Open Bug 1795155 Opened 3 years ago Updated 1 year ago

Add more specific messages for bad SSL certificate errors

Categories

(Firefox for Android :: Browser Engine, task)

All
Android
task


People

(Reporter: csadilek, Unassigned)

Details

From github: https://github.com/mozilla-mobile/android-components/issues/6600.

Desktop Firefox can display various messages specific to the kind of the bad SSL certificate error that occurred. It would be nice if Android Components also supported this functionality. Currently there is only one error message that is displayed in all cases; however, in some cases it may not be informative enough for the app user.

For the context and more information, see this bug


The severity field is not set for this bug.
:cpeterson, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(cpeterson)
Severity: -- → N/A
Type: defect → task
Flags: needinfo?(cpeterson)

This is especially problematic in combination with the inability to view certificates (bug #1813945). I assume there is a reason why the error pages (and associated logic for selecting amongst them) from desktop can't just be used with a different stylesheet?

This probably belongs in "Fenix|Browser Engine" ("Bugs related to web pages, prompts, error messages, ..."). --> Reclassifying.

Here's a sample site to test this -- this triggers an error page that's insufficient in Fenix, vs. much clearer on Desktop:
https://subdomain.preloaded-hsts.badssl.com/

In Firefox on Desktop, that^ URL gives me an error page with:

Did Not Connect: Potential Security Issue
[blurb about HSTS requiring a secure connection]
[Advanced]

...and the "[Advanced]" button expands to tell me that the site used a certificate that was not valid for the requested domain (but is valid for domain $B). This is quite useful diagnostic information to figure out what's going wrong and why I'm seeing this error page.

Whereas in Fenix on Android, I see a simpler error page without that advanced diagnostic information about the domain mismatch:

This website requires a secure connection.
[3 bullet points about secure connections and this potentially being a website bug]
[Advanced]

On Fenix, the "Advanced" button just expands to give me a generic blurb about HSTS requiring a secure connection. It doesn't tell me that there was a domain mismatch or what the domain in the certificate is.

I hit this in the real world today, using a public WiFi network that happens to block access to GitHub, for whatever reason, which resulted in me landing on this error page. It turns out this network's interception system happens to perform its content-blocking by trying to return their own web content, signed with a certificate provided by Securly that's only valid to sign *.securly.com URLs. Firefox-for-Desktop helps me discover what's going on using the advanced button as noted above, but Fenix does not.

Component: General → Browser Engine
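The distinction the comments above ask for, as an added illustration (not Fenix, GeckoView or NSS code): a small classifier that turns the raw facts of a failed certificate check into a specific message, so a domain mismatch reports the names the certificate is actually valid for instead of a generic HSTS blurb. The NSS error-code names are real; the check order, the hostname-matching rule (one leftmost-label wildcard) and the sample certificates are assumptions made for the example.

```python
"""Classify a failed TLS certificate check into a specific user-facing message.
Added example for this bug; not code from Fenix, GeckoView or NSS."""
from datetime import datetime, timezone
from typing import Optional

def san_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 matching: '*' may stand for the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        # the wildcard covers exactly one label, and never a bare second-level name
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def classify_cert_error(host: str, san_names: list, not_after: datetime,
                        issuer_trusted: bool, hsts: bool,
                        now: Optional[datetime] = None) -> dict:
    """Return the most specific error code and detail text for the connection.
    Check order (assumption): untrusted issuer, then expiry, then name mismatch."""
    now = now or datetime.now(timezone.utc)
    if not issuer_trusted:
        code, detail = "SEC_ERROR_UNKNOWN_ISSUER", "Certificate issuer is not trusted."
    elif now > not_after:
        code, detail = "SEC_ERROR_EXPIRED_CERTIFICATE", f"Certificate expired on {not_after:%Y-%m-%d}."
    elif not any(san_matches(n, host) for n in san_names):
        code = "SSL_ERROR_BAD_CERT_DOMAIN"
        detail = f"Certificate is only valid for {', '.join(san_names)}, not {host}."
    else:
        return {"code": None, "hsts": hsts, "headline": "", "detail": "Certificate is acceptable."}
    # Headlines quoted in the bug report: HSTS hosts get the stricter wording.
    headline = ("This website requires a secure connection." if hsts
                else "Did Not Connect: Potential Security Issue")
    return {"code": code, "hsts": hsts, "headline": headline, "detail": detail}

# Constructed sample cases (certificate contents are assumptions, not real data).
FAR_FUTURE = datetime(2099, 1, 1, tzinfo=timezone.utc)
SAMPLE_CASES = [
    # the badssl.com test URL from the bug: HSTS host, cert for another name
    ("subdomain.preloaded-hsts.badssl.com", ["*.badssl.com", "badssl.com"], FAR_FUTURE, True, True),
    # the captive-network interception case: a *.securly.com cert served for github.com
    ("github.com", ["*.securly.com"], FAR_FUTURE, True, False),
    ("www.badssl.com", ["*.badssl.com"], datetime(2000, 1, 1, tzinfo=timezone.utc), True, False),
    ("www.badssl.com", ["*.badssl.com"], FAR_FUTURE, True, False),
]

def run_samples() -> list:
    """Classify every sample case and return the resulting error codes."""
    return [classify_cert_error(*case)["code"] for case in SAMPLE_CASES]

if __name__ == "__main__":
    for case in SAMPLE_CASES:
        print(case[0], "->", classify_cert_error(*case))
```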