Closed Bug 1569395 Opened 5 years ago Closed 5 years ago

After bug 1500533, http://mitm.watch displays "Likely Mitm!" when using Private Browsing

Categories

(Core :: Networking, defect)

68 Branch
Desktop
All
defect
Not set
normal

Tracking

()

RESOLVED INVALID
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix

People

(Reporter: yahawe, Unassigned)

References

(Regression)

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3860.5 Safari/537.36

Steps to reproduce:

This Bug is reproducible in Firefox ESR to Nightly.

Step 1:
Open Firefox 68.01 ESR.

Step 2:
Open Private Mode. (Ctrl + Shift + P)

Step 3:
Visit the https://mitm.watch website. (It shows whether the connection is being compromised by MITM or not.)

Step 4:
The Result is (Likely MITM!).

Following the above steps gives the same result every time, and it is not solved by:

  1. Deleting All History and Data.
  2. Deleting Profile.
  3. Deleting Firefox completely (with profile) and re-installing it.

The Screenshots:
https://send.firefox.com/download/158a3389018bb547/#390t6fNrncn62FQRhq6THA

Actual results:

The Result shows (Likely MITM! on the website).

Expected results:

The website should show (No MITM!) because when using Chrome, it is not reproducible.

Here is the video:
https://youtu.be/Z3a_dqTxDS4 (Youtube)

Here is the Raw Data of my Firefox installation:

Application Basics

Name: Firefox
Version: 68.0.1esr
Build ID: 20190717193731
Update Channel: esr
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
OS: Windows_NT 10.0
Launcher Process: Enabled
Multiprocess Windows: 1/1 Enabled by default
Remote Processes: 4
Enterprise Policies: Inactive
Google Location Service Key: Found
Google Safebrowsing Key: Found
Mozilla Location Service Key: Found
Safe Mode: false

Crash Reports for the Last 3 Days

Firefox Features

Name: Firefox Monitor
Version: 3.0
ID: fxmonitor@mozilla.org

Name: Firefox Screenshots
Version: 39.0.0
ID: screenshots@mozilla.org

Name: Form Autofill
Version: 1.0
ID: formautofill@mozilla.org

Name: Web Compat
Version: 4.3.2
ID: webcompat@mozilla.org

Name: WebCompat Reporter
Version: 1.1.0
ID: webcompat-reporter@mozilla.org

Remote Processes

Type: Web Content
Count: 2 / 8

Type: Extension
Count: 1

Type: GPU
Count: 1

Extensions

Name: Amazon.co.uk
Version: 1.1
Enabled: true
ID: amazon@search.mozilla.org

Name: Bing
Version: 1.0
Enabled: true
ID: bing@search.mozilla.org

Name: Chambers (UK)
Version: 1.0
Enabled: true
ID: chambers-en-GB@search.mozilla.org

Name: DuckDuckGo
Version: 1.0
Enabled: true
ID: ddg@search.mozilla.org

Name: eBay
Version: 1.0
Enabled: true
ID: ebay@search.mozilla.org

Name: Google
Version: 1.0
Enabled: true
ID: google@search.mozilla.org

Name: Twitter
Version: 1.0
Enabled: true
ID: twitter@search.mozilla.org

Name: Wikipedia (en)
Version: 1.0
Enabled: true
ID: wikipedia@search.mozilla.org

Security Software

Type: Windows Defender Antivirus

Type: Windows Defender Antivirus

Type: Windows Firewall

Important Modified Preferences

browser.cache.disk.amount_written: 7757
browser.cache.disk.capacity: 1048576
browser.cache.disk.filesystem_reported: 1
browser.sessionstore.upgradeBackup.latestBuildID: 20190717193731
browser.startup.homepage_override.buildID: 20190717193731
browser.startup.homepage_override.mstone: 68.0.1
browser.urlbar.placeholderName: Google
extensions.lastAppVersion: 68.0.1
gfx.crash-guard.status.wmfvpxvideo: 2
gfx.crash-guard.wmfvpxvideo.appVersion: 68.0.1
gfx.crash-guard.wmfvpxvideo.deviceID: 0x1916
gfx.crash-guard.wmfvpxvideo.driverVersion: 25.20.100.6518
layers.mlgpu.sanity-test-failed: false
media.benchmark.vp9.fps: 149
media.benchmark.vp9.versioncheck: 5
media.gmp-gmpopenh264.abi: x86_64-msvc-x64
media.gmp-gmpopenh264.lastUpdate: 1564182483
media.gmp-gmpopenh264.version: 1.8.1
media.gmp-manager.buildID: 20190717193731
media.gmp-manager.lastCheck: 1564227956
media.gmp-widevinecdm.abi: x86_64-msvc-x64
media.gmp-widevinecdm.lastUpdate: 1564182486
media.gmp-widevinecdm.version: 4.10.1440.18
media.gmp.storage.version.observed: 1
media.hardware-video-decoding.failed: false
network.predictor.cleaned-up: true
places.history.expiration.transient_current_max_pages: 112348
plugin.disable_full_page_plugin_for_types: application/pdf
privacy.cpd.offlineApps: true
privacy.cpd.siteSettings: true
privacy.sanitize.pending: [{"id":"newtab-container","itemsToClear":[],"options":{}}]
privacy.sanitize.timeSpan: 0
security.sandbox.content.tempDirSuffix: {ee1bd974-1fe6-4cfb-ae18-3cca4f3b6b20}
security.sandbox.plugin.tempDirSuffix: {48be5fac-163f-4c7f-bf16-8ff7eec538af}
services.sync.declinedEngines:
signon.importedFromSqlite: true
ui.osk.debug.keyboardDisplayReason: IKPOS: Touch screen not found.

Important Locked Preferences

Places Database

JavaScript

Incremental GC: true

Accessibility

Activated: false
Prevent Accessibility: 0
Accessible Handler Used: true
Accessibility Instantiator:

Library Versions

NSPR
Expected minimum version: 4.21
Version in use: 4.21

NSS
Expected minimum version: 3.44.1
Version in use: 3.44.1

NSSSMIME
Expected minimum version: 3.44.1
Version in use: 3.44.1

NSSSSL
Expected minimum version: 3.44.1
Version in use: 3.44.1

NSSUTIL
Expected minimum version: 3.44.1
Version in use: 3.44.1

Sandbox

Content Process Sandbox Level: 5
Effective Content Process Sandbox Level: 5

Internationalisation & Localisation

Application Settings
Requested Locales: ["en-GB"]
Available Locales: ["en-GB","en-US"]
App Locales: ["en-GB","en-US"]
Regional Preferences: ["en-US"]
Default Locale: "en-GB"
Operating System
System Locales: ["en-GB"]
Regional Preferences: ["en-US"]

Component: Untriaged → Security
OS: Unspecified → Windows 10
Hardware: Unspecified → Desktop
Summary: MITM atttack in my Firefox (68.01 ESR to Nightly) → MITM atttack in my Firefox (68.01 ESR up to Nightly)

if you view the certificate on the mitm-watch site, what details does it contain?
https://support.mozilla.org/en-US/kb/secure-website-certificate

This is weird!
The certificate is somehow similar to the original, when comparing the MD5 and SHA-1 fingerprints in Firefox and Chrome.

Here is the video:
https://youtu.be/GCXeE9H1_wo

This bug is only reproducible using ordinary DNS servers (ISP, Google, etc.).
I live in a very censorship-sponsored country, so the ISP is somehow intercepting all DNS queries using a DPI firewall.
But when using Google Chrome, it is not reproducible. Why? Does Google Chrome implement a different type of approach?

(In reply to [:philipp] from comment #2)

if you view the certificate on the mitm-watch site, what details does it contain?
https://support.mozilla.org/en-US/kb/secure-website-certificate

Does this provide sufficient information?

No, the certificate is the same as the one the genuine site is providing, so based on that you couldn't tell that the connection would be man-in-the-middled or what else might be wrong, unfortunately.

As I have said earlier, does this depend on how Firefox vs Chrome handle DNS queries? Such as OCSP (Firefox) vs CRLSET (Chrome).
I was also able to reproduce this bug by enabling DNS-over-HTTPS and a VPN too. However, it is still not reproducible in Chrome.

I have also re-produced this bug in:

  1. Fresh Installation of Windows 10
  2. using different network connection (Ethernet vs Wifi)
  3. using different Telecom ISP (Broadband vs Mobile Hotspot)

I am not an expert in this field, but this looks like a very complex or sophisticated type of MITM attack.

If this bug isn't re-producible due to technical limitations (specific to my case) I will mark this bug as Resolved.
Thanks!

See also https://caddyserver.com/docs/mitm-detection, which seems to be the original implementation. On my systems it says "MITM unlikely" in normal browsing and "MITM likely" in private windows, just like your URL.

It's not very clear how the detection is working. I noticed that using a VPN / DNS blocker makes it fail at times. In any case, there's no actual MITM happening, the test is probably very sensitive to something network-related.

There's a paper here.

I tried capturing a couple of TLS Client Hello messages. It seems that the Caddy implementation tends to flag the request as MITM more often while Wireshark is running, not sure why. The only differences were:

  • the flagged request had an empty session ticket extension and some padding at the end:

          Extension: session_ticket (len=0)
              Type: session_ticket (35)
              Length: 0
              Data (0 bytes)
    
  • the good one had no session ticket or padding, but had a pre-shared key at the end:

          Extension: pre_shared_key (len=156)
              Type: pre_shared_key (41)
              Length: 156
              Pre-Shared Key extension
                  Identities Length: 119
                  PSK Identity (length: 113)
                      Identity Length: 113
                      Identity: [redacted]
                      Obfuscated Ticket Age: 12XXX
                  PSK Binders length: 33
                  PSK Binders
    

I didn't close the browser between requests, so resuming an existing session is not unexpected.

I'm getting "No MITM!"

Firefox 69.0b8 (64-bit)
MacOS 10.14.5

(In reply to ezra@tsdme.nl from comment #12)

I'm getting "No MITM!"

Firefox 69.0b8 (64-bit)
MacOS 10.14.5

Sorry, in Private Mode I'm getting:

"Likely MITM"

I've found two STR. Ehsan, is this a bug on our side or should this be reported to Caddy / Cloudflare?

  1. Private Browsing + FirstPartyIsolation + https://
    Open a private window, load https://mitm.watch.
    mozregression --good 2019-01-10 --bad 2019-07-27 --pref privacy.firstparty.isolate:true browser.startup.homepage:'https://mitm.watch'

13:55.13 INFO: Last good revision: 3aa904e59c1bb6d6ea3ded4d8453db0ace13f189
13:55.13 INFO: First bad revision: 938a637c68f05534032b90a7bbb07c0c270711cf
13:55.13 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3aa904e59c1bb6d6ea3ded4d8453db0ace13f189&tochange=938a637c68f05534032b90a7bbb07c0c270711cf

938a637c68f05534032b90a7bbb07c0c270711cf Ehsan Akhgari — Bug 1500533 - Ensure that TLS session resumption tickets are only consumed if the channel isn't isolated by anti-tracking checks; r=michal,baku

  2. Private Browsing + http://
    mozregression --repo autoland --launch 938a637c68f05534032b90a7bbb07c0c270711cf --pref browser.privatebrowsing.autostart:true browser.startup.homepage:'http://mitm.watch'
Status: UNCONFIRMED → NEW
Has Regression Range: --- → yes
Has STR: --- → yes
Component: Security → Networking
Ever confirmed: true
Flags: needinfo?(ehsan)
Keywords: regression
OS: Windows 10 → All
Product: Firefox → Core
Regressed by: 1500533
Summary: MITM atttack in my Firefox (68.01 ESR up to Nightly) → After bug 1500533, http://mitm.watch displays "Likely Mitm!" when using Private Browsing

Look at what Caddy does in order to identify Firefox, it expects to see TLS extension type 35: https://github.com/caddyserver/caddy/blob/f5720fecd663f521d832c1bca69e52ece43dc2b1/caddyhttp/httpserver/mitm.go#L406. But for TorBrowser which disables TLS session tickets (similar to what we do for private browsing contexts now) it doesn't expect that. Looks like Caddy needs to be updated here, since their MITM detection is based on detecting the expected characteristics of the TLS traffic generated by browsers. Please report this issue to that project, thanks!

I'm going to close the bug here as I don't believe there is any action to be taken on our side, please feel free to reopen if the Caddy developers disagree. Thanks!

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(ehsan)
Resolution: --- → INVALID
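
The closing comment's explanation, as an added example that is not Caddy's or Mozilla's code: a ClientHello extension parser plus a simplified stand-in for a single fingerprint rule, showing why a client that stops sending session_ticket (type 35) is flagged unless the rule tolerates its absence. The names `ExtensionTypes`, `FlaggedAsMITM` and `sampleHello` are hypothetical, and the sample ClientHello bodies are constructed, not captured.

```go
package main

import "fmt"

const extSessionTicket = 35 // session_ticket, the extension type named in the thread
var errShort = fmt.Errorf("truncated ClientHello")

// vec reads a vector with a w-byte big-endian length prefix from b.
func vec(b []byte, w int) (body, rest []byte, err error) {
	n := 0
	for i := 0; i < w && i < len(b); i++ {
		n = n<<8 | int(b[i])
	}
	if len(b) < w+n {
		return nil, nil, errShort
	}
	return b[w : w+n], b[w+n:], nil
}

// ExtensionTypes lists, in wire order, the extension type codes of a ClientHello
// body (the bytes after the 4-byte handshake header). An extensions block is required.
func ExtensionTypes(body []byte) ([]uint16, error) {
	if len(body) < 34 { // legacy_version (2) + random (32)
		return nil, errShort
	}
	rest, err := body[34:], error(nil)
	for _, w := range []int{1, 2, 1} { // session_id, cipher_suites, compression
		if _, rest, err = vec(rest, w); err != nil {
			return nil, err
		}
	}
	exts, _, err := vec(rest, 2) // the extensions block itself
	if err != nil {
		return nil, err
	}
	var types []uint16
	for len(exts) > 0 {
		if len(exts) < 4 { // type (2 bytes) + data length (2 bytes)
			return nil, errShort
		}
		types = append(types, uint16(exts[0])<<8|uint16(exts[1]))
		if _, exts, err = vec(exts[2:], 2); err != nil { // skip extension data
			return nil, err
		}
	}
	return types, nil
}

// FlaggedAsMITM models one rule only (simplified, hypothetical): a client claiming
// to be Firefox is flagged when session_ticket is absent, unless that is tolerated.
func FlaggedAsMITM(types []uint16, ticketOptional bool) bool {
	for _, t := range types {
		if t == extSessionTicket {
			return false
		}
	}
	return !ticketOptional
}

// sampleHello builds a constructed ClientHello body whose extensions carry no data.
func sampleHello(types ...uint16) []byte {
	b := append(make([]byte, 34), 0, 0, 2, 0x13, 0x01, 1, 0)
	var ext []byte
	for _, t := range types {
		ext = append(ext, byte(t>>8), byte(t), 0, 0)
	}
	return append(append(b, byte(len(ext)>>8), byte(len(ext))), ext...)
}

func main() {
	with, _ := ExtensionTypes(sampleHello(0, 10, 35, 13))
	without, _ := ExtensionTypes(sampleHello(0, 10, 13))
	fmt.Println(FlaggedAsMITM(with, false), FlaggedAsMITM(without, false), FlaggedAsMITM(without, true))
}
```
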