unrecognized certificate should highlight the case when there's no chain provided

RESOLVED FIXED in mozilla1.9.3a1

Status: RESOLVED FIXED (enhancement)
Product / Component: Core Graveyard / Security: UI
Reported: 10 years ago; Last modified: 2 years ago
Reporter: timeless; Assignee: timeless
Tracking: Trunk, target milestone mozilla1.9.3a1
Firefox Tracking Flags: not tracked
Attachments: 1

Description (Assignee, 10 years ago)
http://defect.opensolaris.org/bz/attachment.cgi?id=1178 is pretty, but unfortunately even knowing what to look for, it doesn't really help much.

steps:
1. open certificate database
2. scroll to VeriSign, Inc.
3. delete Sun Microsystems Inc SSL CA
4. visit https://pkg.sun.com

expected results:
security warning page that specifically highlights:

* this server provided a certificate without a certificate chain. This could be because someone is trying to impersonate the server, or it could be because it was misconfigured.

actual results:
(varies by version)
http://defect.opensolaris.org/bz/attachment.cgi?id=1178 
---
In either case it isn't trustworthy, however if it's a misconfiguration, then browsing to a related trusted site could cause the site to be fixed. I don't know how to explain that, and I'm fine with the help text including a link for a faq item.

It shouldn't be hard to specifically detect this case and provide a distinct error note for it.
Even if it's only visible in the technical details section of the error pages (at least, for firefox) this sounds like a good thing for debugging.

We'd need to be able to tell the difference between "served an incomplete chain" and "served a chain to an untrusted root", but really, it would probably help a significant percentage of these cases to just distinguish the case of "served no chain, just the end entity cert, which doesn't chain to a trusted root, but isn't self-signed" -- that's the common case for people who just set up their servers wrong. I think it's less common to serve a chain which is only missing link N-1 or something.

Would you agree?
Status: UNCONFIRMED → NEW
Ever confirmed: true
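The distinction this comment asks for (nothing but the end-entity cert served, versus a chain that stops short of a trusted root, versus a chain with a missing link, versus a self-signed cert), as an added Python illustration that is not part of the bug, its patch, or NSS/PSM. Certificates are reduced to subject and issuer names, the trust store is a constructed set of root names, and the sample certificates and message strings are constructed for the example; a real verifier also checks signatures, validity periods, key usage and revocation.

```python
"""Classify the certificate set a TLS server presented, by name linkage only.

Added illustration for this bug thread; it is not NSS/PSM code. A Cert is
reduced to its subject and issuer names, and "trusted" means the name is in
a constructed local root store. A real verifier must also check signatures,
validity periods, key usage and revocation; this toy only shows how the
error categories discussed in the thread differ from one another.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample data modelled on the report: a leaf issued by an
# intermediate CA that in turn chains to a trusted root.
VERISIGN_ROOT = Cert("VeriSign Class 3 Public Primary CA",
                     "VeriSign Class 3 Public Primary CA")
SUN_CA = Cert("Sun Microsystems Inc SSL CA", VERISIGN_ROOT.subject)
LEAF = Cert("pkg.sun.com", SUN_CA.subject)
SELF_SIGNED_LEAF = Cert("localhost", "localhost")
PRIVATE_ROOT = Cert("Example Private Root CA", "Example Private Root CA")
PRIVATE_LEAF = Cert("intranet.example", PRIVATE_ROOT.subject)
TRUSTED_ROOTS = {VERISIGN_ROOT.subject}

# Hypothetical message strings, in the spirit of the text the bug asks for.
MESSAGES = {
    "trusted": "certificate chains to a trusted root",
    "self-signed": "the certificate is self-signed",
    "no-chain-provided": ("this server provided a certificate without a "
                          "certificate chain; it may be misconfigured, or "
                          "someone may be trying to impersonate the server"),
    "incomplete-chain": "the server sent a chain whose top issuer is unknown",
    "broken-chain": "the server sent a chain with a missing link",
    "untrusted-root": "the chain ends in a root that is not trusted",
    "no-certificate": "the server sent no certificate",
}


def classify_chain(presented: List[Cert], trusted_roots: Set[str]) -> str:
    """Return one of the MESSAGES keys for the certificates a server sent.

    presented[0] is the end-entity cert; later entries are the chain the
    server chose to send, leaf first.
    """
    if not presented:
        return "no-certificate"
    leaf = presented[0]
    if leaf.is_self_signed():
        # A self-signed cert is only acceptable if it is itself a trusted root.
        return "trusted" if leaf.subject in trusted_roots else "self-signed"

    # Walk up the presented chain; each cert must be issued by the next one.
    top = leaf
    for nxt in presented[1:]:
        if nxt.subject != top.issuer:
            return "broken-chain"      # link N-1 is missing from what was sent
        top = nxt

    # The top of what was sent must be a trusted root or be issued by one.
    if top.subject in trusted_roots or top.issuer in trusted_roots:
        return "trusted"
    if len(presented) == 1:
        # The common misconfiguration: only the end-entity cert was served,
        # it is not self-signed, and its issuer is unknown locally.
        return "no-chain-provided"
    if top.is_self_signed():
        return "untrusted-root"
    return "incomplete-chain"


def explain(presented: List[Cert], trusted_roots: Set[str]) -> str:
    """Human-readable verdict for a presented chain."""
    return MESSAGES[classify_chain(presented, trusted_roots)]


if __name__ == "__main__":
    cases = [("leaf only", [LEAF]),
             ("leaf + intermediate", [LEAF, SUN_CA]),
             ("leaf + root, intermediate skipped", [LEAF, VERISIGN_ROOT]),
             ("self-signed", [SELF_SIGNED_LEAF]),
             ("private CA", [PRIVATE_LEAF, PRIVATE_ROOT])]
    for label, chain in cases:
        print(f"{label:35s} -> {explain(chain, TRUSTED_ROOTS)}")
```

The "leaf only" case is the one the reporter hit after deleting the Sun intermediate from the local database: the leaf is not self-signed and its issuer is unknown, so the verdict is "no-chain-provided" rather than a generic "issuer unknown". Passing an empty trust store for the "leaf + intermediate" case shows the separate "incomplete-chain" verdict for a chain whose top issuer is not known.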

Comment 2 (10 years ago)
According to the information I have, about one sixth of all legitimate certificates which involves intermediate CAs are lacking the complete chain. On the other hand, libpkix has the functionality to fetch the missing certs and is a matter of enabling in the future releases (and a matter of policy) to all of my knowledge. I'm certain Nelson can provide more information.
The displayed error message plainly says "the issuer certificate is unknown".
This is a cert that chains to an issuer CA for which we have no cert.

There are other error messages for other problems, such as lack of trust.
The error messages are already distinct.
Comment 4 (Assignee, 10 years ago)
I'm looking for nss/psm to provide a distinction between a certificate and a certificate with a provided chain.

we already special case Self Signed
Comment 5 (Assignee, 10 years ago)
Created attachment 354575 [details] [diff] [review]
proposal

note that atm xpcom's nsArray contract is broken (it needs to be fixed regardless as the code is reachable today).
Assignee: kaie → timeless
Status: NEW → ASSIGNED
Attachment #354575 - Flags: review?
Updated (Assignee, 10 years ago): Depends on: 471296

Updated (9 years ago): Depends on: 482660

Updated (Assignee, 9 years ago): Attachment #354575 - Flags: review? → review?(kaie)

Comment 6 (9 years ago)
Comment on attachment 354575 [details] [diff] [review]
proposal

I like it.
r=kaie

Even though the detailed error message is nowadays hidden behind the more generic text, it can still be found in "technical details" and is helpful.

I tested the patch with https://kuix.de:9445/
Attachment #354575 - Flags: review?(kaie) → review+

Updated (9 years ago): Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/5363c711900c
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Product: Core → Core Graveyard