Closed Bug 1684190 Opened 3 years ago Closed 2 years ago

"Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign" message has non-replaced variable {$hostname}

Categories

(Firefox :: Security, defect, P2)

Firefox 84
defect

Tracking


RESOLVED FIXED
105 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- fixed

People

(Reporter: pokechu022, Assigned: serg)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Attached image Untrusted.PNG

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0

Steps to reproduce:

I went to https://moj.gov.lr/ (specifically https://moj.gov.lr/data/uploads/images/flag-of-the-three-counties-of-hub-one-region-bong-lofa-nimba-counties-along-with-the-united-nations-and-liberia-flags-been-hosted-at-hub-1.jpg) and got a security warning. This site has a certificate "verified by" GeoTrust Inc., and the certificate expired on Friday, February 10, 2017.

Actual results:

The info in the security warning read:

Firefox detected a potential security threat and did not continue to moj.gov.lr. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign. {$hostname} uses a certificate from one of these authorities and so the website’s identity cannot be proven.

Expected results:

{$hostname} in the second paragraph should have been replaced with moj.gov.lr.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: PSM
Product: Firefox → Core

I think the cause is that https://github.com/mozilla/gecko-dev/blob/7aa8b3a2e4d7325e5494335247e5326ea2740de8/browser/base/content/aboutNetError.js#L859-L865 should have { hostname: HOST_NAME } instead of just { HOST_NAME }, but I'm not 100% sure.

I'm unable to reproduce on Nightly 86.0a1 (2020-12-24) (64-bit), as I get SEC_ERROR_UNKNOWN_ISSUER instead of MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED. However, it seems like the same code still exists.

Component: Security: PSM → Security
Product: Core → Firefox

Ouch, thanks for catching that.

Assignee: nobody → jhofmann
Severity: -- → S3
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Keywords: regression
Priority: -- → P2
Regressed by: 941354
Has Regression Range: --- → yes

We should make sure we check for the hostname in the test. I'll also file a fluent bug to make omitting replaced variables crash on debug / nightly builds.

Flags: in-testsuite?
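The two comments above describe the likely cause (an object-literal shorthand `{ HOST_NAME }` producing the key `HOST_NAME` instead of `hostname`) and the proposed safeguard (a test that checks the hostname actually appears, so an unreplaced variable fails loudly). The following is an added illustration, not code from Firefox, Fluent, or this bug's fix: `formatPattern` is a deliberately minimal stand-in for Fluent's `{$variable}` substitution, `findUnreplacedVariables` is the kind of check a test could run, and the `HOST_NAME` value and message text are constructed from the report.

```javascript
// Added example (not Firefox or Fluent code): how an object-literal shorthand
// mismatch leaves a Fluent-style {$variable} placeholder unreplaced, and a
// check that would surface it in a test.

// Constructed message pattern modelled on the paragraph quoted in the report.
const PATTERN =
  "Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, " +
  "Symantec, Thawte, and VeriSign. {$hostname} uses a certificate from one " +
  "of these authorities and so the website\u2019s identity cannot be proven.";

const PLACEHOLDER = /\{\$([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Minimal stand-in for Fluent's variable substitution (assumption: only
// simple {$name} references, no selectors or functions). Unknown variables
// are left in place, which is what the reporter observed.
function formatPattern(pattern, args) {
  return pattern.replace(PLACEHOLDER, (match, name) =>
    Object.prototype.hasOwnProperty.call(args, name) ? String(args[name]) : match
  );
}

// Returns the names of any {$variable} placeholders still present after
// formatting; an empty array means every variable was supplied.
function findUnreplacedVariables(text) {
  const names = [];
  for (const m of text.matchAll(PLACEHOLDER)) {
    names.push(m[1]);
  }
  return names;
}

// Constructed value standing in for the hostname variable in aboutNetError.js.
const HOST_NAME = "moj.gov.lr";

function buggyArgs() {
  // Shorthand property: the key is "HOST_NAME", so {$hostname} is never matched.
  return { HOST_NAME };
}

function fixedArgs() {
  // Explicit key matching the placeholder name in the message pattern.
  return { hostname: HOST_NAME };
}

function renderWarning(args) {
  return formatPattern(PATTERN, args);
}

// Stand-alone demo: prints the argument keys and any leftover placeholders.
if (typeof require !== "undefined" && require.main === module) {
  for (const [label, args] of [["buggy", buggyArgs()], ["fixed", fixedArgs()]]) {
    const text = renderWarning(args);
    console.log(label, Object.keys(args), findUnreplacedVariables(text));
  }
}
```

In a test, asserting that `findUnreplacedVariables` returns an empty array (or simply that the expected hostname string appears in the rendered text) turns a silently wrong user-facing message into a failing check, which is the point of the suggestion above.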

That's a great idea, Gijs!

See Also: → 1685180
Assignee: nobody → sgalich
Status: NEW → ASSIGNED
Flags: needinfo?(sgalich)
Pushed by sgalich@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f348b88872e7
fix hostname in MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED error message r=Gijs
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
