Closed Bug 1484006 Opened 2 years ago Closed 10 months ago

[meta] Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement

Categories

(Web Compatibility :: Desktop, defect, P1)

Unspecified
All
defect

Tracking

(firefox-esr52 unaffected, firefox-esr60 unaffected, firefox61 unaffected, firefox62 unaffected, firefox63 affected)

RESOLVED FIXED
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- affected

People

(Reporter: kwilson, Unassigned)

References

Details

(Keywords: site-compat)

Bug #1460062 implements the distrust of any TLS certificate that chains up to an old Symantec root, regardless of when it was issued.

Reference:
https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/

On August 14, 2018, users of Firefox Nightly (FF 63) started getting the MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED error for websites whose SSL certificates still chain up to the old Symantec root certs.

The purpose of this bug is for Firefox Nightly users to report the websites for which they run into this error, rather than filing a bug for each problematic site.
I have closed Bug #1436062, since it was in regards to the previous phase of the distrust of the old Symantec roots.

Here's a list of the sites that were reported in that bug but relate to the current phase.

https://www.orange.fr/
https://www.hsbc.fr
https://my.ebay.co.uk/
https://www.johnlewis.com/
https://www.pcworld.co.uk/
https://www.currys.co.uk/
https://www.southwesttrains.co.uk/
https://home.bt.com/
https://www.o2.co.uk/
https://oyster.tfl.gov.uk/
odeon.co.uk
cineworld.co.uk
myvue.com
https://www.mcdonalds.com
https://www.addisonlee.com/
https://uk.lush.com/
https://www.free.fr/
https://www.republicservices.com/
bofa online banking billpay page
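Site owners and reporters on this bug mostly found out about the legacy chain only from the browser error. As an added example (not code from the bug or from Mozilla), the script below parses the "Certificate chain" section that `openssl s_client -showcerts` prints and checks whether the issuer of the last certificate the server sent, i.e. the trust anchor the client will look up, belongs to one of the legacy Symantec-family organizations. Both chain texts are constructed samples, and the organization list is a name-based heuristic: Firefox's real check matches the specific root certificates shipped in NSS, not names, so treat a "legacy" verdict as a prompt to check the chain properly rather than as the final word.

```python
"""Spot TLS chains that terminate at a legacy Symantec-family root.

Added example for this bug, not code from Mozilla or from the bug itself.
It parses the "Certificate chain" section that `openssl s_client -showcerts`
prints and checks the organization of the final issuer. The two chain texts
below are constructed samples, and the organization list is a name-based
heuristic: Firefox's real check matches the specific root certificates
shipped in NSS, not names.
"""
import re

# Organizations that operated the legacy roots covered by the distrust
# (Symantec and its VeriSign, GeoTrust, Thawte and Equifax brands). Heuristic.
LEGACY_SYMANTEC_ORGS = {
    "symantec corporation",
    "verisign, inc.",
    "geotrust inc.",
    "thawte, inc.",
    "equifax",
}

# Constructed sample: a chain that still ends at an old VeriSign root.
LEGACY_CHAIN = """\
Certificate chain
 0 s:C = GB, L = London, O = Example Bank plc, CN = online.example-bank.test
   i:C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
 1 s:C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
   i:C = US, O = VeriSign, Inc., OU = VeriSign Trust Network, OU = (c) 2006 VeriSign, Inc. - For authorized use only, CN = VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
"""

# Constructed sample: a chain that has been reissued under a DigiCert root.
DIGICERT_CHAIN = """\
Certificate chain
 0 s:C = US, O = Example Shop LLC, CN = shop.example.test
   i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
 1 s:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
"""

SUBJECT_LINE = re.compile(r"^\s*\d+\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")
# One "KEY = value" element of an OpenSSL 1.1-style name; the lookahead keeps
# values that themselves contain ", " (such as "VeriSign, Inc.") intact.
RDN = re.compile(r"(?:^|, )(?P<key>[A-Za-z.]+) = (?P<val>.*?)(?=, [A-Za-z.]+ = |$)")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    entries, subject = [], None
    for line in text.splitlines():
        m = SUBJECT_LINE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            entries.append((subject, m.group(1).strip()))
            subject = None
        elif line.startswith("---") and entries:
            break  # the chain section is over
    return entries


def rdn_value(dn, attr):
    """First value of attribute `attr` (e.g. "O") in a printed name, or ""."""
    for m in RDN.finditer(dn):
        if m.group("key") == attr:
            return m.group("val")
    return ""


def assess_chain(text):
    """Classify a chain by the issuer of its last certificate.

    Servers usually omit the self-signed root, so the last issuer names the
    trust anchor the client will look up.
    """
    entries = parse_chain(text)
    if not entries:
        raise ValueError("no certificate chain found in input")
    root_issuer = entries[-1][1]
    root_org = rdn_value(root_issuer, "O")
    return {
        "leaf": rdn_value(entries[0][0], "CN"),
        "root_issuer": root_issuer,
        "root_org": root_org,
        "legacy_symantec": root_org.lower() in LEGACY_SYMANTEC_ORGS,
    }


if __name__ == "__main__":
    for name, chain in (("legacy", LEGACY_CHAIN), ("digicert", DIGICERT_CHAIN)):
        report = assess_chain(chain)
        verdict = "LEGACY SYMANTEC ROOT" if report["legacy_symantec"] else "ok"
        print(f"{name}: {report['leaf']} -> {report['root_org']}: {verdict}")
```

To run it against a live site, capture the chain with `openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>/dev/null > chain.txt` and pass the file contents to `assess_chain`. The check deliberately looks only at the final issuer: certificates DigiCert reissued after taking over the Symantec brands carry Symantec-era names in their intermediates but chain to DigiCert roots, and those are not affected by this distrust.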
Duplicate of this bug: 1483413
Enforcement of this error can be disabled by setting security.pki.distrust_ca_policy to '1' in about:config. Changing the value back to '2' will re-enable this change. If you choose to make this change, please heed the warnings presented when accessing about:config.
PayPal is also affected, rather major bug
https://www.etymonline.com/

Is one I just ran into.
https://bahn.de (one of the biggest (probably the biggest?) public transport providers in Germany)
Duplicate of this bug: 1483734
See Also: → 1409257
Add https://secure.osp.ovh.com/ to the list.
Duplicate of this bug: 1484426
https://netvibes.com is broken because cdn.netvibes.com uses a Symantec certificate.
Assignee: nobody → nobody
Component: CA Certificates Code → Desktop
Product: NSS → Tech Evangelism
Version: 3.35 → unspecified
(In reply to Albert Scheiner [:alberts] from comment #12)
> 
> Should this bug rather life under "Tech Evangelism" as it is about something
> the owners of those sites have to change?

Good point. I updated the bug component/product.  Thanks.
Duplicate of this bug: 1484252
Keywords: site-compat
2 of the 4 major Japanese bank sites are blocked due to Symantec EV certs:

https://web.ib.mizuhobank.co.jp/
https://www.resonabank.co.jp/
Duplicate of this bug: 1484490
Duplicate of this bug: 1484546
Duplicate of this bug: 1484606
another affected site: https://www.docusign.net - the home page still works, but after login it no longer works. --> https://na2.docusign.net/member/MemberLogin.aspx?ReturnUrl=/Member
https://www.surugabank.co.jp/ (Planning to fix the situation)
https://www.jcb.co.jp/ (Planning to fix the situation)
https://faq.jcb.co.jp/ (Planning to fix the situation)
https://jcb.custhelp.com/ (Planning to fix the situation)
https://www.okidokiland.com/
https://www2.cr.mufg.jp/
https://mail.ocn.ne.jp/
https://sp5971.jal.co.jp/
I know ebay is already in here for a bunch of domains, but there's also:

https://cgi5.ebay.com

Which seems to be used for selling items.

Also:

https://1eaf.cardinalcommerce.com/

Which was used by homedepot.com to do the verified by AmEx (and presumably verified by VISA) thing.
You can add the Playstation Store to the list of sites

https://store.playstation.com
Duplicate of this bug: 1484736
Duplicate of this bug: 1485021
Navy Federal Credit Union's online Banking: https://myaccounts.navyfederal.org
First National Bank of Pennsylvania's online banking: https://banking.fnb-onlinebankingcenter.com

(the general sales-pitch landing page for both institutions is fine, it's just the online banking area that's using a Symantec cert in both cases)
Duplicate of this bug: 1485321
https://www.lhv.ee/ (Estonian bank heavily relying on online banking) fails as well.
Duplicate of this bug: 1485406
https://www.intel.co.jp/ (Intel Driver & Support Assistant Tray is affected)
I cannot access https://www.thesims3.com without getting this error, and there is no option to add this public site to an exception list. I am using the Nightly browser.
add BMO Harris Bank bill pay to the list please
https://particuliers.societegenerale.fr/ (subdomain related to pictures and CSS)
Duplicate of this bug: 1485283
https://www.horizonblue.com is another site affected by this.
Duplicate of this bug: 1486041
https://www.miele.at/ (household appliances, Symantec cert)

A more tricky one is https://hotspot.t-mobile.net/TD/hotspot/MUC_Airport/en_GB/index.html, which is the entrance page to free wifi at MUC airport (apparently the domain is only reachable from their wifi hotspots, but I guess T-Mobile Germany / Deutsche Telekom is the operator)
Duplicate of this bug: 1486222
Duplicate of this bug: 1486367
Got it this morning. I cannot access PayPal when I wanted to buy an album on Bandcamp. I had to use Chromium instead :(
(In reply to Frederic Bezies from comment #69)
> Got it this morning. I cannot access PayPal when I wanted to buy an album
> on Bandcamp. I had to use Chromium instead :(

as mentioned in comment 3 above

> Enforcement of this error can be disabled by setting security.pki.distrust_ca_policy to '1' in about:config. 
> Changing the value back to '2' will re-enable this change. If you choose to make this change, please heed the 
> warnings presented when accessing about:config.

alternatively you could use Firefox Beta or Developer Edition for the time being.
You can remove Com Bank from the list. I had a chat to them on Facebook and they have fixed the issue. Likely someone should reach out to orgs listed on this list and give them a gentle prod. Paypal and Ebay in particular. (I haven't needed to try Ebay but Paypal was out when I used it yesterday.)
(In reply to Yani from comment #71)
> You can remove Com Bank from the list. I had a chat to them on Facebook and
> they have fixed the issue. Likely someone should reach out to orgs listed on
> this list and give them a gentle prod. Paypal and Ebay in particular. (I
> haven't needed to try Ebay but Paypal was out when I used it yesterday.)

Yani, thank you for reaching out to the owner of a website to let them know that they needed to update their SSL certs!

All, seems like a great idea to me... If you can reach out to the owners of the websites that you use, they might fix their webserver certs quickly. I suppose it is possible that owners of the smaller websites may not be aware that their sites are starting to break due to the planned distrust of the old Symantec roots.
I've reached out to a few:

ovh: No response
virgin money: They forwarded my request to another dept, no response since
nationwide: They said they have updates coming soon but didn't specify a date
odeon: Couldn't find an email to send to.
paypal: Got forwarded to another dept, no response since.
myvue: No response

It may be the cynic in me, but I'd bet that a large portion of the sites listed here will only replace their certs either just before this hits the stable channels (in Chrome or Firefox, whichever comes first) or will panic once they get inundated by people complaining after it hits stable.

I also think this has already hit safari, my wife has an iPhone and myvue.com throws a security warning for her.
https://suchen.mobile.de/ is affected as well
https://www.agcom.it/

AGCOM is the Italian communication authority. No response from their webmasters so far.
Duplicate of this bug: 1486708
(In reply to Florent from comment #68)
> https://www.oui.sncf/

I pinged Oui.SNCF on twitter about this and via a few internal contacts I have.

Wait'n see
German ISPs
https://www.netaachen.de/

https://account.1und1.de/
https://hilfe-center.1und1.de/

I tried to contact both of them. (We'll see if they'll answer)
Don't know if they're listed but you can add:

https://www.pole-emploi.fr/accueil/ -> French employment services
https://www.cdiscount.com/ -> French Amazon-like online shopping
(In reply to Frederic Bezies from comment #85)
> Don't know if they're listed but you can add:
> 
> https://www.pole-emploi.fr/accueil/ -> French employment services
> https://www.cdiscount.com/ -> French Amazon-like online shopping

I contacted pole-emploi one week ago by email, the change is planned.
(In reply to Guillaume Démésy [:magsout] from comment #86)
> (In reply to Frederic Bezies from comment #85)
> > Don't know if they're listed but you can add:
> > 
> > https://www.pole-emploi.fr/accueil/ -> French employment services
> > https://www.cdiscount.com/ -> French Amazon-like online shopping
> 
> I contacted pole-emploi one week ago by email, the change is planned.

Thanks for the info. Looks like a lot of sites are broken... When Mozilla Firefox 63 is released, there is going to be a lot of shouting...
(In reply to Frederic Bezies from comment #88)
> Thanks for the info. Looks like a lot of sites are broken... When Mozilla
> Firefox 63 is released, there is going to be a lot of shouting...

Maybe, esp. because those sites will break in the Chrome release at just about the same time:
"Around the week of October 23, 2018, Chrome 70 will be released, which will fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued." https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
So at least the shouting will not be about Mozilla/Firefox only, I hope, as AFAIK all major browser vendors will distrust Symantec at about the same time (Chrome Canary has the same "issues" as Firefox Nightly with this right now, from what I hear).
Also reproducible on the Help section of https://www.scottishpower.co.uk/
(In reply to Gingerbread Man from comment #65)
> https://mabanque.fortuneo.fr as per bug 1486222

Fortuneo acknowledged the issue and replied on Twitter that an SSL certificate update is planned soon:
https://twitter.com/fortuneo/status/1034708546364076032

(In reply to Florent from comment #80)
> (In reply to Florent from comment #68)
> > https://www.oui.sncf/
> 
> I pinged Oui.SNCF on twitter about this and via a few internal contacts I
> have.
> 
> Wait'n see

I also had feedback from Oui.SNCF. They are aware of the issue, and an update with certificates issued by COMODO is planned in September.
Add https://www.leekunited.co.uk to the list. I've pinged them an email.
https://cnnindonesia.com (CNN Indonesia, the global CNN site uses GlobalSign certificate)
https://kemdikbud.go.id (Indonesia's Ministry of Education website)
Duplicate of this bug: 1487209
I no longer receive a certificate notice on https://login.frontier.com/webmail on a Windows computer, but I still get a warning with my MacBook Pro when accessing https://login.frontier.com/webmail. Just an FYI. I have cleared cookies and history.
(In reply to Gingerbread Man from comment #60)
> As per bug 1486041
> https://yourfnbbank.com
> https://fnbsal.secure.fundsxpress.com


certs have been updated on the aforementioned sites.
Working now under version 63.0a1 "nightly".
https://login.openathens.net - I've emailed their support.
Also affected: subpages of one of Germany's larger newspapers, FAZ (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/, https://abo.faz.net/ and https://einspruch.faz.net
Further to comment 6, https://www.iso10383.org/ is no longer affected.  I can also no longer find any affected links run by SWIFT from the list at https://viewdns.info/reversewhois/?q=S.W.I.F.T.+SCRL (known: lots of these do not point at a website or just redirect to https://www.swift.com ).
https://www.equabank.cz/, which uses Thawte SSL (Symantec group), is also affected.
(In reply to Tobias Burnus from comment #109)
> Also affected: subpages of one of Germany's larger newspapers, FAZ
> (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/,
> https://abo.faz.net/ and https://einspruch.faz.net

I sent an email to info@faz.net.
Another one: https://webmail.free.fr/ = webmail interface from a French ISP.
https://kakaocorp.com Kakao, a South Korean tech company (AFAIK it is still using Thawte)
https://www.nationwide.co.uk is now fixed.
(In reply to Kathleen Wilson from comment #1)
> I have closed Bug #1436062, since it was in regards to the previous phase of
> the distrust of the old Symantec roots.
Haven't made it through all of them, but some
> Here's a list of the sites that were reported in that bug, but are in
> regards to the current phase.
> 

These work for me => seem fixed:
> https://www.orange.fr/
> https://www.hsbc.fr
> https://my.ebay.co.uk/
> https://www.johnlewis.com/
> https://www.o2.co.uk/

I have sent emails to these:
> https://www.pcworld.co.uk/
> https://www.currys.co.uk/
> https://home.bt.com/
> https://oyster.tfl.gov.uk/

and this one is a "Bad Cert Domain" rather than Symantec:
> https://www.southwesttrains.co.uk/

These ones are still broken and need to be contacted:
> odeon.co.uk
> cineworld.co.uk
> myvue.com
> https://www.mcdonalds.com
> https://www.addisonlee.com/
> https://uk.lush.com/
> https://www.free.fr/
> https://www.republicservices.com/
> bofa online banking billpay page
https://jakarta.go.id (Official website of Government of Jakarta, Indonesia)
https://online.virginmoney.com/ is now fixed.
https://www.southwesttrains.co.uk/

Local knowledge: This company essentially no longer exists. The ludicrous muddle of "privatising" a natural monopoly in the form of Britain's railways means companies like South West Trains run "franchises" which run for some period of time, and they can be outbid when renewing the franchise. The exact same trains, with the same employees, running the same services, but with new paint or in some cases stickers, are now South Western Railway as opposed to South West Trains, a legally different company and different beneficial owners.

So even if South West Trains legally does still operate that site, or it's being operated by South Western Railway instead after the transition, it is unlikely they'll fix it. Fortunately passengers were at the wrong site anyway, when they Google they'll end up at SWR. In a sense the blame, as usual, lies with the ideologues who made this mess necessary.
https://hoyts.co.nz One of the larger cinema chains in New Zealand
https://hoyts.com.au/ - raised a ticket (317009), also included https://hoyts.co.nz
https://webpayments.billmatrix.com is broken as well. It is a web payment portal.
https://c.xkcd.com/ which is used for xkcd's random function. I've sent an email about it.
(In reply to Bob from comment #125)
> https://toolbox3.iinet.net.au/login

I've reached out to iiNet.
Contacted jakarta.go.id site author via Twitter: https://twitter.com/ReinPre10/status/1038085227573272578?s=19
https://bankmandiri.co.id (Mandiri Bank, Indonesia)
Am I supposed to report inaccessible domains here?

I've found two Chinese sites:

https://passport.biligame.com owned by the video site bilibili
*.b0.upaiyun.com, owned by the CDN provider upyun, used for customers' resources, e.g. https://lilyimg.b0.upaiyun.com/blog/prctl-subreap/htop-awesome-tree.png
> Am I supposed to report inaccessible domains here?

If it's bringing up the security warning like this one does then yep!
Response from London's TFL 
"We are aware".. "attempted to update the certs to a new provider last week but there were issues that we had to request re-issue of the cert.".. "to attempt this again this week and we should be able to get the new certificate before the Firefox and Chrome updates come in to place for non-beta users."

https://techforum.tfl.gov.uk/t/symantec-ssl-tls-certificate-distrust/671/3
https://www.nhsbsa.nhs.uk: I can't spot a contact email for them, but they do have a Twitter account, https://twitter.com/NHSBSA. I don't have Twitter, so if anyone here who has Twitter would be willing to notify them, I'd appreciate it.
(In reply to rowan from comment #136)
> https://www.nhsbsa.nhs.uk: I can't spot a contact email for them, but they do
> have a Twitter account, https://twitter.com/NHSBSA. I don't have Twitter, so if anyone
> here who has Twitter would be willing to notify them, I'd appreciate it.

Sent an email to nhsbsa.dataprotection@nhs.net cc'ing nhsbsa.communicationsteam@nhs.net. Hope they will forward to the right team(s).
https://www.sendmail.org/ I've emailed them.

Thanks Albert for sorting the NHS!
FWIW, PayPal is fixed, they have DigiCert now.
London TFL has been fixed via DigiCert expiring 2020.
https://secure.goldpoint.co.jp/

sent a request to update their cert via the contact form.
https://mobile.free.fr/moncompte/ -> French mobile phone provider account login page.
bankmandiri.co.id has already changed their certificate to DigiCert.
sendmail.org said they'll replace it by October
https://www.marketforces.org.au/ -> contacted via email
---
https://secure.webdirections.org/ -> They will change it shortly
I am still receiving warnings when accessing https://login.frontier.com/webmail
FF just upgraded to 64.0a1
(In reply to dougskis@frontier.com from comment #150)
> I am still receiving warnings when accessing
> https://login.frontier.com/webmail
> FF just upgraded to 64.0a1

I assume they're your ISP? If so, it's probably best you email/phone them; they're more likely to respond to a customer than to anyone else randomly emailing them.
I contacted Frontier tech support, was told that their certificate does not expire until next year and to use a different browser to access my frontier.com email.
lol I'll send them one as well, trying to explain it more.
(In reply to rowan from comment #151)
> I assume they're your ISP? If so, it's probably best you email/phone them; they're
> more likely to respond to a customer than to anyone else randomly emailing them.

Oh, you're right. Dougskis, you could answer them again, if you're up for it.

In that case: dougskis, have you sent them these links, that explain it?
https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/

In any case: it's not just two browsers, it's literally all of them, except Microsoft, which will distrust in early 2019 (couldn't find any date).
And the upgrade to digicert is for free.

A few more links:
https://support.apple.com/en-us/HT208860
https://knowledge.digicert.com/alerts/ALERT2562.html

I'm a bit confused by this link right now:
https://knowledge.digicert.com/alerts/ALERT2530.html
It says certificates issued after 12.01.2018 are distrusted by Chrome and Safari right now.
The frontier certificate is from 19.01.2018 but is still being trusted by Chrome Release (haven't tested safari).
I do not have any problems with Google Chrome getting a certificate error accessing my webmail. I am not going to pursue it any further with Frontier; they must not be getting that many complaints. Cable is finally running down the street, and I will discontinue service with Frontier, as the fastest internet speed I can get now is 3 Mbps. I do get a certificate error with Safari on my MacBook. I use FF with it also.
I just like FF.
(In reply to comment #109)
> Also affected: subpages of one of Germany's larger newspapers, FAZ
> (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/,
> https://abo.faz.net/ and https://einspruch.faz.net

Hmm, only 50% fixed – epaper.faz.net & einspruch.faz.net are still affected; I did write them, Albert (comment 112) did, but still not a full success. Let's try again :-(

charts.reuters.com  (used by www.reuters.com) is also affected; I wrote them yesterday – let's see whether it will help.
https://www.rs-online.com/ if I remember in the morning I'll ping them an email
(In reply to rowan from comment #158)
> https://www.rs-online.com/ if I remember in the morning I'll ping them an
> email

I remembered and emailed them.
https://www.simplyscience.ch
I contacted them just now.
cardinalcommerce.com are planning to update the certificate tomorrow https://cardinalcommercecorporation.statuspage.io/incidents/268536hn4zzm
https://www.cas-education.de/

I sent them an e-mail.
https://sacramento.aero I've emailed them.
bankmandiri.co.id has already switched to DigiCert
I've contacted https://www.foyles.co.uk/.
https://www.suedtirolnews.it/ doesn't work (wrote them an email but got no reply)
epaper.faz.net and epaper.faz.net are still affected despite emails.
[Side note: one of my Chrome 70 has started rejecting Symantec certificates.]

http://livedrawsgp.biz doesn't work (wrote them an email but got no reply)
I've found a new one: https://epay.12306.cn/ this is the payment gateway for buying railway tickets in mainland China.

Summary: Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement → [meta] Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement
Product: Tech Evangelism → Web Compatibility

Almost all sites already migrated from Symantec, can no longer connect, or have an expired cert. There is no point in leaving this bug open.

Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED