Closed Bug 1598907 Opened 5 years ago Closed 5 years ago

Spurious HSTS failure with "MITM detection" on valid DigiCert signed certificate.

Categories

(Core :: Security: PSM, defect)

70 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1593167

People

(Reporter: philippkorber, Unassigned)

Details

Attachments

(1 file)

Attached file bad_slack_com.crt (2.50 KB, application/x-x509-ca-cert)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

Open firefox and try to connect to any website with HSTS enabled and a certificate signed by DigiCert (like bugzilla.mozilla.org, slack.com, etc.).

Actual results:

Sometimes the connection fails with a MITM detection failure warning (with some text about it being caused by HSTS), but the certificate is exactly the same as when connecting before/after when it does not happen. Restarting Firefox seems to help sometimes, but I also had a situation where it went away by itself after ~30 min. It should be noted that I exported the "bad" and "good" certificates used for some sites (e.g. slack), i.e. the certificate used when getting a MITM error and the one used when not getting one, and they are exactly the same.

It should be noted that this happens independently of the network (home, eduroam, cafe, hotspot), and at least Firefox for Android doesn't have the problem on the same network.

I just realized it might correlate with Firefox having no internet when being started, but I'm not sure and will look out for this.

I attached the exported certificate for slack which was used in both a situation where Firefox believed it was a MITM/bad HSTS and when it believed everything is fine.

Expected results:

  1. If there is a MITM / bad HSTS certificate it should not be the same certificate as when the same browser believes HSTS is fine (I think).
  2. If there is no MITM / bad HSTS the connection should not fail spuriously with a warning that there is one.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: PSM
Product: Firefox → Core

The exact error code was MOZILLA_PKIX_ERROR_MITM_DETECTED (if I'm not wrong, I should have written it down, sorry, but it had PKI and MITM in the name, so if there is no other very similar error it was that one).

Also this happens on Linux and no proxy or meddlesome antivirus software was used.

I just realized it might correlate with Firefox having no internet when being started, but I'm not sure and will look out for this.

I tried to reproduce this using this idea as a basis and failed, so maybe it's not directly related. Still, the bug hits me pretty often in a spurious way, so I'm not sure how to intentionally trigger it.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE