Open
Bug 1491498
Opened 6 years ago
Updated 2 years ago
Include revocation errors in the clock skew errors list
Categories
(Firefox :: Security, defect, P3)
Tracking
NEW
Tracking | Status | |
---|---|---|
firefox64 | --- | fix-optional |
firefox65 | --- | affected |
firefox66 | --- | affected |
People
(Reporter: dakhmedova, Unassigned)
References
(Depends on 1 open bug, Blocks 2 open bugs)
Details
(Whiteboard: [cert-errors])
Attachments
(3 files)
Steps to Reproduce:
1. Change Date and Time of the OS.
2. Launch Nightly
3. Go to any website

I added expected and actual result screenshots.
Reporter
Comment 1•6 years ago
Comment 2•6 years ago
Hm, I can't reproduce this but I can believe that a wrong system time might cause troubles with OCSP. To what did you change your OS time and date? Note that only setting backwards in time makes the new error page 100% reliable, since we have a few technical limitations in detecting if the system clock is too far in the future. Dana, do you think we'll have to add this error code to the list of sites that get the "wrong system clock" treatment?
Assignee: jhofmann → nobody
Flags: needinfo?(dkeeler)
Updated•6 years ago
Whiteboard: [cert-errors][triage]
Reporter
Comment 3•6 years ago
@jhofmann@mozilla.com I changed the date from 9/14/2018 to 9/11/2017. Time is the same.
I don't think that's directly due to an incorrect clock - from my reading of the code, we only return that error when the response was signed by a delegated certificate but the response doesn't contain a certificate that matches the responder ID in the response (see https://searchfox.org/mozilla-central/rev/6c82481caa506a240a626bb44a2b8cbe0eedb3a0/security/pkix/lib/pkixocsp.cpp#243 ).
Flags: needinfo?(dkeeler)
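The condition described in the comment above, as an added example that is not part of the original bug and is not mozilla::pkix code: a simplified C++ model of matching an OCSP responder ID (by name or by key hash, as in RFC 6960) against the issuer and the certificates embedded in the response. All type and function names and the sample values are hypothetical.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified model: real responses are DER-encoded; these string fields are assumptions.
enum class IdKind { ByName, ByKey };
struct ResponderId { IdKind kind; std::string value; };  // DN, or hex SHA-1 of the key
struct Cert { std::string subject; std::string keyHash; };

enum class Signer { Issuer, Delegate, InvalidSigningCert };
struct Lookup { Signer result; std::string subject; };

static bool Matches(const ResponderId& id, const Cert& cert) {
  return id.kind == IdKind::ByName ? id.value == cert.subject
                                   : id.value == cert.keyHash;
}

// Decide which certificate the responder ID points at. Signature verification and
// checks on the delegate itself (issuer, OCSP-signing EKU, validity) are not modelled.
Lookup FindSigner(const ResponderId& id, const Cert& issuer,
                  const std::vector<Cert>& included) {
  if (Matches(id, issuer)) return {Signer::Issuer, issuer.subject};
  for (const Cert& cert : included) {
    if (Matches(id, cert)) return {Signer::Delegate, cert.subject};
  }
  // Delegated response, but no embedded certificate matches the responder ID.
  return {Signer::InvalidSigningCert, ""};
}

// Constructed sample data, not taken from any real response.
const Cert kIssuer{"CN=Example CA", "aa11"};
const Cert kDelegate{"CN=Example OCSP Responder", "bb22"};

int main() {
  Lookup ok = FindSigner({IdKind::ByKey, "bb22"}, kIssuer, {kDelegate});
  Lookup bad = FindSigner({IdKind::ByKey, "bb22"}, kIssuer, {});
  std::cout << (ok.result == Signer::Delegate) << " "
            << (bad.result == Signer::InvalidSigningCert) << "\n";
  return 0;
}
```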
Comment 5•6 years ago
Damira, what happens if you set your clock back much further than 2017? e.g. 1990?
Flags: needinfo?(dakhmedova)
Reporter
Comment 6•6 years ago
I changed to 1990 and got the following error code. I attached a screenshot.
Flags: needinfo?(dakhmedova)
Reporter
Comment 7•6 years ago
Comment 8•6 years ago
Yeah, so I'd recommend you to always set the clock back a little further than just a year. To be clear, our project is not about detecting 100% of all system clock skew errors, but rather showing good error pages in those cases where we are 100% certain that it's because of system clock skew. Not sure if we can close this or whether we still want to consider giving SEC_ERROR_OCSP_INVALID_SIGNING_CERT a special treatment if the system clock is off.
Updated•6 years ago
Priority: -- → P3
Summary: New Clock error page doesn't look like its expected. → Do we need to include SEC_ERROR_OCSP_INVALID_SIGNING_CERT in the clock skew errors?
Updated•6 years ago
Whiteboard: [cert-errors][triage] → [cert-errors]
Updated•5 years ago
Depends on: 1486551
Summary: Do we need to include SEC_ERROR_OCSP_INVALID_SIGNING_CERT in the clock skew errors? → Include revocation errors in the clock skew errors list
Updated•5 years ago
status-firefox64: --- → fix-optional
status-firefox65: --- → affected
status-firefox66: --- → affected
Updated•2 years ago
Severity: normal → S3