Closed
Bug 470240
Opened 16 years ago
Closed 15 years ago
unrecognized certificate should highlight the case when there's no chain provided
Categories
(Core Graveyard :: Security: UI, enhancement)
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla1.9.3a1
People
(Reporter: timeless, Assigned: timeless)
Attachments
(1 file)
2.08 KB, patch | KaiE: review+
http://defect.opensolaris.org/bz/attachment.cgi?id=1178 is pretty, but unfortunately even knowing what to look for, it doesn't really help much.

steps:
1. open certificate database
2. scroll to VeriSign, Inc.
3. delete Sun Microsystems Inc SSL CA
4. visit https://pkg.sun.com

expected results:
security warning page that specifically highlights:
* this server provided a certificate without a certificate chain. This could be because someone is trying to impersonate the server, or it could be because it was misconfigured.

actual results: (varies by version)
http://defect.opensolaris.org/bz/attachment.cgi?id=1178

---
In either case it isn't trustworthy, however if it's a misconfiguration, then browsing to a related trusted site could cause the site to be fixed. I don't know how to explain that, and I'm fine with the help text including a link for a faq item. It shouldn't be hard to specifically detect this case and provide a distinct error note for it.
Comment 1•16 years ago
Even if it's only visible in the technical details section of the error pages (at least, for firefox) this sounds like a good thing for debugging. We'd need to be able to tell the difference between "served an incomplete chain" and "served a chain to an untrusted root", but really, it would probably help a significant percentage of these cases to just distinguish the case of "served no chain, just the end entity cert, which doesn't chain to a trusted root, but isn't self-signed" -- that's the common case for people who just set up their servers wrong. I think it's less common to serve a chain which is only missing link N-1 or something. Would you agree?
Status: UNCONFIRMED → NEW
Ever confirmed: true
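The cases Comment 1 separates can be told apart from the shape of what the server sent. The sketch below is an added example, not code from the attached patch or from NSS/PSM; `Cert`, `ChainCase`, `classifyServedChain` and `trustedIssuers` are hypothetical names, and matching is by subject/issuer name only.

```cpp
#include <cstddef>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Names-only model of a certificate (assumption: no signature, date or
// constraint checks; only the shape of the served chain is examined).
struct Cert { std::string subject, issuer; };

enum class ChainCase {
    TrustedChain,     // a served cert was issued by a locally trusted CA
    SelfSigned,       // lone end-entity cert with subject == issuer
    NoChainServed,    // lone end-entity cert, not self-signed, issuer unknown
    IncompleteChain,  // extra certs were served, but the next link is missing
    UntrustedRoot     // served chain ends in a self-signed root we do not trust
};

// served[0] is the end-entity cert; the rest is whatever else the server sent.
// trustedIssuers holds subject names of CA certs trusted in the local store.
ChainCase classifyServedChain(const std::vector<Cert>& served,
                              const std::set<std::string>& trustedIssuers) {
    if (served.empty()) throw std::invalid_argument("no certificate served");
    const Cert* cur = &served[0];
    // At most served.size() hops, so a looping chain cannot spin forever.
    for (std::size_t hop = 0; hop < served.size(); ++hop) {
        if (trustedIssuers.count(cur->issuer)) return ChainCase::TrustedChain;
        if (cur->subject == cur->issuer)
            return served.size() == 1 ? ChainCase::SelfSigned
                                      : ChainCase::UntrustedRoot;
        const Cert* next = nullptr;
        for (const Cert& c : served)
            if (c.subject == cur->issuer) { next = &c; break; }
        if (!next) break;  // issuer was not sent and is not trusted locally
        cur = next;
    }
    return served.size() == 1 ? ChainCase::NoChainServed
                              : ChainCase::IncompleteChain;
}
```

By names alone, a chain whose untrusted root was not sent looks the same as an incomplete chain, so `UntrustedRoot` is reported only when the self-signed root is among the served certificates.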
Comment 2•16 years ago
According to the information I have, about one sixth of all legitimate certificates which involve intermediate CAs are lacking the complete chain. On the other hand, libpkix has the functionality to fetch the missing certs and is a matter of enabling in the future releases (and a matter of policy) to all of my knowledge. I'm certain Nelson can provide more information.
Comment 3•16 years ago
The displayed error message plainly says "the issuer certificate is unknown". This is a cert that chains to an issuer CA for which we have no cert. There are other error messages for other problems, such as lack of trust. The error messages are already distinct.
I'm looking for nss/psm to provide a distinction between a certificate and a certificate with a provided chain. We already special-case Self Signed.
Note that atm xpcom's nsArray contract is broken (it needs to be fixed regardless, as the code is reachable today).
Attachment #354575 -
Flags: review? → review?(kaie)
Comment 6•15 years ago
Comment on attachment 354575: proposal

I like it. r=kaie

Even though the detailed error message is nowadays hidden behind the more generic text, it can still be found in "technical details" and is helpful.

I tested the patch with https://kuix.de:9445/
Attachment #354575 -
Flags: review?(kaie) → review+
Updated•15 years ago
Keywords: checkin-needed
Comment 7•15 years ago
http://hg.mozilla.org/mozilla-central/rev/5363c711900c
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Updated•8 years ago
Product: Core → Core Graveyard