1486963 - MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED error description should link to bugzilla

Status: RESOLVED WONTFIX

(Firefox :: Security, defect)

Description

[Djfe]

Attachment: Screenshot

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Build ID: 20180827100129




Expected results:

Pls make this security error (see attached screenshot) also link to
https://bugzilla.mozilla.org/show_bug.cgi?id=1484006
so users can keep on adding affected sites to the list.

Maybe you could also link to
https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/
for a more detailed explanation.

Comment 1

[Rares Doghi, Desktop QA]

Hi,
Can you please add a few steps or links to the website that is causing this issue so we can reproduce it as well.

Comment 2

[Djfe]

Hi, you can literally try any link from the comments of the linked bug report.

for example:
https://www.johnlewis.com/
(it has a Symantec certificate at this point in time)

just open the page in the current nightly

Comment 3

[Rares Doghi, Desktop QA]

Thanks Djfe, I can reproduce this issue as well in the latest nightly 63.0a1 (2018-09-03).

Comment 4

[Oana Arbuzov [:oanaarbuzov]]

"Tech Evangelism" is not the place for this Feature request.

Comment 5

[Jared Wein [:jaws] (please needinfo? me)]

Dana, is there some larger plan to surface a webpage that people can report these defective sites? Shouldn't the "Report errors like this to help Mozilla identify and block malicious sites" checkbox already suffice?

Comment 6

[Djfe]

Good idea. In that case I would suggest a spreadsheet/table/db lists information like this:
domain
if there are several Subdomains of the same domain, then they should be grouped
certificate authority (the sub below symantec: Thawte etc.)

boolean: (could be one column with phase 1-4)
certificate is valid after 23. Okt. 2018
operator was informed
operator answered and is going to fix it
fixed

reported on (date)
reported by
thread/comment url


this table could be sortable and searchable

it takes some effort to do this of course but it would be a lot better as an overview

the page could display a pie diagram to show percentage of the phase column :)

Comment 7

[Djfe]

reported by could also get the value anonymous

there could be another pie diagram for the top 10 contributors (rounded up)

Comment 8

[Dana Keeler (she/her) (use needinfo) [:keeler]]

(In reply to Jared Wein [:jaws] (please needinfo? me) from comment #5)
> Dana, is there some larger plan to surface a webpage that people can report
> these defective sites? Shouldn't the "Report errors like this to help
> Mozilla identify and block malicious sites" checkbox already suffice?

I'm not aware of any such plans (although that is a good idea we probably should have considered). I believe DigiCert has assured us that all affected customers have been informed of the issue, so at this point either their technical contacts are out of date or the sites just haven't been able to update their certificates yet for whatever reasons.

We certainly could use the data from the error reporting to identify affected sites - I can talk to mgoodwin about that.

In terms of this bug, though, I'm skeptical that we want to link to a bugzilla bug in the product and tell users to add on to it.

Comment 9

[Jared Wein [:jaws] (please needinfo? me)]

Yeah, I agree we should not be linking to Bugzilla. I think we should close this bug and open a new one in a different component (not sure which one) to monitor the data reporting.

Comment 10

[Djfe]

Where can I find the follow-up? (ticket id)