Open Bug 1817868 Opened 3 years ago Updated 3 years ago

inconsistent messaging around security of connections with certificate error overrides

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Version:
Firefox 110
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr102 --- affected
firefox110 --- affected
firefox111 --- affected
firefox112 --- affected

People

(Reporter: firefox, Unassigned)

Details

Attachments

(3 files)

first
9.98 KB, image/png
Details
second
15.91 KB, image/png
Details
third - so is it secure or is it not as the first image says?!
85.98 KB, image/png
Details
Attached image first

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0

Steps to reproduce:

  1. Went to Ubiquity Edge Router X that uses self-signed certificate

Actual results:

Firefox says connection is not secure, when opposite is correct. Probably due to accepted self-signed exception?

Expected results:

Connection is secure correctly stated even for self-signed accepted exceptions.

Attached image second

This is where mostly some UI cleanup / wording change is needed.

So this is mostly UI issue with different messages when the actual SSL is self-signed and accepted and while HTTPS connection is completely secure. Firefox states confusingly otherwise.

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core
Component: Security: PSM → Security
Product: Core → Firefox
Summary: Connection is not secure for self-signed SSL certificate via secure HTTPS → inconsistent messaging around security of connections with certificate error overrides

Adding the Qa not actionable tag for now. We currently dont have an Ubiquity Edge Router X router in order to reach that setup page.

QA Whiteboard: [qa-not-actionable]

It should be possible to repeat and see this for any self-signed page. I haven't tried.

Also, I can provide the link for testing, but not publicly.

You can reproduce the issue with e.g. https://wrong.host.badssl.com/.

I was able to reproduce this issue using the link from Comment 8, after accepting the risk and continued it would show Connection not secure but in the panel it shows that the connection is encrypted.
Thank you @Dana for the help.

Severity: -- → S3
Status: UNCONFIRMED → NEW
status-firefox110: --- → affected
status-firefox111: --- → affected
status-firefox112: --- → affected
status-firefox-esr102: --- → affected
Ever confirmed: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: