402846 - Hint user when visiting servers with improperly configured ssl cert chain

Status: NEW

(Firefox :: Security, defect)

Description

[Kai Engert (:KaiE:)]

From bug 399045 comment 25, in my own words:

Sometimes server administrators fail to configure their ssl cert correctly.
They only install their server cert, but they fail to install all the required intermediate certs that are needed to chain up to the trusted roots in browsers.

With bug 399045 we are hiding such errors for many users, because we collect helpful intermediate certs as we go. But some users, or users with fresh profiles, will still fail to connect, which can result in confusing user experience.


Proposal:

- enhance NSS SSL so it can tell the client application
  "this server did not send the required intermediates,
   but the SSL library found them locally, so we can proceed anyway"

- enhance the PSM layer to communicate this status to the application

- enhance the application (Firefox) to notify the user about the
  server problem.

  This could be done using a yellow notification bar like the one you
  get when Firefox blocks installing an extension.


This bug shall discuss whether the feature is a good idea for Firefox at the application level.

If approved, we shall file separate bugs for the required backend work in NSS and PSM.

(We shall also file a separate bug for other apps like SeaMonkey and Thunderbird if that makes sense.)

Comment 1

[Johnathan Nightingale [:johnath]]

This is an interesting idea.  I love the fix in bug 399045 because it just lets us be smarter without the user having to do anything.  On the other hand, if it weren't for the debugging case, I don't think it is useful to tell users who are otherwise successfully connecting to the site about the problem they almost encountered.  

The distinction between this proposed notice and the popup-blocked or extension-blocked notices is that those are things that a user might want to override our decisions about.  They might have gone here deliberately to install the add-on, and while they (hopefully) appreciate our protectiveness in this matter, they feel they can make the decision to trust the code.  Likewise with popup blocking, we'll sometimes block useful popups if they're handled in weird ways, and the user needs to be able to override that.  But this notification doesn't have the same potential for user involvement - we're telling them that everything is fine, but there's nothing they can really do except dismiss it.

I think you're right though, that it will be weird to diagnose a problem that has half of (say) Firefox 3 users loading the page fine because they happened to have stumbled across "GoDaddy Intermediate Cert #27", and the other half hitting an error page because they haven't yet.  I think it's very difficult to put anything into primary user interface that helps with that though.  I think education - a wiki page that talks about this problem and hopefully gets googled for - could work here, since we're targetting site admins, not end users.  I think we could even discuss something in secondary UI (the advanced section of security page info?  Or the cert viewer?)

But my own sense is that this is a hard thing to communicate meaningfully to users, but that even if we do, we should stick to communicating it in the broken case, not in the "broken but we fixed it for you" case.

Comment 2

[Jesse Ruderman]

I don't think this should be an information bar.  An warning in Firefox's error console would be fine.