Open Bug 1491498 Opened 6 years ago Updated 2 years ago

Include revocation errors in the clock skew errors list

Categories

(Firefox :: Security, defect, P3)

Tracking Status
firefox64 --- fix-optional
firefox65 --- affected
firefox66 --- affected

People

(Reporter: dakhmedova, Unassigned)

References

(Depends on 1 open bug, Blocks 2 open bugs)

Details

(Whiteboard: [cert-errors])

Attachments

(3 files)

Attached image EXPECTED_RESULT.png
Steps to Reproduce:
1. Change Date and Time of the OS.
2. Launch Nightly
3. Go to any website 

I added expected and actual result screenshots.
Attached image ACTUAL_RESULT.png
Assignee: nobody → jhofmann
Blocks: 1463693
Hm, I can't reproduce this, but I can believe that a wrong system time might cause trouble with OCSP.

To what did you change your OS time and date? Note that only setting backwards in time makes the new error page 100% reliable, since we have a few technical limitations in detecting if the system clock is too far in the future.

Dana, do you think we'll have to add this error code to the list of sites that get the "wrong system clock" treatment?
Assignee: jhofmann → nobody
Flags: needinfo?(dkeeler)
Whiteboard: [cert-errors][triage]
@jhofmann@mozilla.com 
I changed the date from 9/14/2018 to 9/11/2017. Time is the same.
I don't think that's directly due to an incorrect clock - from my reading of the code, we only return that error when the response was signed by a delegated certificate but the response doesn't contain a certificate that matches the responder ID in the response (see https://searchfox.org/mozilla-central/rev/6c82481caa506a240a626bb44a2b8cbe0eedb3a0/security/pkix/lib/pkixocsp.cpp#243 ).
Flags: needinfo?(dkeeler)
Damira, what happens if you set your clock back much further than 2017? e.g. 1990?
Flags: needinfo?(dakhmedova)
I changed to 1990 and got the following error code. I attached a screenshot.
Flags: needinfo?(dakhmedova)
Attached image 1990.png
Yeah, so I'd recommend that you always set the clock back a little further than just a year. To be clear, our project is not about detecting 100% of all system clock skew errors, but rather showing good error pages in those cases where we are 100% certain that it's because of system clock skew.

Not sure if we can close this or whether we still want to consider giving SEC_ERROR_OCSP_INVALID_SIGNING_CERT special treatment if the system clock is off.
Blocks: better-cert-errors
No longer blocks: 1463693
Priority: -- → P3
Summary: New Clock error page doesn't look like its expected. → Do we need to include SEC_ERROR_OCSP_INVALID_SIGNING_CERT in the clock skew errors?
Whiteboard: [cert-errors][triage] → [cert-errors]
Depends on: 1486551
Summary: Do we need to include SEC_ERROR_OCSP_INVALID_SIGNING_CERT in the clock skew errors? → Include revocation errors in the clock skew errors list
See Also: → 1539116
Severity: normal → S3