Closed Bug 1714582 Opened 5 years ago Closed 4 years ago

[Bug] After clicking on "Accept the Risk and Continue" in the notification "Secure Connection Failed", Firefox for Android marks an HTTPS connection to a site that is untrusted for any reason as secure

Categories

(GeckoView :: General, defect, P1)

Unspecified
Android
defect

Tracking

(firefox92 fixed)

VERIFIED FIXED
92 Branch
Tracking Status
firefox92 --- fixed

People

(Reporter: petru, Assigned: bugzilla)

References

Details

(Whiteboard: [geckoview:m92])

Attachments

(2 files)

From github: https://github.com/mozilla-mobile/fenix/issues/19799.

Steps to reproduce

  1. Open any untrusted site with an HTTPS connection using Firefox for Mobile (for example, badssl.com).
  2. Skip the notification "Secure Connection Failed" by clicking on "Accept the Risk and Continue".
  3. Look at the security icon and status.

Expected behavior

Firefox for Android reports the connection as insecure even with a security exception, like Firefox for Desktop.

Actual behavior

Firefox for Android reports the connection and the site's certificate as fully secure and misleads the user.

Device information

  • Device vendor / model and Android version: Samsung Galaxy A20s (ARM64) with Android 10, Samsung Galaxy J2 Prime (ARMv7) with Android 6.0.1
  • Firefox for Android version: 89.1.1, 90.0.0-beta.1

Screenshots

(Screenshot: how it looks on a Samsung Galaxy A20s)

(Screenshot: how it looks on a Samsung Galaxy J2 Prime)

Video

https://user-images.githubusercontent.com/85299944/120673075-87aa6c00-c49b-11eb-9367-89233e267de8.mp4

Change performed by the Move to Bugzilla add-on.

Following these steps I see this sending to AndroidComponents here that "securityInfo.isSecure == true", hence the app showing that session as being secure.

Severity: -- → S3
Priority: -- → P1
Severity: S3 → --
Priority: P1 → --
Severity: -- → S3
Priority: -- → P1
Whiteboard: [geckoview:m92]
Assignee: nobody → aklotz
Status: NEW → ASSIGNED

Two issues:

  1. We were missing the originAttributes argument to nsICertOverrideService.hasMatchingOverride.
  2. If the override does exist, we should flag it as insecure.

I also enhanced a test to check this.
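As an added model of the decision the fix above describes (example code, not Gecko or GeckoView code): the override lookup is keyed on host, port and origin attributes, and any matching override makes the surfaced status insecure even though the TLS handshake succeeded. The class and function names, the origin attribute fields, the flag constant and the sample hosts are assumptions constructed for this example.

```javascript
// Constructed model, not Gecko's nsICertOverrideService or GeckoView's securityInfo.
// Assumed flag constant standing in for the "connection is secure" bit of securityState.
const STATE_IS_SECURE = 0x2;

// An override is recorded per host, port and origin attributes. Looking it up
// without the attributes (the first issue in the fix) yields a key that can never
// match an override stored for a private-browsing or container context.
function overrideKey(host, port, originAttributes) {
  const oa = originAttributes || {};
  const pb = oa.privateBrowsingId || 0; // assumed attribute name
  const uc = oa.userContextId || 0;     // assumed attribute name
  return `${host.toLowerCase()}:${port}:pb=${pb}:uc=${uc}`;
}

class CertOverrideStore {
  constructor() {
    this.overrides = new Map();
  }
  // Remember that the user accepted the risk for this host/port/origin.
  rememberOverride(host, port, originAttributes, { temporary = false } = {}) {
    this.overrides.set(overrideKey(host, port, originAttributes), { temporary });
  }
  // The lookup the fix corrects: origin attributes are part of the match.
  hasMatchingOverride(host, port, originAttributes) {
    return this.overrides.has(overrideKey(host, port, originAttributes));
  }
}

// securityInfo is a constructed shape: { host, port, originAttributes, securityState }.
// Returns the isSecure value handed to the embedding app.
function computeIsSecure(securityInfo, store) {
  const { host, port, originAttributes, securityState } = securityInfo;
  if (!(securityState & STATE_IS_SECURE)) {
    return false; // TLS itself is not in a secure state
  }
  // Second issue in the fix: an existing override means the certificate chain
  // was NOT trusted, so the session must not be reported as secure.
  if (store.hasMatchingOverride(host, port, originAttributes)) {
    return false;
  }
  return true;
}
```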

Pushed by aklotz@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bdd3b02b105a Ensure that cert error overrides do not mistakenly flag a connection as secure; r=geckoview-reviewers,owlish
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch
Flags: qe-verify+

This is still reproducible for private sessions. In both Focus and Firefox private mode.

Attached image untrusted1.png

Verified as fixed on the latest Nightly 109.0a1 from 22/11 with a Sony Xperia (Android 6.0.1). Firefox for Android reports the connection as insecure in normal and private browsing.

Status: RESOLVED → VERIFIED
Flags: qe-verify+ → qe-verify-
Flags: qe-verify-