Closed Bug 1760770 Opened 3 years ago Closed 2 years ago

Secure connection failed when accessing aide.laposte.fr

Categories

(Web Compatibility :: Site Reports, defect)

Unspecified
Android
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1520297

People

(Reporter: petru, Unassigned)

References

Details

From github: https://github.com/mozilla-mobile/focus-android/issues/6710.

Steps to reproduce

  1. Navigate to: https://aide.laposte.fr/contenu/validite-des-timbres-apres-un-changement-de-tarif.
  2. Observe the result.

Expected behavior

The page loads as expected.

Actual behavior

A "Secure connection failed" message is displayed.

Device information

  • Operating System: Android 11
  • Android device: Samsung A51 (Android 11) -1080 × 2400 pixels 20:9 aspect ratio (~405 ppi density)
  • Focus version: Firefox Focus Nightly 100.0a1 (360770507-🦎100.0a1-20220317092857🦎)

Notes:

  1. Reproducible regardless of the status of ETP.
  2. Not reproducible using the latest build of Firefox Nightly in Normal Browsing Mode and in Private Browsing Mode.
  3. Reproducible on both Release and Nightly Version of Firefox Focus.
  4. Screenshot attached:

Change performed by the Move to Bugzilla add-on.

Issue happens on Fenix and GVE also but interestingly not on desktop.
See https://github.com/mozilla-mobile/focus-android/issues/6710#issuecomment-1074983974

The issue is not reproducible on my side on Fenix and GVE running Android 11, but it is reproducible on devices running Android 12:

https://prnt.sc/WbGtz7Y23a0y

Tested with:

Browser / Version: Firefox Nightly 100.0a1 (2015870107 -🦎100.0a1-20220321065848🦎)
Operating System: Samsung A51 (Android 11) -1080 × 2400 pixels 20:9 aspect ratio (~405 ppi density)
Operating System: Google Pixel 3 (Android 12) -1080 x 2160 pixels, 18:9 ratio (~443 ppi density)

This site is configured incorrectly: it is sending an incomplete chain of certificates. See
https://www.ssllabs.com/ssltest/analyze.html?d=aide.laposte.fr ("This server's certificate chain is incomplete. Grade capped to B.")

On Desktop we have a remote-settings dataset that contains the "known intermediates" to address this unfortunately common misconfiguration. The file is very large with occasional updates so I can easily believe we might not send it to Android.

This is not an Android 12 problem. The reason this worked for your other Android 11 profiles is because you've used them more. The Root certificate in this case is GlobalSign which is one of the well-known ones. It's quite likely that you've previously surfed to another site with a GlobalSign certificate in this session, so your Android 11 profiles have cached copies of the intermediate and we're able to construct a valid certificate chain even though the site is not providing it.

Workaround:

  1. visit https://www.globalsign.com
  2. now open aide.laposte.fr and it should work fine (at least until the TLS cache expires)

This needs to be fixed by the site. Unfortunately, it was already somewhat difficult to get sites to care; now that desktop Firefox has a workaround (as do other browsers) they have even less reason to care :-(

Component: DOM: Security → Mobile
Product: Core → Web Compatibility
See Also: → 1789395
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Component: Mobile → Site Reports
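
The behaviour described in the comments above (a server that omits its intermediate only works on profiles that have already cached that intermediate), as an added example that is not part of the original bug or Firefox's code. It is a simplified model that links certificates by subject/issuer name only; the certificate names, `build_path` and the `Profile` class are constructed for illustration, and real validation also checks signatures, validity periods and constraints.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str

def build_path(leaf, sent, cached, roots):
    """Chain leaf -> trusted root by issuer name; None if a link is missing."""
    pool = {**cached, **{c.subject: c for c in sent}}
    path, seen, current = [leaf], {leaf.subject}, leaf
    while current.issuer not in roots:
        parent = pool.get(current.issuer)
        if parent is None or parent.subject in seen:  # gap or loop
            return None
        path.append(parent)
        seen.add(parent.subject)
        current = parent
    path.append(roots[current.issuer])
    return path

class Profile:
    """Hypothetical browser profile: built-in roots plus learned intermediates."""
    def __init__(self, roots):
        self.roots = {r.subject: r for r in roots}
        self.cache = {}

    def connect(self, sent):
        """sent = certificates from the handshake, leaf first."""
        path = build_path(sent[0], sent[1:], self.cache, self.roots)
        if path is None:
            return False  # "Secure connection failed"
        for cert in path[1:-1]:  # keep intermediates, not leaf or root
            self.cache[cert.subject] = cert
        return True

# Constructed sample certificates (names are placeholders, not the real chain).
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
MISCONFIGURED = [Cert("incomplete.example", "Example Intermediate CA")]
WELL_CONFIGURED = [Cert("complete.example", "Example Intermediate CA"), INTERMEDIATE]

if __name__ == "__main__":
    fresh = Profile([ROOT])
    print("fresh profile:", fresh.connect(MISCONFIGURED))
    print("site sending full chain:", fresh.connect(WELL_CONFIGURED))
    print("same profile, retry:", fresh.connect(MISCONFIGURED))
```

The fix on the server side corresponds to `WELL_CONFIGURED`: sending the intermediate in the handshake makes the result independent of what the client has seen before.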