webmail  
> FF just upgraded to 64.0a1

I assume they're your ISP? If so, it's probably best you email/phone them; they're more likely to respond to a customer than to anyone else randomly emailing them.
I contacted Frontier tech support, was told that their certificate does not expire until next year and to use a different browser to access my frontier.com email.

Comment 153

6 months ago
lol I'll send them one as well, trying to explain it more.

Comment 154

6 months ago
(In reply to rowan from comment #151)
> I assume they're your ISP? If so probably best you email/phone them they're
> more likely to respond to a customer than anyone else randomly emailing them.

oh, you're right. Dougskis you could answer them again, if you're up for it

In that case: dougskis, have you sent them these links, that explain it?
https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/

In any case: It's not just two browsers, it's literally all of them, except Microsoft, who will distrust in early 2019 (couldn't find any date)
And the upgrade to digicert is for free.

A few more links:
https://support.apple.com/en-us/HT208860
https://knowledge.digicert.com/alerts/ALERT2562.html

I'm a bit confused by this link right now:
https://knowledge.digicert.com/alerts/ALERT2530.html
It says certificates issued after 12.01.2018 are distrusted by Chrome and Safari right now.
The frontier certificate is from 19.01.2018 but is still being trusted by Chrome Release (haven't tested safari).
I do not have any problems with Google Chrome getting a certificate error accessing my webmail. I am not going to pursue it any further with Frontier, they must not be getting that many complaints. Cable is finally running down the street and I will discontinue service with Frontier, as the fastest internet speed I can get now is 3 mbps. I do get a certificate error with Safari on my Macbook computer. I use FF with it also.
I just like FF.

Comment 156

6 months ago
(In reply to comment #109)
> Also affected: subpages of one of Germany's larger newspaper FAZ
> (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/,
> https://abo.faz.net/ and https://einspruch.faz.net

Hmm, only 50% fixed – epaper.faz.net & einspruch.faz.net are still affected; I did write them, Albert (comment 112) did, but still not a full success. Let's try again :-(

charts.reuters.com  (used by www.reuters.com) is also affected; I wrote them yesterday – let's see whether it will help.

Comment 158

6 months ago
https://www.rs-online.com/ if I remember in the morning I'll ping them an email

Comment 159

6 months ago
(In reply to rowan from comment #158)
> https://www.rs-online.com/ if I remember in the morning I'll ping them an
> email

I remembered and emailed them.

Comment 160

6 months ago
https://www.simplyscience.ch
I contacted them just now.

Comment 162

6 months ago
cardinalcommerce.com are planning to update the certificate tomorrow https://cardinalcommercecorporation.statuspage.io/incidents/268536hn4zzm

Comment 164

6 months ago
https://www.cas-education.de/

I sent them an e-mail.

Comment 166

5 months ago
https://sacramento.aero I've emailed them.
bankmandiri.co.id has already switched to DigiCert
I've contacted https://www.foyles.co.uk/.

Comment 171

5 months ago
https://www.suedtirolnews.it/ doesn't work (written an email but no reply)
epaper.faz.net and epaper.faz.net are still affected despite emails.
[Side note: one of my Chrome 70 has started rejecting Symantec certificates.]

Comment 173

2 months ago

http://livedrawsgp.biz doesn't work (written an email but no reply)
epaper.faz.net and epaper.faz.net are still affected despite emails.
[Side note: one of my Chrome 70 has started rejecting Symantec certificates.]

Comment 174

2 months ago

I've found a new one: https://epay.12306.cn/ this is the payment gateway for buying railway tickets in mainland China.

Summary: Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement → [meta] Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement
Component: Desktop → Desktop
Product: Tech Evangelism → Web Compatibility