Closed
Bug 340551
Opened 19 years ago
Closed 9 years ago
Make OCSP status discoverable
Categories
(Core Graveyard :: Security: UI, enhancement, P2)
Core Graveyard
Security: UI
Tracking
(Not tracked)
RESOLVED
WONTFIX
mozilla2.0
People
(Reporter: bob.lord, Unassigned)
References
Details
(Whiteboard: [kerh-eha])
Today, I cannot see if the client has checked the OCSP status of a server or not. I would like to be able to see that information.
One possible place to put it is on the Certificate Viewer on the General tab.
A better place is probably on the Page Info page, under the Security tab. That's where we show the cipher chosen.
|
||
Updated•19 years ago
|
Severity: normal → enhancement
Priority: -- → P2
Whiteboard: [kerh-eha]
Target Milestone: --- → mozilla1.9alpha
|
|
||
Updated•19 years ago
|
Target Milestone: mozilla1.9alpha → mozilla1.9beta
Today, the client performs OCSP checks when viewing a certificate. If the OCSP check completes successfully, the top of the Certificate Viewer will say "This certificate has been verified for the following uses:". If it does not complete successfully, it says that it can not verify the certificate.
This UI fails the discoverability test. If you show this window to people and ask "Was an OCSP verification check made?", they will not be able to tell.
We should be explicit in showing the OCSP check. Was one done? If so, did it succeed? If it failed, why? Network problems? Unknown certificate? Certificate revoked?
Summary: OCSP status should be shown in UI → Make OCSP status discoverable
Proposal for the Certificate Viewer:
1. Don't modify the text at the top of the General tab based on OCSP status. Instead, it should always say "This certificate can be used for the following purposes".
2. Add a new section at the bottom (below Fingerprints) which reads:
/OCSP Validation/
This certificate was validated by ocsp.example.com at 01/05/2005 05:24:36 GMT
Question: is there any more information which we should expose to users/admins who may be trying to understand why a connection did/didn't work? We don't want to overload the UI with noise, but there might be 1 or 2 other pieces of information that might be helpful.
Proposal for the Page Info tab:
/Web Site Verification/
The web site bugzilla.mozilla.org was issued by XYZ, Inc., a certification authority (CA) you trust for this purpose.
Ths web site was listed as "Valid" at 01/05/2005 05:24:36 GMT by athe OCSP server ocsp.example.com.
((View)) View the security certificate for bugzilla.mozilla.org.
Security Connection details:
Protocol: TLS 1.0
Encryption cipher: AES (256-bit key) /High-grade security/
Key agreement: RSA 1024-bit public key
Hash: SHA-256
Client certificate sent to server: "Joe Jame's XYZ certificate"
|
||
Comment 5•18 years ago
|
||
As far as I can tell, this should be in Firefox > "somewhere" (I think there's a page info component?).
Additionally, you should ask for ui-review for any changes like the ones you're proposing.
Finally, I personally think the UI you propose is horrible technobabble (what's OCSP? What's an OCSP server? What values could it return for websites, apart from "Valid"? What does having it return "Valid" even mean?) for most users. Sure, people who actually know a lot about encryption will find it useful, but most people don't fall in that category. Even though I personally have some knowledge about RSA and other encryption systems, I have no idea what "OCSP" stands for, what it does, and what value it has for me as a user. I definitely prefer the current UI from that perspective.
And as an addendum, I think the page info dialogs have been revamped on trunk recently. Does the UI you describe still exist?
|
||
Comment 7•18 years ago
|
||
This is an interesting debate. I'm one of those "dumb users" out here in cyberspace. I had no idea what OCSP meant until Firefox (well, it was Mozilla at the time) generated an error with that meaningless (to me) string of letters in it 3 or 4 years ago. It happened when I tried to access a secure web site. There was some traffic here on Bugzilla about it at the time & evidently some Mozilla bug was corrected in short order. Since then, I haven't thought about the issue.
Until yesterday. Suddenly, I started getting this utterly uninformative error message out of Firefox when I tried to go to my bank's web site. The login page wouldn't even display so I didn't even get to the point of entering my user ID & password. This error had never appeared before, meaning the day before & for at least 2 years prior. What was the error, you ask? I don't remember. I can tell you it did not have an error number of any kind in it. It also did not have the URL of an OCSP server (is that correct terminology?) in it. It said something about OCSP validation had not been approved by the server, or words to that effect. I'm just a plain old user. I had no idea what Firefox was trying to tell me it didn't like, nor could I tell what I should do about it. In desperation, I went to the same site via IE & it worked fine, although I had no control over the fact that the font used was about 2 point size & I couldn't read the site without holding a magnifying glass up to my monitor. And there's no way to control the font size in that other browser. I already have it set to largest font, which appears to be the only relevant setting. But I digress; I didn't come here to trash the competition.
So I thought maybe there's a bug in Firefox & I came here to find out. I read a couple dozen reports here on the subject of OCSP -- gaining no more insight into what it's for -- and couldn't find anything that looked like it matched my symptoms or even suggested there was a hard, wide-spread bug. But something must have sunk in because I got the idea I should disable OCSP & see what happens. I thought I would cause problems because I've been under the impression that OCSP is something some/many/all secure web sites use.
After hunting high & low I finally found a place where I could turn OCSP off. And poof magic Firefox now likes my bank web site again.
Do I know why that made any difference? Do I know why it was turned on in the first place? Are you kidding? I'm just a dumb user.
But this does raise an important UI issue. If Firefox is going to be putting out error messages on a subject no ordinary user even knows is a subject, those messages had better contain enough information for you smart guys to diagnose something. Which this message decidedly did not. Further, it appears that OCSP is not needed by my bank's web site, nor my credit card's, nor 3 or 4 other secure web sites I've just visited to see if there would be any impact there from disabling OCSP. Apparently, my bank must have changed something that suddenly made it incompatible with the use of OCSP & Firefox didn't adapt. If that's the case, why is it ever needed? What's it for? No no. I'm not asking to have you answer it here. I'm asking to make you think about it, you who know what it's for & when it should & should not be enabled. You need to think about it & write it up in the online help. The couple of sentences in the existing help text doesn't really help me decide when I need to enable it or even if. All it says now is, "You will most likely only need to change this if your Internet environment requires it." Despite its inclusion in the help, this isn't helpful. You guys need to add text here that explains at least a couple of possible scenarios in which I might need to enable it.
Further, Firefox needs to be a little more adaptable. Something that's always worked shouldn't suddenly stop working because of some esoteric subject no ordinary mortal even knows exists. Firefox should just handle the situation, just as IE apparently did. Maybe if Firefox worked as I suggest, you wouldn't need to explain OCSP any further in the help. In fact, you might even be able to remove the settings related to OCSP. Make it all automatic, hide it under the hood, and nobody outside of you guys will need to even know it's a subject.
|
|
||
Comment 8•17 years ago
|
||
Going through my list of pending items, found this one, adding Johnathan to CC list. Not sure if we have sufficient backend support already.
Component: Security: PSM → Security: UI
QA Contact: ckannan → ui
|
|
||
Updated•17 years ago
|
Target Milestone: mozilla1.9alpha8 → mozilla2.0
|
||
Comment 9•17 years ago
|
||
My thoughts:
- I think we can talk about this in a way that is accessible to users (language like "Confirmed valid less than 1 minute ago")
- I certainly think we can put it in the general tab of the cert viewer, and maybe this bug should at least get that done (since it may require backend changes anyhow, as Kai suggests). At that point, the question of whether to "promote" that PSM information into Firefox's UI (or Seamonkey's, or Flock's) is something that we can raise against individual products.
- My personal feeling on that question (for Firefox) is that it might have more of a place in Page Info (or even Larry) as a strictly negative signal: "This site did not respond to validity checks" or words to that effect.
This is not going to make Firefox 3, but I don't think that's a surprise to anyone. :) Now that we're checking OCSP by default though, this really does make sense to include *somewhere*.
|
|
||
Updated•17 years ago
|
OS: Linux → All
Hardware: PC → All
|
||
Comment 11•9 years ago
|
||
There's sites that will display this information for those curious (e.g. https://certificate.revocationcheck.com/ ). I don't think this is something for Firefox to expose. If the connection succeeded, the user should be confident that the browser trusts the certificate. If not, our messaging should indicate what the issue is.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
|
Assignee | |
Updated•9 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•