Closed Bug 1601735 Opened 5 years ago Closed 5 years ago

Untrusted and expired cert shows expiry message that implies it is trusted

Categories

(Firefox :: Security, defect, P3)

70 Branch
defect

RESOLVED DUPLICATE of bug 1524323

People

(Reporter: u652468, Unassigned)

Details

Attachments

(5 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Create a self-signed certificate that expires yesterday.
Start MITM attack.
(Or connect to router settings page with expired, self-signed certificate over https)

Actual results:

User connects and sees potential security risk screen and clicks advanced.
"Websites prove their identity via certificates, which are valid for a set time period. The certificate for <website> expired on <yesterday>."
They assume the site forgot to renew their certificate which only expired yesterday, so they ignore the error and continue.

Below the message is the more important information: "Error code: SEC_ERROR_UNKNOWN_ISSUER", but the user is unlikely to read this as it has fewer details and is usually (and should probably always be) redundant.
I saw this on a page for 192.168.200.1 which expired on 9/6/2006, but I assume the date and domain make no difference.

Expected results:

The user should at least be primarily warned that the certificate is untrusted as the expiration date is irrelevant if we don't trust it anyway. The error code seems to be handled appropriately, but the message provided with it is not.

I signed in through github and wasn't aware my email would be made public. Please let me know once it's ok to disable my account.

This also occurs on desktop version 70 and desktop 68.2.0esr, however 68.2.0esr on Android (as Fennec F-Droid) shows "<website> uses an invalid security certificate. The certificate is not trusted because it is self-signed."

The text you've quoted is from the "Advanced" box once you've expanded it. Just so everyone's on the same page I'll include some STR that don't require generating a cert and running a server, and follow with some resulting screenshots.

  1. Set your system clock far in the future. For the sites below, Nov 2021 or later is currently fine.
  2. Visit https://badssl.com/
  3. Click the Advanced button (do NOT add the exception)
  4. Visit https://untrusted-root.badssl.com/
  5. Click the Advanced button (do NOT add the exception)

https://badssl.com/ has a perfectly fine certificate that currently expires in Oct 2021. Step 2 shows the main text which talks about the cert being expired and your clock being wrong. The advanced box has the text "s" quotes in comment 0 but the error code SEC_ERROR_EXPIRED_CERTIFICATE.

untrusted-root.badssl.com will have an untrusted cert that is also expired. The main text will talk about the server being misconfigured. The Advanced box will be as described in comment 0.

When there are multiple errors we correctly show the main page and error code of the "worst" error (expired is always least worst), but we select the wrong text for the Advanced box. We can hope that people follow our "Go Back" recommendation, and hope that advanced people will look at the error code, but we should fix the text because that's a lot of wishful thinking :-)

This doesn't need to be hidden as a security bug because knowing about the problem will help people more than it will help attackers (no decent attacker is going to take the risk on an interstitial error page alerting suspicions). I've moved it to MoCo confidential until "s" can change their email.

s: disabling your account will not hide your email. You may be able to file a request to have your account deleted entirely (I think the ability to do that is a GDPR requirement, but I'm not sure) but it may be easier to change your account's email address to some throwaway-mail service like mailinator. Has to be real enough that you can verify receipt of mail at that address. Like many other sites we might block some of the obvious services (like mailinator) so YMMV.

needinfo Johann since he worked on these pages and might know if someone else has taken over since.

Group: firefox-core-security → mozilla-employee-confidential
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Flags: needinfo?(jhofmann)
Whiteboard: keep confidential until reporter's email is changed
Version: 71 Branch → 70 Branch
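
Added example (not part of the bug thread and not Firefox source code): a small model of the selection problem described above, where the error code follows the "worst" failure but the Advanced text follows the expiry failure, next to a version that derives both from the same failure. The function names, message strings, sample certificate, and the relative order of the first two codes are assumptions; only "expired ranks lowest" comes from the thread.

```javascript
// Added illustration, not Firefox source. Severity order: most severe first.
// Only "expired is least severe" is taken from the thread; the rest is assumed.
const SEVERITY = [
  "SEC_ERROR_UNKNOWN_ISSUER",
  "SSL_ERROR_BAD_CERT_DOMAIN",
  "SEC_ERROR_EXPIRED_CERTIFICATE",
];

// Hypothetical explanation strings, one per failure.
const ADVANCED_TEXT = {
  SEC_ERROR_UNKNOWN_ISSUER: (c) =>
    `The certificate for ${c.host} is not trusted because its issuer is unknown.`,
  SSL_ERROR_BAD_CERT_DOMAIN: (c) =>
    `The certificate presented is not valid for ${c.host}.`,
  SEC_ERROR_EXPIRED_CERTIFICATE: (c) =>
    `The certificate for ${c.host} expired on ${c.notAfter}.`,
};

// Constructed sample input.
const SAMPLE_CERT = { host: "device.example", notAfter: "2019-12-04" };

// Return the most severe failure; refuse codes that have no rank.
function worstError(failures) {
  if (failures.length === 0) throw new Error("no certificate failure to report");
  const ranks = failures.map((code) => {
    const r = SEVERITY.indexOf(code);
    if (r < 0) throw new Error(`unranked failure: ${code}`);
    return r;
  });
  return SEVERITY[Math.min(...ranks)];
}

// Model of the reported behaviour: code from the worst failure,
// explanation from the expiry failure whenever the cert is also expired.
function describeMismatched(cert, failures) {
  const code = worstError(failures);
  const expired = "SEC_ERROR_EXPIRED_CERTIFICATE";
  const textKey = failures.includes(expired) ? expired : code;
  return { code, advanced: ADVANCED_TEXT[textKey](cert) };
}

// Consistent selection: code and explanation come from the same failure;
// lesser failures are kept as secondary detail only.
function describeConsistent(cert, failures) {
  const code = worstError(failures);
  return { code, advanced: ADVANCED_TEXT[code](cert),
           alsoFailed: failures.filter((f) => f !== code) };
}
```
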

Thanks for all your work on this. The account page says disabling removes email, but I changed it too just in case (an option which I somehow missed before).

Ok, opening up then. I feel like there's a dupe of this somewhere already.

Group: mozilla-employee-confidential
Flags: needinfo?(jhofmann)
Keywords: dupeme
Priority: -- → P3
Whiteboard: keep confidential until reporter's email is changed

Ah, yes.

No longer blocks: better-cert-errors
Status: NEW → RESOLVED
Closed: 5 years ago
Keywords: dupeme
Resolution: --- → DUPLICATE

Thank you for reporting this in detail.
I learned to rely on these explanation texts. I almost clicked through a "benign expiration warning".

I am not very happy that this got duped to 1524323, which fails to recognize the security implication.
