Closed Bug 289653 Opened 20 years ago Closed 20 years ago

Error Code -8101 and IDEA says Mozilla doesn't support manual SSL and Verisign

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major

RESOLVED INVALID

People

(Reporter: coxpaul, Assigned: dveditz)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Can't get the page to open, and ended up using MS Internet Explorer.  Here is
the last exchange with IDEA's tech folks:

IDEA Int'l Enrollment <enrollment@mailx.intidea.org> wrote:
I am glad you got everything to work out. Mozilla does not support manual
SSL (secure socket layer) and we use verisign to protect your information.  
Amanda
-----Original Message-----
From: Paul
Sent: Thursday, April 07, 2005 1:22 PM
To: IDEA Int'l Enrollment; Equipment
Subject: Re: IDEA International Re-Enrollment Fix It

We figured out the MS IE browser fixed our enrollment problems (we use
Firefox).  We have tried to get away from that and the Netscape browser as
they are the most frequently "hijacked."  Why don't you support Mozilla?
Paul

IDEA Int'l Enrollment wrote:


>> 
>>Dear Family,
>>
>>
>>If you are having trouble completing re-enrollment, here are some steps 
>>that may help. Please use Internet Explorer as your web browser when 
>>completing re-enrollment. If you are still having trouble, please refer 
>>to the following instructions.
>>


Reproducible: Always

Steps to Reproduce:
1. go to the page
2. receive the error message
3. 

Actual Results:  
I get the error message "Could not establish an encrypted connection because
certificate presented by ps.intidea.org is invalid or invalid.  Error code -8101"

Expected Results:  
it should have loaded the page

Mozilla supports Verisign, this can be shown by hitting the "Manage
Certificates" button on the Advanced pane of the Options dialog and scrolling
down the list of Authorities.

The site is lying, it's an invalid cert (SEC_ERROR_INADEQUATE_CERT_TYPE).
There's no such thing as "Manual SSL", what they appear to mean is a way to tell
the browser to ignore invalid certs. They try to paper over the issue by telling
people to ignore the IE error (but the IE message about dates isn't exactly
right). Opera also displays an error. They should get a valid cert, $29.95 from
godaddy.com.

The cert was issued by a Verisign cert that apparently expired before the
validity date range. Hard to believe Verisign would do that.

Without a validly issued cert you can have an encrypted channel, but you have no
way of knowing whether or not you're sending your encrypted data right into the
hands of phishers trying to steal it.

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID

The only problem I see with the site https://ps.intidea.org/ is that they're
not sending out the full cert chain.  They're sending out the server cert,
but not the issuing CA cert.  Their server is not operating in conformance 
with the TLS and SSL protocol standards, because it's not sending a complete
cert chain.  I don't see any date problems, just an incomplete cert chain.  

All they have to do is get the intermediate CA cert and configure their 
server to send it out along with their own server cert (which they're already
sending).  When they do that, their server will have become compliant with the 
relevant standards, and all standards-compliant browsers will be happy with it.

So, yes, this bug is invalid, and is a dup of the other bugs, such as 
bug 273359 (which see), that all turned out to be misconfigured servers.  