"Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign" message has non-replaced variable {$hostname}
Categories: Firefox :: Security, defect, P2
People: Reporter: pokechu022, Assigned: serg
References: Regression
Keywords: regression
Attachments: 2 files
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Steps to reproduce:
I went to https://moj.gov.lr/ (specifically https://moj.gov.lr/data/uploads/images/flag-of-the-three-counties-of-hub-one-region-bong-lofa-nimba-counties-along-with-the-united-nations-and-liberia-flags-been-hosted-at-hub-1.jpg) and got a security warning. This site has a certificate "verified by" GeoTrust Inc., and the certificate expired on Friday, February 10, 2017.
Actual results:
The info in the security warning read:
Firefox detected a potential security threat and did not continue to moj.gov.lr. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign. {$hostname} uses a certificate from one of these authorities and so the website’s identity cannot be proven.
Expected results:
{$hostname} in the second paragraph should have been replaced with moj.gov.lr.
Comment 1 • 3 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2 • 3 years ago (Reporter)
I think the cause is that https://github.com/mozilla/gecko-dev/blob/7aa8b3a2e4d7325e5494335247e5326ea2740de8/browser/base/content/aboutNetError.js#L859-L865 should have { hostname: HOST_NAME } instead of just { HOST_NAME }, but I'm not 100% sure.
I'm unable to reproduce on Nightly 86.0a1 (2020-12-24) (64-bit), as I get SEC_ERROR_UNKNOWN_ISSUER instead of MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED. However, it seems like the same code still exists.
Comment 3 • 3 years ago
Ouch, thanks for catching that.
Comment 4 • 3 years ago
We should make sure we check for the hostname in the test. I'll also file a fluent bug to make omitting replaced variables crash on debug / nightly builds.
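The property-shorthand mistake Comment 2 points at, and the hostname check Comment 4 asks for in the test, as an added example that is not Firefox or Fluent code: a small stand-in formatter (hypothetical, with its own regex for {$var} placeables) shows why { HOST_NAME } produces an argument named HOST_NAME rather than hostname, leaving {$hostname} in the rendered text, and a strict variant throws on any leftover placeable, the behaviour proposed for debug/Nightly builds. The quoted message text and the host moj.gov.lr come from the report; every function and constant name here is an assumption.

```javascript
// Added example for this bug thread; it is not Firefox or Fluent code.
// A minimal stand-in for a Fluent-style formatter that fills `{$name}`
// placeables from an args object, to show why `{ HOST_NAME }` leaves
// `{$hostname}` unreplaced and how a test or strict mode would catch it.

// Message text as quoted in the report (constructed sample input).
const POLICY_CONSTRAINT_MESSAGE =
  "Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, " +
  "Symantec, Thawte, and VeriSign. {$hostname} uses a certificate from one of " +
  "these authorities and so the website's identity cannot be proven.";

// Hypothetical placeable syntax: `{$name}` with a Fluent-like identifier.
const PLACEABLE = /\{\$([A-Za-z][A-Za-z0-9_-]*)\}/g;

// Hypothetical formatter: substitute each `{$var}` with args[var]; a variable
// with no matching arg is left in place, which is what the reporter saw.
function formatMessage(pattern, args) {
  return pattern.replace(PLACEABLE, (placeable, name) =>
    Object.prototype.hasOwnProperty.call(args, name) ? String(args[name]) : placeable
  );
}

// Names of placeables still present after formatting.
function unreplacedVariables(text) {
  return Array.from(text.matchAll(PLACEABLE), m => m[1]);
}

// Strict variant: fail loudly instead of shipping a raw `{$hostname}` to the
// user, the behaviour Comment 4 suggests for debug / Nightly builds.
function formatMessageStrict(pattern, args) {
  const out = formatMessage(pattern, args);
  const missing = unreplacedVariables(out);
  if (missing.length > 0) {
    throw new Error(`unreplaced variables: ${missing.join(", ")}`);
  }
  return out;
}

const HOST_NAME = "moj.gov.lr"; // host from the report

// Bug: ES2015 shorthand `{ HOST_NAME }` defines a property named "HOST_NAME",
// so the formatter never finds an arg called "hostname".
function buggyArgs() {
  return { HOST_NAME };
}

// Fix: key the arg by the Fluent variable name, as Comment 2 proposes.
function fixedArgs() {
  return { hostname: HOST_NAME };
}

// The check Comment 4 asks for in the test: the rendered text names the host
// and carries no leftover placeable.
function messageMentionsHost(text, host) {
  return text.includes(host) && unreplacedVariables(text).length === 0;
}

function demo() {
  const buggy = formatMessage(POLICY_CONSTRAINT_MESSAGE, buggyArgs());
  const fixed = formatMessage(POLICY_CONSTRAINT_MESSAGE, fixedArgs());
  console.log("buggy args ->", buggy);
  console.log("fixed args ->", fixed);
  return { buggy, fixed };
}

demo();
```

The silent fallback in formatMessage is deliberate: it reproduces the failure mode where the page renders but the user sees a raw variable. A test that only checks the error page loaded would pass on both arg shapes; messageMentionsHost fails on the buggy one.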
Comment 5 • 3 years ago
That's a great idea, Gijs!
Comment hidden (off-topic)
Comment 7 • 2 years ago (Assignee)
Pushed by sgalich@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f348b88872e7 fix hostname in MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED error message r=Gijs
Comment 9 • 2 years ago (bugherder)