Closed Bug 1867771 Opened 1 year ago Closed 1 year ago

Misleading error message when accessing a site whose CA certificate is not trusted for websites

Categories

(Core :: Security: PSM, defect)

Firefox 120
defect

RESOLVED WONTFIX

People

(Reporter: twic, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0

Steps to reproduce:

As described in this Firefox support question: https://support.mozilla.org/en-US/questions/1432196

I was trying to reach an internal company website (<redacted>), with a certificate chain rooted in a company certificate authority. I got an error message looking like this (between the ~~~s):

~~~
Someone could be trying to impersonate the site and you should not continue.

Web sites prove their identity via certificates. Firefox does not trust <redacted> because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

Error code: SEC_ERROR_UNKNOWN_ISSUER

View Certificate
~~~

The intermediate and root certificates were already installed on my machine (in /etc/ssl/certs), and had been picked up by Firefox and added to its list of authorities, so I was baffled.

Mike Kaply kindly replied to pass on the hint that I check whether the CA certificates were trusted for websites. They were not! After I checked the box to trust them, everything worked fine.

Actual results:

The error message said of the internal website that "its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates", none of which were true.

Expected results:

The error message should have said something like "its certificate issuer is known, but not trusted to issue certificates for websites".

Alternatively, the certificates could have been trusted for websites from the beginning. As far as I can tell, other software on my machine assumes everything in /etc/ssl/certs is trusted to sign certificates used with HTTPS.

In general, it's not possible to distinguish between "you unchecked the 'trust this certificate' box" and "there exists a path to a trusted certificate, but either the certificate isn't installed and trusted, or the right intermediates aren't available".

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX
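The situation the reporter hit (CA present in the Firefox certificate store but not trusted to identify websites) and the reply above (the error page cannot tell that case apart from a genuinely unknown issuer) both come down to the NSS trust attributes on the imported CA, which the error page does not show but which can be inspected locally. The script below is an added example, not code from this bug or from Mozilla: it parses the listing format of NSS's `certutil -L` (three comma-separated trust groups for SSL, S/MIME and code signing), reports every CA whose SSL group lacks `C` (trusted CA), and prints the `certutil -M` command that sets website trust. The listing is a constructed sample, and the profile path and nicknames are assumptions.

```python
"""Find CA certificates in an NSS database listing that are present but not
trusted to issue website (TLS server) certificates. Added example; it parses
the output format of `certutil -L -d sql:<profile>` and nothing else."""
import re

# One `certutil -L` row ends in three comma-separated trust groups:
# SSL, S/MIME, JAR/XPI. Flags: c = valid CA, C = trusted CA, T = trusted CA
# for client certs, p/P = valid/trusted peer, u = user cert, w/W = warn.
TRUST_RE = re.compile(r"^[pPcCTuwW]*,[pPcCTuwW]*,[pPcCTuwW]*$")

# Constructed sample listing (not real data). Nicknames are assumptions.
# The first entry is a built-in root; the others mimic CAs imported from
# /etc/ssl/certs without the "trust this CA to identify websites" box set.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:DigiCert Global Root G2                 CT,C,C
Example Corp Root CA                                         ,,
Example Corp Issuing CA                                      ,,
Example Corp Legacy CA                                       c,,
Old Partner Root                                             C,,
"""


def parse_listing(text):
    """Return (nickname, ssl, smime, code) tuples from certutil -L output.

    Nicknames may contain spaces, so split off only the last whitespace
    separated token and accept the row only if that token is a trust string;
    this also drops the two header lines and blank lines."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        nick, trust = parts[0].strip(), parts[1]
        ssl, smime, code = trust.split(",")
        entries.append((nick, ssl, smime, code))
    return entries


def trusted_for_websites(ssl_flags):
    """NSS uses a CA as a trust anchor for TLS server certificates only when
    the SSL group carries 'C'. A lowercase 'c' or an empty group means the CA
    is known (it shows up under Authorities) but not trusted, which is what
    produces SEC_ERROR_UNKNOWN_ISSUER for a chain that is otherwise complete."""
    return "C" in ssl_flags


def untrusted_cas(text):
    """Nicknames of CAs in the listing that are not trusted for websites."""
    return [nick for nick, ssl, _, _ in parse_listing(text)
            if not trusted_for_websites(ssl)]


def fix_command(nick, db_dir):
    """certutil invocation that grants website trust to one CA.

    -M rewrites the whole trust string, so "C,," sets trusted-CA for SSL and
    leaves S/MIME and code signing with no trust; use "CT,," if the CA must
    also be allowed to issue client certificates."""
    return f'certutil -M -d sql:{db_dir} -n "{nick}" -t "C,,"'


if __name__ == "__main__":
    profile = "/home/user/.mozilla/firefox/abcd1234.default"  # assumed path
    for nick in untrusted_cas(SAMPLE_LISTING):
        print(f"{nick!r} is present but not trusted for websites")
        print("  fix:", fix_command(nick, profile))
```

On a real profile, run `certutil -L -d sql:<profile dir>` with Firefox closed and feed its output to `untrusted_cas`; a CA that Firefox shows under Authorities but lists with `,,` or `c,,` is the case this bug describes, and no amount of fixing the server's intermediate chain will change the error.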

If this particular situation can't be distinguished, could the generic error message be changed to include it? For example to:

"its certificate issuer is unknown or not trusted to issue certificates for websites, the certificate is self-signed, or the server is not sending the correct intermediate certificates"

The error message as it stands doesn't describe the actual problem, and didn't help me to fix it.

I'll pass the suggestion along to our UX team, who are currently working on these error messages.

Hello again. My company tell me that they would prefer that our internal domain names are not mentioned in public (the <redacted> which occurs twice in the description). Could an admin either redact the domain name, or limit the visibility of this bug? Thank you.

Thank you so much!

And thank you for getting the corresponding forum thread sorted out too.
