Open Bug 1539123 Opened 10 months ago Updated 8 months ago

"Incorrect clock" SSL warning changes to MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE when clicking "More Information" after fixing clock

Categories

(Firefox :: Security, defect, P3)

66 Branch
defect

UNCONFIRMED

People

(Reporter: public, Unassigned)

References

(Blocks 1 open bug)

Attachments

(4 files)

Attached image intial-warning.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

  1. Change system clock to last year
  2. Navigate to an HTTPS site
  3. Note the warning advising to fix the system clock
  4. Fix the system clock as advised
  5. Click "More Information" button
  6. Note that the warning changed slightly

Actual results:

The warning page changes to become a more serious warning (yellow border included), as it no longer seems to be sure that the issue is with the system clock (despite the issue actually being resolved now). Additionally, the warning is slightly broken, as the date is missing in the sentence: "Your computer clock is set to ."
This happens whenever you press the "More Information" button to either expand or collapse the extra details.

Expected results:

The warning shouldn't change to a different warning, as the page hasn't been reloaded yet.

Attached image expected-result.png

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
20190322013140

(In reply to Matt from comment #0)

  3. Note the warning advising to fix the system clock

I can't reproduce this with the following STR:

  1. Set system date to last year.
  2. Start Firefox in a brand new profile.
  3. https://duckduckgo.com

AR
Secure Connection Failed

An error occurred during a connection to duckduckgo.com. The OCSP response is not yet valid (contains a date in the future). Error code: SEC_ERROR_OCSP_FUTURE_RESPONSE

It's the same with https://www.mozilla.org while https://en.wikipedia.org shows SEC_ERROR_OCSP_INVALID_SIGNING_CERT instead.
Correcting the system date and clicking the "Try Again" buttons loads the pages normally.

Component: Untriaged → Security
Summary: "Incorrect clock" SSL warning changes when clicking "More Information" after fixing clock → "Incorrect clock" SSL warning changes to MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE when clicking "More Information" after fixing clock

It seems that sites that use OCSP stapling overwrite the user-friendly clock warning with a cryptic one. You'll need to try a site that doesn't use it, such as https://badssl.com (or one of the valid sub-domains if you already have the cert cached), and perhaps set the date to be earlier (2000), as the cert is still valid in 2018.

Attached video reproduction.mp4

Recording on the current nightly (2019-03-26) on badssl.com

Prathiksha is re-working a lot about these pages right now and might fix this on the way. We should check back some time later.

Priority: -- → P3
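
The reproduction conditions discussed in this thread (OCSP-stapling sites reporting SEC_ERROR_OCSP_FUTURE_RESPONSE, and a certificate that is still valid with the clock set to 2018) can be modelled as below. This is an added example, not Firefox code or anything posted by the participants. The function names, the check order and all dates are assumptions constructed for illustration.

```javascript
// Added illustration, not Firefox code.
// Assumption: a timing error on a stapled OCSP response is reported in
// preference to the certificate's own validity error, matching the
// observation in the thread that stapling sites never show the clock warning.
function classifyWithClock(now, cert, stapledOcsp) {
  if (stapledOcsp && now < stapledOcsp.thisUpdate) {
    return "SEC_ERROR_OCSP_FUTURE_RESPONSE";
  }
  if (now < cert.notBefore) {
    return "MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE";
  }
  if (now > cert.notAfter) {
    return "SEC_ERROR_EXPIRED_CERTIFICATE";
  }
  return "OK";
}

// Constructed sample data (not the real certificates of any site).
const d = (s) => new Date(s + "T00:00:00Z");
const staplingSite = {
  cert: { notBefore: d("2017-11-01"), notAfter: d("2019-11-01") },
  ocsp: { thisUpdate: d("2019-03-25") }, // stapled response issued "today"
};
const plainSite = {
  cert: { notBefore: d("2017-03-18"), notAfter: d("2020-03-18") },
  ocsp: null, // no stapled response
};

// Evaluate each local-clock setting mentioned in the thread.
function reproductionMatrix() {
  const run = (clock, site) =>
    classifyWithClock(d(clock), site.cert, site.ocsp);
  return {
    staplingLastYear: run("2018-03-26", staplingSite), // OCSP error wins
    plainLastYear: run("2018-03-26", plainSite),       // cert already valid
    plainYear2000: run("2000-03-26", plainSite),       // clock before notBefore
    plainCorrected: run("2019-03-26", plainSite),      // clock fixed
  };
}

console.log(reproductionMatrix());
```

With these constructed dates, only the non-stapling site with the clock set to 2000 yields the not-yet-valid certificate error that the summary refers to.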