293673 - FireFox user cannot override certificate revocation

Status: RESOLVED EXPIRED

(Core :: Security: PSM, enhancement)

Description

[Giuseppe]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

i'm unsure if this is a bug or a design decision:
firefox display an alert stating "Could not estabilish an encrypted conncetion
becouse certificate presented by pluggedin.palmone.com has been revoked" and
won't load the page.
IE on the other hand, will load the page without warinig but will not display
the "lock" icon, this could be misleading.

Reproducible: Always

Steps to Reproduce:
1. just browse to https://pluggedin.palmone.com/regac/pluggedin/login.jsp
2.
3.

Actual Results:  
page will not be load 

Expected Results:  
i belive a better beaviour is to load the page after the alert box. (maybe a
"broken lock" icon could be a good way to keep in mind that the https
certificate is invalid): that way you could continue browsing if you really want
to. 

flagged security as "confidential" because the descripted IE beaviour could give
to trouble to the microserf out there...

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

The server cited above replaced its cert on 2005-05-10 so this behavior
is no longer reproducible.  
There is no exploitable vulnerability here, so I am removing security sensitive.
Reassigning this bug to PSM.
This bug is merely an issue about whether the user should be able to 
override a revoked certificate or not.  My vote is: no, revocation is
the most extreme indication of security compromise, and users who 
override it certainly do so to their own detriment.

Giuseppe, which method of revocation checking have you enabled?
Have you enabled OCSP?  
Have you downloaded the issuer's CRL?

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Changed subject to reflect requested change

Comment 3

[Giuseppe]

> Giuseppe, which method of revocation checking have you enabled?
> Have you enabled OCSP?  
> Have you downloaded the issuer's CRL?
i'm sorry i don't know what OCSP is and how i can check my setting.
i'm also sure that i have not downloaded CRL (Cert.Revocation.List?) manually: i
dunno if firefox do this automagically. 
i belive i have default settings about this kind of things.

Comment 4

[Gervase Markham [:gerv]]

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Comment 5

[Gervase Markham [:gerv]]

This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.