Open Bug 1486551 Opened 6 years ago Updated 3 years ago

Turn cert revocation error pages into (non-overridable) certificate error pages

Categories: Firefox :: Security, enhancement (63 Branch)

Tracking: Target Milestone: Future

People: Reporter: kathleen.a.wilson; Assignee: Unassigned

References: Blocks 2 open bugs

Details: Whiteboard: [cert-errors]

For other cert errors, you can click on the "More..." button to get an error code with a link, and when you click on the link it provides the Certificate Chain that you can "Copy text to clipboard", so you can figure out what's going on. Please add this capability to the non-overridable errors, such as SEC_ERROR_REVOKED_CERTIFICATE. Not having this ability forces me to use a different browser to get the Certificate Chain info that I need.
Kathleen, Dana, does it make sense to rephrase this as "Make SEC_ERROR_REVOKED_CERTIFICATE a certificate error page"? Currently this seems to be treated as a neterror, which doesn't sound right to me.
Flags: needinfo?(kwilson)
Flags: needinfo?(dkeeler)
Yes, but we have to be a bit careful: in the past, we've basically said "errors that result in net error pages are not overridable" and "errors that result in cert error pages are overridable (modulo HSTS)". If we make SEC_ERROR_REVOKED_CERTIFICATE and others result in the cert error page, we have to make sure it's never overridable and that our UI never makes it look like it could be overridable. (But to be clear, I think this is something we can and should do.)
Flags: needinfo?(dkeeler)
Ok, thanks, maybe we'll leave it phrased like this, for now.
Flags: needinfo?(kwilson)
Whiteboard: [cert-errors][triage]
Priority: -- → P3
Whiteboard: [cert-errors][triage] → [cert-errors]
Summary: Add ability to get cert chain from SEC_ERROR_REVOKED_CERTIFICATE error window → Turn cert revocation error pages into (non-overridable) certificate error pages
Target Milestone: --- → Future
Severity: normal → --
Type: defect → enhancement
Component: Security: PSM → Security
Priority: P3 → --
Product: Core → Firefox

If you look for a workaround, the given advice is to disable OCSP (or to switch to another browser), which makes a higher security issue than allowing a temporary bypass with a clear risk warning!
