Open Bug 1726981 Opened 4 years ago Updated 4 years ago

Misleading link on Security warning

Categories

(Firefox :: Security, enhancement)

Firefox 91
enhancement

Tracking

Tracking Status
firefox93 --- affected
firefox94 --- affected
firefox95 --- affected

People

(Reporter: aamackie, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

I went to a website with an expired certificate.

Actual results:

A "Warning: Potential Security Risk Ahead" page opened rather than the page with the invalid certificate. This contained what appears to be some generic boilerplate text and a link that appears to be for more information about the current error, but instead takes you to another page in a different tab about internet security in general.

Expected results:

The link should either function like the advanced button, which similarly trails off in ellipses to imply it will expand to tell you more about the current problem, or it should be rephrased to indicate that it is an external link and not part of the interface to the security warning.

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core
Component: Security: PSM → Security
Product: Core → Firefox

Hi A Mackie,
in order to reproduce the issue, can you specify on which website you are experiencing it?

Also, could you answer the following questions in order to further investigate this issue.

  1. Can you test the issue while in Safe Mode? (Safe Mode disables add-ons, extensions and themes, hardware acceleration and some JavaScript stuff in order to exclude some possible reasons for problems). You can find helpful info here: https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode.

  2. Does this issue occur in the latest nightly version of Firefox? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/

  3. Are you using any addons? If so, please list them. Please, can you go to Help -> More Troubleshooting Information and copy at least the "Add-ons" information into an attachment here?

If you are still able to reproduce it, please, share further information with us, like screenshots, screen recording, or more specific steps.

I left the selected component in order to get the dev team involved.
'Firefox-Security' team: if the component is not relevant please change it to a more appropriate one.

Regards.
Jerónimo.

Flags: needinfo?(aamackie)

I feel this is more a user interface thing than a true security issue. I was successfully protected against the actual security issue, the link to more information is just a little misleading.

I can't remember which site I went to, but this one successfully opens the page: https://expired.badssl.com/

As to points 1-3, I am using many addons, and unless the warning page has been revised recently I can't see why it would be different in the nightly build. I think things are largely working as designed; the link text had just caught me out a few times. I don't often visit sites with expired certificates, so I don't remember that the link doesn't mean what I think it does before I click on it.

Flags: needinfo?(aamackie)

Hi A Mackie,
sorry for the delay on this issue. I was able to reproduce the issue since I could understand it better. When you said in comment #1:
This contained what appears to be some generic boilerplate text and a link that appears to be for more information about the current error, but instead takes you to another page in a different tab about internet security in general.

you were referring to the 'Learn more...' link that leads to that other page.

I could reproduce the issue in Windows 10, in Nightly 95.0a1 (2021-10-18) (64-bit) and Release 93.0 versions as well.
I set this as Enhancement because it seems that the link is intended to link to that page and inform the user in that matter.
I will set this as New for the developers to review; hopefully it will be taken into consideration and they can clarify this for us.

I left the assigned component in order to get the dev team involved.
'Firefox-Security' team: if the component is not relevant please change it to a more appropriate one, or advise if this qualifies as a defect instead of enhancement.

Thanks.

Severity: -- → S3
Status: UNCONFIRMED → NEW
Type: defect → enhancement
Ever confirmed: true