Closed Bug 328052 Opened 19 years ago Closed 14 years ago

Firefox keeps asking to accept questionable SSL certificate after being told no

Categories

(Core Graveyard :: Security: UI, defect)

1.8 Branch
x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 59637

People

(Reporter: sgifford, Assigned: KaiE)


Details

When I visit the above site with Firefox 1.5.0.1 on my Linux machine, FF presents a certificate from an unknown CA. If I decide I'd prefer not to go to the site in that case, I hit "Cancel" or select "Do not accept this certificate and do not connect to this Web site" then hit "OK", at which point it asks again. It continues doing this until I accept the certificate, or very quickly hit "Cancel" then "Stop" (it requires mouse gymnastics to accomplish this). It appears to re-prompt as each image on the page loads. This looks related to bug 149673, but that bug deals with client certificates, and this is a server certificate. I think this bug presents a security risk, because to a novice user, the only way out of this repeating dialog is to accept the certificate, at which point the user is browsing with less security than they want. After that they've accepted the cert for at least the rest of their browsing session.
Is there any other way at all? Unless you accept the certificate, Firefox asks for every new page that contains the SSL content. Firefox 1.5.0.4 on OS X here. I'd think this is a security problem. If you browse a site that pulls content from an untrusted SSL site you have to either accept the certificate or not browse the site. Or use Adblock or a similar non-standard solution.
QA Contact: ui
Sorry for having stalled on this bug for so long. However, I think we have made some good improvements to the way we work with bad certificates. The original test page is no longer available. However, it's an http address (not https). I conclude the bug report was about https images with bad certs referenced from an http page. In Firefox 3 we no longer bring up dialogs for bad certs of sub content; instead we block that bad cert content by default. I did a quick new test page: http://kuix.de/misc/test328052/ I'm resolving as WORKSFORME. Please reopen if you disagree.
The new trunk behavior is interesting. When I visit the page, I just get the icons for failed image loads, no dialogs and no error page. When I then bring up the page info dialog (ctrl-i) and look in the media tab at the URL for the image, a pop-up dialog appears over the info dialog, telling me about the cert problem, but giving me no option to create an exception. I like that, but I'm sure some will complain about it.
Since this causes trouble only for embedded images, subframes, scripts, and the like, handling "embedded media" should be good enough. However, not seeing a part of the page without any explanation is not good. I guess a question dialog or something like the NoScript bar is needed here, with all the options:
- No, not this time
- No, never
- Yes, for this time only
- Yes, always
Perhaps also:
- Yes, for this session
- No, never during this session
The cookie query dialog is a good example (although it could be a bit clearer and is unfortunately not the default, and is a top level dialog rather than something bound to the page tab).
(In reply to comment #4) Yes, we want to do something like that, but we have some homework to do, before we can implement it. You might want to look at our pending work in bug 62178, bug 59637, etc...
I guess what you want is
- a dialog to ask about this
- a general "don't repeat this question" mechanism that weeds out
  + multiple instances of the same question displayed at the same time
  + asking the same question for a page/site, session, forever
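A sketch, added here and not Firefox's own code, of the mechanism the two comments above describe: answers remembered at page, session and forever scope, plus de-duplication of a question already on screen, so a bad-cert question is not re-asked for every image load. Sub-content with a bad cert is blocked without any dialog, as in the Firefox 3 behaviour described earlier in this bug. All names (CertPolicy, Decision, Scope) and the sample hosts are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ASK = "ask"      # raise the dialog
    WAIT = "wait"    # identical dialog already on screen; don't stack another
    ALLOW = "allow"
    BLOCK = "block"

class Scope(Enum):
    ONCE = "once"          # this request only; nothing is remembered
    PAGE = "page"          # loads from this page
    SESSION = "session"    # until the browser exits
    FOREVER = "forever"    # persisted (a real browser writes this to disk)

@dataclass
class CertPolicy:
    # Each store maps a question key to the remembered answer (True = allow).
    page: dict = field(default_factory=dict)        # (page_url, host, error)
    session: dict = field(default_factory=dict)     # (host, error)
    persistent: dict = field(default_factory=dict)  # (host, error)
    pending: set = field(default_factory=set)       # questions on screen now

    def decide(self, page_url, host, error, top_level):
        key = (host, error)
        for store, k in ((self.persistent, key), (self.session, key),
                         (self.page, (page_url,) + key)):
            if k in store:
                return Decision.ALLOW if store[k] else Decision.BLOCK
        if not top_level:
            # Sub-content (images, frames, scripts) with a bad cert never
            # raises a dialog: block it unless an exception was recorded above.
            return Decision.BLOCK
        if key in self.pending:
            return Decision.WAIT
        self.pending.add(key)
        return Decision.ASK

    def answer(self, page_url, host, error, allow, scope):
        key = (host, error)
        self.pending.discard(key)
        if scope is Scope.PAGE:
            self.page[(page_url,) + key] = allow
        elif scope is Scope.SESSION:
            self.session[key] = allow
        elif scope is Scope.FOREVER:
            self.persistent[key] = allow
        return Decision.ALLOW if allow else Decision.BLOCK
```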
this is all ancient history now, right? The dialog box about which this bug complains no longer exists, AFAIK. If one or more of the previous commenters on this bug agree with my assessment, please say so in this bug, and we'll resolve it.
The bug has changed. Previously there was no option to reject the certificate permanently; now there is no option to load questionable content on secure sites. So the decision is still hardcoded in the browser, only its hardcoded answer is different now.
Bad certs are rejected by default. With the exception of a couple of types of errors (like actually revoked certificates), bad certs can be overridden for a particular website if you know what you are doing. If you don't know what you are doing, you shouldn't be going to potentially unsafe websites.
Michal, you say this bug has changed. That's unfortunate. It's also really up to the bug's reporter to decide that. If he agrees, I don't know what this bug is about any more. What are the current steps to reproduce? What is the expected behavior and actual behavior?
The issue is that now Firefox will silently drop the questionable content without asking. How large must the image or iframe be for you to be able to see the error page in it and load it should you want to do so? Is an error page displayed for images at all? Firefox has just changed from "always load" to "never load", which is somewhat better from a security standpoint but still does not allow the user to control what Firefox is doing, which is the root issue of the original bug.
If the intention of this bug has changed to the description of comment 11, then this bug is now a duplicate of bug 59637.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard