Closed Bug 1484006 Opened 2 years ago Closed 4 months ago
[meta] Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement
Bug #1460062 implements the distrust of any TLS certificate that chains up to an old Symantec root, regardless of when it was issued.
Reference: https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/
On August 14, 2018, users of Firefox Nightly (FF 63) started getting the MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED error for websites whose SSL certificates still chain up to the old Symantec root certs.
The purpose of this bug is for Firefox Nightly users to report the websites for which they run into this error, rather than filing a bug for each problematic site.
I have closed Bug #1436062, since it was in regards to the previous phase of the distrust of the old Symantec roots.
Here's a list of the sites that were reported in that bug, but are in regards to the current phase.
https://www.orange.fr/
https://www.hsbc.fr
https://my.ebay.co.uk/
https://www.johnlewis.com/
https://www.pcworld.co.uk/
https://www.currys.co.uk/
https://www.southwesttrains.co.uk/
https://home.bt.com/
https://www.o2.co.uk/
https://oyster.tfl.gov.uk/
odeon.co.uk
cineworld.co.uk
myvue.com
https://www.mcdonalds.com
https://www.addisonlee.com/
https://uk.lush.com/
https://www.free.fr/
https://www.republicservices.com/
bofa online banking billpay page
Enforcement of this error can be disabled by setting security.pki.distrust_ca_policy to '1' in about:config. Changing the value back to '2' will re-enable this change. If you choose to make this change, please heed the warnings presented when accessing about:config.
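The rule in the description (any chain that ends in an old Symantec root is rejected, no matter when the leaf was issued) can be checked against a site's own certificate chain before the release builds enforce it. The Go program below is an added example, not Mozilla's or NSS's code: it builds a constructed three-certificate chain in memory (the root Organization strings, the host name shop.example.test and all function names are invented here), verifies the leaf with crypto/x509, and flags the chain when its root carries one of the legacy Symantec brand names. Matching on the root's Organization is an illustrative stand-in for the root fingerprint list Firefox actually applies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Brands of the old Symantec PKI (the page names Symantec, Thawte and GeoTrust;
// VeriSign, RapidSSL and Equifax fall under the same distrust). Matching on the
// root's Organization is an illustrative heuristic, not Firefox's fingerprint list.
var legacySymantecBrands = []string{"symantec", "verisign", "thawte", "geotrust", "rapidssl", "equifax"}

// IsLegacySymantecRoot reports whether a root belongs to the old Symantec PKI.
func IsLegacySymantecRoot(root *x509.Certificate) bool {
	orgs := strings.ToLower(strings.Join(root.Subject.Organization, " "))
	for _, brand := range legacySymantecBrands {
		if strings.Contains(orgs, brand) {
			return true
		}
	}
	return false
}

// ChainsToLegacyRoot verifies leaf and returns true when every valid chain ends in
// a legacy Symantec root. As in the bug description, the leaf's issuance date is irrelevant.
func ChainsToLegacyRoot(leaf *x509.Certificate, intermediates, roots *x509.CertPool) (bool, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	if err != nil {
		return false, err
	}
	for _, chain := range chains {
		if !IsLegacySymantecRoot(chain[len(chain)-1]) {
			return false, nil // some trusted path avoids the old roots
		}
	}
	return true, nil
}

// newCert builds a constructed sample certificate: self-signed when parentCert is nil,
// a CA when isCA is set, otherwise a minimal end-entity certificate.
func newCert(serial int64, org string, isCA bool, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org},
		NotBefore:             time.Date(2018, 1, 19, 0, 0, 0, 0, time.UTC), // predates the distrust on purpose
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parentCert == nil {
		parentCert, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CheckSampleChain builds root -> intermediate -> leaf under a root with the given
// Organization and reports whether the leaf would be caught by the distrust rule.
func CheckSampleChain(rootOrg string) (bool, error) {
	root, rootKey, err := newCert(1, rootOrg, true, nil, nil)
	if err != nil {
		return false, err
	}
	inter, interKey, err := newCert(2, "Sample Intermediate CA", true, root, rootKey)
	if err != nil {
		return false, err
	}
	leaf, _, err := newCert(3, "Example Shop Ltd", false, inter, interKey)
	if err != nil {
		return false, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return ChainsToLegacyRoot(leaf, inters, roots)
}

func main() {
	for _, org := range []string{"Symantec Corporation (sample)", "DigiCert Inc (sample)"} {
		hit, err := CheckSampleChain(org)
		fmt.Printf("root %q -> flagged as legacy Symantec: %v (error: %v)\n", org, hit, err)
	}
}
```

To check a real site, replace the constructed chain with the certificates the server actually sends (for example the PEM blocks printed by `openssl s_client -showcerts`, parsed with x509.ParseCertificate) and pass x509.SystemCertPool() as the roots. A true result means the certificate has to be reissued from a CA outside the old Symantec hierarchy; waiting for its expiry date does not help, because the distrust ignores the issuance date.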
paypal is also affected, rather major bug
https://www.autotrader.co.uk/ https://www.santander.co.uk/ https://www.nationwide.co.uk/ are what I've hit so far.
https://www.etymonline.com/ is one I just ran into.
https://bahn.de (one of the biggest (probably the biggest?) public transport providers in Germany)
as per bug 1483734:
https://online.sberbank.ru/
https://www.my.commbank.com.au/
https://www.paypal.com/
several subdomains on ebay:
https://www.ebay.de/itm/Gamer-PC-ASUS-AMD-Ryzen-3-2200G-4x3-7GHz-256GB-SSD-DDR4-Komplett-PC-System-/392054494595 iframe: https://screenshots.firefox.com/p49KeXQavMeNGGKa/www.ebay.de
https://www.ebay.com/itm/HP-10-P010NR-10-1-Touch-Laptop-Intel-Atom-X5-Z8350-1-44GHz-2GB-32GB-Windows-10/263455736394 iframe: https://screenshots.firefox.com/snB1YvfYHAoM5NQv/www.ebay.com
Should this bug rather live under "Tech Evangelism" as it is about something the owners of those sites have to change?
https://scgi.ebay.com.au (e.g. serving verification codes for form submission) Screenshot: https://screenshots.firefox.com/UJZpXJEAuTyvCgZS/contact.ebay.com.au
Add https://secure.osp.ovh.com/ to the list.
https://netvibes.com is broken because cdn.netvibes.com uses a Symantec certificate.
Assignee: nobody → nobody
Component: CA Certificates Code → Desktop
Product: NSS → Tech Evangelism
Version: 3.35 → unspecified
(In reply to Albert Scheiner [:alberts] from comment #12)
> Should this bug rather live under "Tech Evangelism" as it is about something
> the owners of those sites have to change?
Good point. I updated the bug component/product. Thanks.
2 of 4 Japanese major bank sites are blocked due to Symantec EV cert: https://web.ib.mizuhobank.co.jp/ https://www.resonabank.co.jp/
another affected site: https://www.docusign.net - the home page still works, but after login it no longer works. --> https://na2.docusign.net/member/MemberLogin.aspx?ReturnUrl=/Member
https://www.surugabank.co.jp/ (Planning to fix the situation)
https://www.jcb.co.jp/ (Planning to fix the situation)
https://faq.jcb.co.jp/ (Planning to fix the situation)
https://jcb.custhelp.com/ (Planning to fix the situation)
https://www.okidokiland.com/
https://www2.cr.mufg.jp/
https://mail.ocn.ne.jp/
https://sp5971.jal.co.jp/
I know ebay is already in here for a bunch of domains, but there's also: https://cgi5.ebay.com Which seems to be used for selling items. Also: https://1eaf.cardinalcommerce.com/ Which was used by homedepot.com to do the verified by AmEx (and presumably verified by VISA) thing.
You can add the Playstation Store to the list of sites https://store.playstation.com
Ameriprise Financial login https://www.ameriprise.com/client-login/
Navy Federal Credit Union's online Banking: https://myaccounts.navyfederal.org First National Bank of Pennsylvania's online banking: https://banking.fnb-onlinebankingcenter.com (the general sales-pitch landing page for both institutions is fine, it's just the online banking area that's using a Symantec cert in both cases)
https://www.lhv.ee/ (Estonian bank heavily relying on online banking) fails as well.
https://www.intel.co.jp/ (Intel Driver & Support Assistant Tray is affected)
Updated info for comment #30 and comment #37.
Sites below will be fixed before 2018-10-16.
https://www.5971.jal.co.jp/
https://www121.jal.co.jp/
https://sp.jal.co.jp/
https://intltoursearch.jal.co.jp/
https://sp5971.jal.co.jp/
https://www.jcb.co.jp/
https://faq.jcb.co.jp/
https://www.okidokiland.com/
https://jcb.custhelp.com/
https://www.surugabank.co.jp/
The site below is now fixed.
https://trafficinfo.westjr.co.jp/
I can not enter https://www.thesims3.com without getting this error and there is no option to add this public site to an exception list. I am using the Nightly browser.
add BMO Harris Bank bill pay to the list please
https://particuliers.societegenerale.fr/ (subdomain related to pictures and CSS)
https://www.horizonblue.com is another site affected by this.
https://www.freedommobile.ca/ GeoTrust EV
https://www.miele.at/ (household appliances, Symantec cert)
A more tricky one is https://hotspot.t-mobile.net/TD/hotspot/MUC_Airport/en_GB/index.html which is the entrance page to free wifi at MUC airport (apparently the domain is only reachable from their wifi hotspots, but I guess T-Mobile Germany / Deutsche Telekom is the operator).
https://www.arborday.org/ https://www.arbordayfarm.org/ https://www.liedlodge.org/ I messaged @arborday on Twitter, FWIW.
Got it this morning. I cannot access PayPal when I wanted to buy an album on Bandcamp. I had to use Chromium instead :(
(In reply to Frederic Bezies from comment #69)
> Got it this morning. I cannot access PayPal when I wanted to buy an album
> on Bandcamp. I had to use Chromium instead :(
as mentioned in comment 3 above
> Enforcement of this error can be disabled by setting security.pki.distrust_ca_policy to '1' in about:config.
> Changing the value back to '2' will re-enable this change. If you choose to make this change, please heed the
> warnings presented when accessing about:config.
alternatively you could use Firefox Beta or Developer Edition for the time being.
You can remove Com Bank from the list. I had a chat to them on Facebook and they have fixed the issue. Likely someone should reach out to orgs listed on this list and give them a gentle prod. Paypal and Ebay in particular. (I haven't needed to try Ebay but Paypal was out when I used it yesterday.)
(In reply to Yani from comment #71)
> You can remove Com Bank from the list. I had a chat to them on Facebook and
> they have fixed the issue. Likely someone should reach out to orgs listed on
> this list and give them a gentle prod. Paypal and Ebay in particular. (I
> haven't needed to try Ebay but Paypal was out when I used it yesterday.)
Yani, Thank you for reaching out to the owner of a website, to let them know that they needed to update their SSL certs!
All, seems like a great idea to me... If you can reach out to the owners of the websites that you use, they might fix their webserver certs quickly. I suppose it is possible that owners of the smaller websites may not be aware that their sites are starting to break due to the planned distrust of the old Symantec roots.
I've reached out to a few:
ovh: No response
virgin money: They forwarded my request to another dept, no response since
nationwide: They said they have updates coming soon but didn't specify a date
odeon: Couldn't find an email to send to.
paypal: Got forwarded to another dept, no response since.
myvue: No response
It may be the cynic in me, but I'd bet that a large portion of the sites listed here will only replace their certs either just before this hits the stable channels (in Chrome or Firefox, whichever comes first) or will panic once they get inundated by people complaining after it hits stable.
I also think this has already hit Safari; my wife has an iPhone and myvue.com throws a security warning for her.
https://suchen.mobile.de/ is affected as well
https://www.agcom.it/ AGCOM is the Italian communication authority. No response from their webmasters so far.
(In reply to Florent from comment #68)
> https://www.oui.sncf/
I pinged Oui.SNCF on twitter about this and via a few internal contacts I have. Wait'n see
German ISPs
https://www.netaachen.de/
https://account.1und1.de/
https://hilfe-center.1und1.de/
I tried to contact both of them. (We'll see if they'll answer)
https://www.netcologne.de/
Some German cities:
https://www.bocholt.de/
https://www.borken.de/
https://www.muenster.de/
German public transport
https://www.vrr.de/
https://www.puenktlichkeitsversprechen.de
Don't know if they're listed but you can add:
https://www.pole-emploi.fr/accueil/ -> French employment services
https://www.cdiscount.com/ -> French Amazon-like online shopping
(In reply to Frederic Bezies from comment #85)
> Don't know if they're listed but you can add:
>
> https://www.pole-emploi.fr/accueil/ -> French employment services
> https://www.cdiscount.com/ -> French Amazon-like online shopping
I contacted pole-emploi one week ago by email, the change is planned.
(In reply to Guillaume Démésy [:magsout] from comment #86)
> (In reply to Frederic Bezies from comment #85)
> > Don't know if they're listed but you can add:
> >
> > https://www.pole-emploi.fr/accueil/ -> French employment services
> > https://www.cdiscount.com/ -> French Amazon-like online shopping
>
> I contacted pole-emploi one week ago by email, the change is planned.
Thanks for the info. Looks like a lot of sites are broken... When Mozilla Firefox 63 is released, there is going to be a lot of shouting...
(In reply to Frederic Bezies from comment #88)
> Thanks for the info. Looks like a lot of sites are broken... When Mozilla
> Firefox 63 is released, there is going to be a lot of shouting...
Maybe, esp. because those sites will break in Chrome release at just about the same time: "Around the week of October 23, 2018, Chrome 70 will be released, which will fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued." https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
So at least the shouting will not be about Mozilla/Firefox only, I hope, as AFAIK all major browser vendors will distrust Symantec at about the same time (Chrome Canary has the same "issues" as Firefox Nightly with this right now, from what I hear).
Also reproducible on the Help section of https://www.scottishpower.co.uk/
(In reply to Gingerbread Man from comment #65)
> https://mabanque.fortuneo.fr as per bug 1486222
Fortuneo acknowledged the issue and replied on twitter that SSL certificate updates are planned soon: https://twitter.com/fortuneo/status/1034708546364076032
(In reply to Florent from comment #80)
> (In reply to Florent from comment #68)
> > https://www.oui.sncf/
>
> I pinged Oui.SNCF on twitter about this and via a few internal contacts I
> have.
>
> Wait'n see
I also had feedback from Oui.SNCF. They are aware of the issue and an update with certificates issued by COMODO is planned in September.
Add https://www.leekunited.co.uk to the list. I've pinged them an email.
https://cnnindonesia.com (CNN Indonesia, the global CNN site uses GlobalSign certificate)
https://kemdikbud.go.id (Indonesia's Ministry of Education website)
(In reply to rowan from comment #14)
> Add https://secure.osp.ovh.com/ to the list.
I contacted them by Twitter https://mobile.twitter.com/magsout/status/1031426967558647808
https://myservices.brighthouse.com/ is another one.
I do not receive a certificate notice anymore on https://login.frontier.com/webmail on Windows computer but I still get a warning with my Macbook Pro computer when accessing https://login.frontier.com/webmail. Just an FYI. Have cleared cookies and history.
(In reply to Gingerbread Man from comment #60)
> As per bug 1486041
> https://yourfnbbank.com
> https://fnbsal.secure.fundsxpress.com
certs have been updated on the aforementioned sites. Working now under version 63.0a1 "nightly".
https://login.openathens.net - I've emailed their support.
Also affected: subpages of one of Germany's larger newspapers, FAZ (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/, https://abo.faz.net/ and https://einspruch.faz.net
Further to comment 6, https://www.iso10383.org/ is no longer affected. I can also no longer find any affected links run by SWIFT from the list at https://viewdns.info/reversewhois/?q=S.W.I.F.T.+SCRL (known: lots of these do not point at a website or just redirect to https://www.swift.com ).
https://www.equabank.cz/, which uses Thawte SSL (Symantec group), is also affected.
(In reply to Tobias Burnus from comment #109)
> Also affected: subpages of one of Germany's larger newspaper FAZ
> (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/,
> https://abo.faz.net/ and https://einspruch.faz.net
I sent an email to email@example.com.
Another one: https://webmail.free.fr/ = webmail interface from a French ISP.
https://kakaocorp.com Kakao, a South Korean tech company (AFAIK it is still using Thawte)
https://www.nationwide.co.uk is now fixed.
(In reply to Kathleen Wilson from comment #1)
> I have closed Bug #1436062, since it was in regards to the previous phase of
> the distrust of the old Symantec roots.
Haven't made it through all of them, but some
> Here's a list of the sites that were reported in that bug, but are in
> regards to the current phase.
These work for me => seem fixed:
> https://www.orange.fr/
> https://www.hsbc.fr
> https://my.ebay.co.uk/
> https://www.johnlewis.com/
> https://www.o2.co.uk/
I have sent emails to these:
> https://www.pcworld.co.uk/
> https://www.currys.co.uk/
> https://home.bt.com/
> https://oyster.tfl.gov.uk/
and this one is a "Bad Cert Domain" rather than Symantec:
> https://www.southwesttrains.co.uk/
These ones are still broken and need to be contacted:
> odeon.co.uk
> cineworld.co.uk
> myvue.com
> https://www.mcdonalds.com
> https://www.addisonlee.com/
> https://uk.lush.com/
> https://www.free.fr/
> https://www.republicservices.com/
> bofa online banking billpay page
https://jakarta.go.id (Official website of Government of Jakarta, Indonesia)
https://www.ticketpro.cz/jnp/home/index.html also does not work.
https://online.virginmoney.com/ is now fixed.
https://www.southwesttrains.co.uk/ Local knowledge: This company essentially no longer exists. The ludicrous muddle of "privatising" a natural monopoly in the form of Britain's railways means companies like South West Trains run "franchises" which run for some period of time, and they can be outbid when renewing the franchise. The exact same trains, with the same employees, running the same services, but with new paint or in some cases stickers, are now South Western Railway as opposed to South West Trains, a legally different company and different beneficial owners. So even if South West Trains legally does still operate that site, or it's being operated by South Western Railway instead after the transition, it is unlikely they'll fix it. Fortunately passengers were at the wrong site anyway, when they Google they'll end up at SWR. In a sense the blame, as usual, lies with the ideologues who made this mess necessary.
https://hoyts.co.nz One of the larger cinema chains in New Zealand
https://webpayments.billmatrix.com is broken as well. It is a web payment portal.
https://c.xkcd.com/ which is used for xkcd's random function. I've sent an email about it.
(In reply to Bob from comment #125) > https://toolbox3.iinet.net.au/login i've reached out to iinet.
Contacted jakarta.go.id site author via Twitter: https://twitter.com/ReinPre10/status/1038085227573272578?s=19
Transport for London TechForum post added: https://techforum.tfl.gov.uk/t/symantec-ssl-tls-certificate-distrust/671/
https://bankmandiri.co.id (Mandiri Bank, Indonesia)
Am I supposed to report inaccessible domains here? I've found two Chinese sites:
https://passport.biligame.com owned by the video site bilibili
*.b0.upaiyun.com, owned by the CDN provider upyun, used for customers' resources, e.g. https://lilyimg.b0.upaiyun.com/blog/prctl-subreap/htop-awesome-tree.png
> Am I supposed to report inaccessible domains here?
If it's bringing up the security warning like this one does then yep!
Response from London's TFL "We are aware".. "attempted to update the certs to a new provider last week but there were issues that we had to request re-issue of the cert.".. "to attempt this again this week and we should be able to get the new certificate before the Firefox and Chrome updates come in to place for non-beta users." https://techforum.tfl.gov.uk/t/symantec-ssl-tls-certificate-distrust/671/3
https://www.img-bahn.de (CDN server for the website bahn.de) From https://github.com/webcompat/web-bugs/issues/18729
https://www.nhsbsa.nhs.uk I can't spot a contact email for them, but they do have a twitter: https://twitter.com/NHSBSA I don't have twitter, so if anyone here that has twitter would be willing to notify them I'd appreciate it.
(In reply to rowan from comment #136)
> https://www.nhsbsa.nhs.uk I can't spot a contact email for them but they do
> have a twitter https://twitter.com/NHSBSA I don't have twitter so if anyone
> here that has twitter would be willing to notify them I'd appreciate it.
Sent an email to firstname.lastname@example.org cc'ing email@example.com. Hope they will forward to the right team(s).
https://www.sendmail.org/ I've emailed them. Thanks Albert for sorting the NHS!
FWIW, PayPal is fixed, they have DigiCert now.
London TFL has been fixed via DigiCert expiring 2020.
https://secure.goldpoint.co.jp/ sent a request to update their cert via the contact form.
https://secure.webdirections.org/ -> I sent an email
https://mobile.free.fr/moncompte/ -> French mobile phone provider account login page.
bankmandiri.co.id has already changed their certificate to DigiCert.
sendmail.org said they'll replace it by October
actcorp.in via Reddit post https://www.reddit.com/r/firefox/comments/9i6uim/this_website_doesnt_seen_to_open_only_in_firefox/
https://www.marketforces.org.au/ -> contacted via email --- https://secure.webdirections.org/ -> They will change it shortly
I am still receiving warnings when accessing https://login.frontier.com/webmail FF just upgraded to 64.0a1
(In reply to firstname.lastname@example.org from comment #150)
> I am still receiving warnings when accessing
> https://login.frontier.com/webmail
> FF just upgraded to 64.0a1
I assume they're your ISP? If so, probably best you email/phone them; they're more likely to respond to a customer than anyone else randomly emailing them.
I contacted Frontier tech support, was told that their certificate does not expire until next year and to use a different browser to access my frontier.com email.
lol I'll send them one as well, trying to explain it more.
(In reply to rowan from comment #151)
> I assume they're your ISP? If so probably best you email/phone them they're
> more likely to respond to a customer than anyone else randomly emailing them.
oh, you're right. Dougskis, you could answer them again, if you're up for it.
In that case: dougskis, have you sent them these links, that explain it?
https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
https://www.digicert.com/blog/our-latest-symantec-distrust-guidance-apple/
In any case: It's not just two browsers, it's literally all of them, except Microsoft, who will distrust in early 2019 (couldn't find any date). And the upgrade to DigiCert is for free.
A few more links:
https://support.apple.com/en-us/HT208860
https://knowledge.digicert.com/alerts/ALERT2562.html
I'm a bit confused by this link right now: https://knowledge.digicert.com/alerts/ALERT2530.html
It says certificates issued after 12.01.2018 are distrusted by Chrome and Safari right now. The frontier certificate is from 19.01.2018 but is still being trusted by Chrome Release (haven't tested Safari).
I do not have any problems with Google Chrome getting a certificate error accessing my webmail. I am not going to pursue it any further with Frontier; they must not be getting that many complaints. Cable is finally running down the street and I will discontinue service with Frontier, as the fastest internet speed I can get now is 3 mbps. I do get a certificate error with Safari with my Macbook computer. I use FF with it also. I just like FF.
(In reply to comment #109)
> Also affected: subpages of one of Germany's larger newspaper FAZ
> (https://faz.net), namely: https://plus.faz.net/, https://epaper.faz.net/,
> https://abo.faz.net/ and https://einspruch.faz.net
Hmm, only 50% fixed – epaper.faz.net & einspruch.faz.net are still affected; I did write them, Albert (comment 112) did, but still not a full success. Let's try again :-(
charts.reuters.com (used by www.reuters.com) is also affected; I wrote them yesterday – let's see whether it will help.
https://www.pernsteiner.net/ => sent an email
https://www.rs-online.com/ if I remember in the morning I'll ping them an email
(In reply to rowan from comment #158) > https://www.rs-online.com/ if I remember in the morning I'll ping them an > email I remembered and emailed them.
https://www.simplyscience.ch I contacted them just now.
cardinalcommerce.com are planning to update the certificate tomorrow https://cardinalcommercecorporation.statuspage.io/incidents/268536hn4zzm
https://www.cas-education.de/ I sent them an e-mail.
https://sacramento.aero I've emailed them.
bankmandiri.co.id has already switched to DigiCert
https://login.xunlei.com https://login2.xunlei.com https://login3.xunlei.com Login page of a popular Chinese website.
I’ve contacted https://www.foyles.co.uk/.
https://www.suedtirolnews.it/ doesn't work (I wrote them an email but got no reply).
epaper.faz.net and epaper.faz.net are still affected despite emails.
[Side note: one of my Chrome 70 has started rejecting Symantec certificates.]
Summary: Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement → [meta] Sites getting MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED errors in Firefox 63 due to Symantec distrust enforcement
Product: Tech Evangelism → Web Compatibility
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED