Closed Bug 435778 Opened 16 years ago Closed 16 years ago

KB article: sec_error_reused_issuer_and_serial write-up

Categories

(support.mozilla.org :: Knowledge Base Articles, task)

task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: johnath, Assigned: bbayles)

References

()

Details

We're seeing multiple occurrences of a particular problem with bad certificates in Firefox 3, that feels like a good topic for a SUMO article (e.g. bug 435013, bug 312732, bug 410622).

Basically, the problem occurs when a badly designed web interface (Linksys router, apparently also some versions of Zimbra) chooses to regenerate certificates from time to time (after a power outage, say) but re-uses the certificate's serial number.

This throws us into a panic, because we've already remembered a certificate for that site using the security exception mechanism, and now the site is presenting some similar-but-not-the-same certificate, which basically looks exactly like an ettercap attack.

I don't think we have to go through all the technical details, but I would envision something like:

-- BEGIN SAMPLE COPY --
Firefox gives me a security warning that I can't override, when I try to access my home router. (sec_error_reused_issuer_and_serial)

Older routers will sometimes regenerate their security certificates instead of keeping the same one for the life of the device.  If you have added a permanent security exception for your router, and if this regeneration is done improperly, Firefox will detect the change as a possible attack.

The long term solution is to contact your hardware vendor and see if updates are available for your device which fix this problem.  

If you are confident that no attack has occurred and believe your router is affected by this problem, you can work around the problem by deleting your old exception.... (description of deleting perm exception, adding temp exceptions in future).

-- END SAMPLE COPY --

If this is appropriate content, I'm happy to write up complete copy, but this is my first time writing a SUMO article, so go gently.  I'm filing here based on the instructions at http://support.mozilla.com/en-US/kb/Creating+articles

In particular, I'm not sure about an appropriate title.  I suspect people will be searching on the "sec_error_reused_issuer_and_serial" error code, but that might not be very friendly on its own, and I would hope that wiki-title-munging wouldn't hurt it...
Jonathan,

I think the sample content is a good base to start the article. Chris, do you have spare cycles to turn this into an article? Perhaps Jonathan could review it when it's ready to make sure it's what we want?

About the title, how about "Security warning: sec_error_reused_issuer_and_serial"?
Assignee: nobody → bmo2008
I expanded on Jonathan's article at the address in the URL.

Comments:
(1) I went with the sort of friendly name "Certificate contains the same serial number as another certificate." This avoids having punctuation in the URL. The page contains mentions of the whole error message and error code, so I would hope it can be found by searching.
(2) Do we really only want to recommend temporary exceptions? It's a lot of hoops to jump through to access a router page. Should we say "Permanently store it until it happens again, and then do all this again"? I turned on HTTPS on my router, added a permanent exception, and then revisited a couple times without encountering this error. I don't know how to make it trigger a certificate regeneration, but does it really happen that often?

If (1) and (2) are OK, please mark this "FIXED" and review.

If (1) is not OK, but (2) is, please rename the article, update the URL in this bug, mark this "FIXED" and review.

If (2) is not OK, let me know, and I'll fix the screenshot and change the instructions.
Status: NEW → ASSIGNED
This looks great, thanks for working on it.  Comments below.

(In reply to comment #2)

> (2) Do we really only want to recommend temporary exceptions? It's a lot of
> hoops to jump through to access a router page. Should we say "Permanently store
> it until it happens again, and then do all this again"? I turned on HTTPS on my
> router, added a permanent exception, and then revisited a couple times without
> encountering this error. I don't know how to make it trigger a certificate
> regeneration, but does it really happen that often?

Well, it either never happens or always happens, that's the problem.  You shouldn't ever encounter this error, since you have added the exception and (presumably) your router is well-behaved.  But for the particular models where this is an issue, the cert will get regenerated every power-cycle, or maybe even just at regular intervals.  For those people, permanent is worse than temporary, since a temporary exception will be forgotten, causing the next visit to be a new interaction with an "add exception" button available.  A permanent exception, because it's remembered, will cause us to notice the serial number re-use, and we can't add an exception, because we already have one.

If you want to include both options, that would be fine with me really, it would give people the choice to decide whether the convenience of remembering the cert is worth the hassle of having to manually delete it.  But I'm also fine to just deal with temp certs.  On that basis, I'm marking it FIXED per your request (1 and 2 are OK).

Wording edit:

> #  Click on the item that corresponds to the site with that generates the error and press Delete.... 

"the site with that generates" should probably be "the site that generates"
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
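Added example (not from this bug, the KB article, or Mozilla's code) modelling the mechanism Jonathan describes in the description and again in comment #3: a permanent exception is remembered by issuer name and serial number, so a regenerated certificate that reuses the serial but carries a new key collides with the stored one and is reported as sec_error_reused_issuer_and_serial, while a temporary exception stores nothing and the next session simply offers the Add Exception button again. The router name, serial and verdict strings are constructed sample values, and the store keyed on issuer+serial with a SHA-256 fingerprint is an assumption about how the remembered exception behaves, not Firefox's actual storage format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// regeneratedRouterCert (constructed sample) returns a self-signed cert with a fixed
// issuer and serial but a fresh key per call, like a router that regenerates its cert.
func regeneratedRouterCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // the reused serial (sample value)
		Subject:      pkix.Name{CommonName: "router.local"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ExceptionStore models remembered (permanent) exceptions: issuer name plus serial maps
// to the accepted cert's fingerprint. A temporary exception is never written here.
type ExceptionStore map[string][32]byte
func keyOf(c *x509.Certificate) string { return c.Issuer.String() + "|" + c.SerialNumber.String() }
func (s ExceptionStore) Remember(c *x509.Certificate) { s[keyOf(c)] = sha256.Sum256(c.Raw) }

// Check returns "new" (nothing remembered), "ok" (the remembered cert again), or the
// error code when issuer+serial match a stored exception but the certificate differs.
func (s ExceptionStore) Check(c *x509.Certificate) string {
	stored, ok := s[keyOf(c)]
	switch {
	case !ok:
		return "new"
	case stored == sha256.Sum256(c.Raw):
		return "ok"
	}
	return "sec_error_reused_issuer_and_serial"
}
```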
My router is one that has problems, but I couldn't make it regenerate (I didn't try very hard, though).

I'm OK with temporary exceptions for the KB; savvy users can probably figure out how to add a permanent exception.

I will move this to the KB in a bit, assuming there are no objections. I will also add a link from the ((Secure Connection Failed)) article.

Once it's moved, further discussion goes on at the staging version:
[http://support.mozilla.com/en-US/kb/*Certificate+contains+the+same+serial+number+as+another+certificate]
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: bmo2008 → bbayles
Status: REOPENED → NEW
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Style reviewed.
Status: RESOLVED → VERIFIED