Open
Bug 399910
Opened 17 years ago
Updated 2 years ago
bad cert error page should be more dire when exception already exists
Categories
(Firefox :: Security, enhancement, P3)
Tracking
()
NEW
People
(Reporter: nelson, Unassigned)
References
(Blocks 1 open bug)
Details
When a user visits an https site, and gets an invalid cert, and an exception
for this site already exists, but the cert now being served by the server
does not match the cert that is already captured in the exception, the error
page shown to the user should be more dire than the usual invalid cert page.
It should NOT appear to the user to be just another case of encountering a
cert that cannot be validated, but should call attention to the fact that
it is not the cert that the user himself has previously accepted.
This is a fundamental tenet of KCM. In KCM, the most egregious form of
error, and the error most worthy of complaining to the user, is that the site
is now apparently serving a different public key (different cert in https)
than before.
Updated•17 years ago
Flags: blocking1.9?
Updated•17 years ago
Flags: blocking1.9? → blocking1.9+
Updated•17 years ago
Priority: -- → P4
Comment 1•17 years ago
Should this bug be driven by browser UI developers?
nsICertOverrideService::getValidityOverride could be used to distinguish the reported error from the stored override.
Or should the PSM backend produce a different error message?
Updated•17 years ago
Priority: P4 → P5
Comment 3•17 years ago
I guess this bug asks for a better display in the error page, bug 399914 asks for a better feedback in the add-exception dialog.
I think it makes sense to combine both bugs, and whenever we work on a fix, both places must be updated.
Reporter
Comment 4•17 years ago
Yeah, the difference between these two bugs is the dialog/page in which
they happen, and the products in which they happen.
This bug applies only to the browser.
Bug 399914 also applies to Thunderbird.
Comment 5•17 years ago
(In reply to comment #4)
> This bug applies only to the browser.
Not strictly.
The error page contains a string which is the "meat" of the error page, and this meat will be shown in any products where it's not possible to show the error as a page. In those products it will be shown as an error dialog.
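The distinction the description asks for, sketched as an added example that is not part of the bug report and is not Firefox or PSM code: a cert that fails validation is classified three ways, and the case where a stored exception exists but the served cert differs is reported separately. The `OverrideStore` class, its state names, the host:port keying and the sample cert bytes are all assumptions made for illustration.

```javascript
// Added illustration (not Firefox/PSM code): key-continuity check for stored
// certificate exceptions. All names here are hypothetical.
const nodeCrypto = require("crypto");

// SHA-256 fingerprint of a certificate's DER bytes, as lowercase hex.
function fingerprint(der) {
  return nodeCrypto.createHash("sha256").update(der).digest("hex");
}

class OverrideStore {
  constructor() {
    this.byHostPort = new Map(); // "host:port" -> fingerprint the user accepted
  }
  key(host, port) {
    return `${host.toLowerCase()}:${port}`;
  }
  // Record the cert the user accepted when adding an exception.
  remember(host, port, der) {
    this.byHostPort.set(this.key(host, port), fingerprint(der));
  }
  // Classify a cert that has already failed normal validation.
  classify(host, port, presentedDer) {
    const stored = this.byHostPort.get(this.key(host, port));
    if (stored === undefined) return "UNTRUSTED_NO_EXCEPTION"; // usual error page
    return stored === fingerprint(presentedDer)
      ? "EXCEPTION_MATCHES"        // same cert the user accepted earlier
      : "EXCEPTION_CERT_CHANGED";  // different cert than before: the dire case
  }
}

// Constructed sample bytes standing in for DER-encoded certificates.
const acceptedCert = Buffer.from("constructed-cert-A");
const changedCert = Buffer.from("constructed-cert-B");

function demo() {
  const store = new OverrideStore();
  store.remember("Example.test", 443, acceptedCert);
  return {
    first: store.classify("other.test", 443, changedCert),
    same: store.classify("example.test", 443, acceptedCert),
    changed: store.classify("example.test", 443, changedCert),
  };
}

console.log(demo());
```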
Updated•9 years ago
Whiteboard: [psm-backlog]
Updated•8 years ago
Priority: P5 → P3
Updated•5 years ago
No longer blocks: KCM
Component: Security: PSM → Security
Flags: wanted-next+
Priority: P3 → --
Product: Core → Firefox
Whiteboard: [psm-backlog]
Updated•5 years ago
Blocks: better-cert-errors
Priority: -- → P3
Updated•2 years ago
Severity: normal → S3