Open Bug 1951851 Opened 11 days ago Updated 13 hours ago

Secure certificate fails in FF128.8.0 esr

Categories

(Core :: Security: PSM, defect)

Firefox 128
defect

UNCONFIRMED

People

(Reporter: am3, Unassigned)

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

Steps to reproduce:

Updated from FF 128.7.0 esr to 128.8.0 esr.

Actual results:

Some sites failed to connect securely, with blocking and warning that a 'no overlap' occurred. Also, some 'verify as human' tests, notably from Cloudflare, though the domain scores + using uBlockOrigin.
I note recent Chrome/Edge manifestos now disable ad-blockers. Google has suspended use without remediation, Microsoft allows toggling to reinstate.
The UPDATE WAS REVERTED to 128.7.0. This can lead to end-user security harms.

Expected results:

There should be acceptable secure connection overlap, as this update does not address SSL/TLS issues directly. Not sure of human verify tests but some portions of Cloudflare domain IS registered as a privacy violation in uBlock (one of the ad-blockers disabled as above).

Which sites are failing to connect? What is the actual error that you see?

How are sites failing relate to Cloudflare? Is that a separate issue?

Changes to WebExtension support in Chrome seem irrelevant so I don't understand why you brought them up.

What is a "secure connection overlap"?

Flags: needinfo?(am3)
Group: firefox-core-security
Keywords: regression

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Error: no overlap at plinga-live.gop3.nl
No load error visiting random.org... the verify human test does not load

about:support changes listed...

security.app_menu.recordEventTelemetry false
security.block_fileuri_script_with_wrong_mime true
security.certerrors.recordEventTelemetry false
security.protectionspopup.recordEventTelemetry false
security.sandbox.content.tempDirSuffix 5c1946d1-0ac7-45cf-a960-fe99e500d08a
security.ssl.enable_alpn false
security.ssl.enable_ocsp_must_staple false
security.ssl.require_safe_negotiation true
security.ssl.treat_unsafe_negotiation_as_broken true
security.ssl3.ecdhe_ecdsa_aes_128_sha false
security.ssl3.ecdhe_ecdsa_aes_256_sha false
security.ssl3.ecdhe_rsa_aes_128_sha false
security.ssl3.ecdhe_rsa_aes_256_sha false
security.ssl3.rsa_aes_128_sha false
security.ssl3.rsa_aes_256_sha false

Paul S.

It's possible that the plinga-live link is read as an http site... 128.7 corrects to https, 128.8 apparently does not

Flags: needinfo?(am3)

text of exact security fail at plinga-live

Secure Connection Failed

An error occurred during a connection to plinga-live.gop3.nl.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

This DOES NOT show in FF128.7.0 esr.

REVERTED 128.8 to 128.7 again.

Paul S.

BTW, about:support is incomplete in two about:config search terms 'safebrowsing' and 'google'...
safebrowsing is falsed with URLs altered to 127.0.0.1, ditto for google, and all lists emptied. Google has been for the most part tossed out.
Google DOES NOT run the Firefox browser, Mozilla does. Charge $5 if you want.

security.ssl3.ecdhe_ecdsa_aes_128_sha
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_rsa_aes_128_sha
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.rsa_aes_128_sha
security.ssl3.rsa_aes_256_sha

Try going into about:config and setting all of the above prefs to true.
(In fact, for every security. pref, you should just reset it to the default value.)

Flags: needinfo?(am3)

Some of these are weak and/or shown collision/cracking.
No.

Flags: needinfo?(am3)
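
A small model of the cipher-suite negotiation behind the suggestion to re-enable the six security.ssl3.* prefs, added here as an illustration and not taken from the bug or from Firefox code. It shows how a client with those prefs set to false has nothing in common with a server that only accepts CBC-SHA suites, which NSS reports as SSL_ERROR_NO_CYPHER_OVERLAP. The two GCM prefs and both server lists are assumptions constructed for the example.

```python
# Pref lines copied from the about:support listing in this bug.
MODIFIED_PREFS = """\
security.ssl.require_safe_negotiation true
security.ssl3.ecdhe_ecdsa_aes_128_sha false
security.ssl3.ecdhe_ecdsa_aes_256_sha false
security.ssl3.ecdhe_rsa_aes_128_sha false
security.ssl3.ecdhe_rsa_aes_256_sha false
security.ssl3.rsa_aes_128_sha false
security.ssl3.rsa_aes_256_sha false
"""

# Pref -> IANA suite name, in offer order. The two GCM prefs are an assumed,
# partial stand-in for the rest of the default offer; the six CBC-SHA prefs
# are the ones named in the bug.
PREF_TO_SUITE = {
    "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "security.ssl3.ecdhe_ecdsa_aes_128_sha": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "security.ssl3.ecdhe_ecdsa_aes_256_sha": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "security.ssl3.ecdhe_rsa_aes_128_sha": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "security.ssl3.ecdhe_rsa_aes_256_sha": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "security.ssl3.rsa_aes_128_sha": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "security.ssl3.rsa_aes_256_sha": "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Constructed server configurations (not taken from any site in the bug).
CBC_ONLY_SERVER = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
MIXED_SERVER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]

def parse_prefs(text):
    """Parse 'name value' lines as printed by about:support."""
    pairs = (line.strip().partition(" ") for line in text.splitlines())
    return {name: value for name, _, value in pairs if name}

def offered_suites(prefs):
    """Suites still offered: each is on unless its pref is set to false."""
    return [suite for pref, suite in PREF_TO_SUITE.items()
            if prefs.get(pref, "true") != "false"]

def negotiate(client_offer, server_suites):
    """Return the first server-preferred suite the client offers, else None."""
    return next((s for s in server_suites if s in client_offer), None)

if __name__ == "__main__":
    for label, prefs in (("defaults", {}), ("modified", parse_prefs(MODIFIED_PREFS))):
        offer = offered_suites(prefs)
        for name, server in (("CBC-only", CBC_ONLY_SERVER), ("mixed", MIXED_SERVER)):
            print(label, name, negotiate(offer, server) or "no overlap")
```
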