Closed Bug 431845 Opened 16 years ago Closed 5 years ago

Improve error message for revoked certs

Categories

(Firefox :: Security, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1486551

People

(Reporter: johnath, Assigned: johnath)

Details

Attachments

(3 files)

A cert revocation is just about the most critical error we can encounter when establishing a TLS/SSL connection, but the current message ("Peer's Certificate has been revoked") is not as clear and comprehensible as our errors for less severe certificate errors (the ones for which we allow overrides). The confusion this engenders sometimes makes people suspect Firefox is to blame, particularly since other browsers, which may not perform, e.g., OCSP checking, seem to have no problem with the site. We should help users (and web admins) understand the parties involved here, so that they can more accurately assess their options.

Ideas include:

- Short, technically correct but more clear where the blame lies: "This site's certificate has been revoked by its issuer."
- Slightly longer: "This site's certificate has been revoked by its issuer either by request of the site owner or because it was issued in error."
- Scarier: "This site's certificate has been revoked by its issuer. A revoked certificate may mean that the security of the site has been compromised, or that the certificate was issued in error."

My preference of those 3 is the second one; informative without accusing, and makes it clear why we don't allow an exception to be added. I think we should avoid words like "Peer" with specific, technical and possibly non-obvious meanings.

Obviously this cannot land for Firefox 3 because it involves l10n changes and we are past string freeze.
I *think* the string being displayed is this one: http://mxr.mozilla.org/mozilla/source/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties#119

I'd be happy to attach a patch with the change on that assumption, but:

a) I worry that the use of "peer" here is due to the string being used in many contexts, for some of which "this site" may not be an appropriate substitute.

b) I am confused as to why we're displaying SEC_ERROR_REVOKED_CERTIFICATE in this case at all. The page I'm testing with is revoked via OCSP, so I would have naively expected to see SEC_ERROR_REVOKED_CERTIFICATE_OCSP.

c) The strings here look deliberately short - probably because they're going to be displayed in a lot of different places, where wordiness might be at a premium. Is that a correct assumption?
I think this is more of a front-end decision (for instance, we may want to make the whole about:certerror page more alarming for revoked certificates).
Component: Security: PSM → Security
Product: Core → Firefox

Hitting the problem yesterday, I found out that in Firefox 68.2 there is still no way to view the expired certificate (which is completely unacceptable IMHO).

The security details popup does not allow to display the certificate.

How is the user expected to view/examine the certificate in question?

Duping forward to bug 1486551

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE