Revoked certificates not trapped
Categories
(Firefox for Android :: Browser Engine, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox120 | --- | unaffected |
| firefox121 | --- | unaffected |
| firefox122 | --- | unaffected |
People
(Reporter: boek, Unassigned)
Attachments
(1 file: 133.52 KB, image/png)
From GitHub: https://github.com/mozilla-mobile/fenix/issues/20226.
Firefox Nightly (and most likely all editions) does not trap revoked certificates when such a site is visited (test facility to be provided in an update). This is highly concerning since the revocation of a certificate should be brought to the user's attention as it can indicate some concerning reasons why this was done, such as a previously OK site having gone rogue for whatever reason. Note that I have yet to find a browser, Firefox or otherwise, that actually handles revoked certificates. However, just because everyone fails does not mean Firefox should copy a bad habit, a habit that, according to the following link, goes way back...
https://www.zdnet.com/article/major-linux-rpm-problem-uncovered/
My suggestion: make all editions of Firefox warn on revoked certificates by default.
Comment 2•2 years ago
I cannot reproduce this issue in latest Firefox for Android versions:
- Nightly 122.0a1 from 12/11
- Beta 121.0b9
- RC 120.1.1
"Connection is not secure" is displayed for both websites https://revoked.badssl.com/ and https://revoked.grc.com/ in Fenix.
Tested with Samsung Galaxy A53 5G (Android 14).