Closed Bug 470240 Opened 16 years ago Closed 15 years ago

unrecognized certificate should highlight the case when there's no chain provided

Categories

(Core Graveyard :: Security: UI, enhancement)

Product:
Core Graveyard
Component:
Security: UI
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1

People

(Reporter: timeless, Assigned: timeless)

References

(
URL
)

Details

Attachments

(1 file)

proposal
2.08 KB, patch
KaiE
: review+
Details | Diff | Splinter Review 
http://defect.opensolaris.org/bz/attachment.cgi?id=1178 is pretty, but unfortunately even knowing what to look for, it doesn't really help much.

steps:
1. open certificate database
2. scroll to VeriSign, Inc.
3. delete Sun Microsystems Inc SSL CA
4. visit https://pkg.sun.com

expected results:
security warning page that specifically highlights:

* this server provided a certificate without a certificate chain. This could be because someone is trying to impersonate the server, or it could be because it was misconfigured.

actual results:
(varies by version)
http://defect.opensolaris.org/bz/attachment.cgi?id=1178 
---
In either case it isn't trustworthy, however if it's a misconfiguration, then browsing to a related trusted site could cause the site to be fixed. I don't know how to explain that, and I'm fine with the help text including a link for a faq item.

It shouldn't be hard to specifically detect this case and provide a distinct error note for it.
Even if it's only visible in the technical details section of the error pages (at least, for firefox) this sounds like a good thing for debugging.

We'd need to be able to tell the difference between "served an incomplete chain" and "served a chain to an untrusted root", but really, it would probably help a significant percentage of these cases to just distinguish the case of "served no chain, just the end entity cert, which doesn't chain to a trusted root, but isn't self-signed" -- that's the common case for people who just set up their servers wrong.  I think it's less common to serve a chain which is only missing link N-1 or something.

Would you agree?
Status: UNCONFIRMED → NEW
Ever confirmed: true
According to the information I have, about one sixth of all legitimate certificates which involves intermediate CAs are lacking the complete chain. On the other hand, libpkix has the functionality to fetch the missing certs and is a matter of enabling in the future releases (and a matter of policy) to all of my knowledge. I'm certain Nelson can provide more information.
The displayed error message plainly says "the issuer certificate is unknown".
This is a cert that chains to an issuer CA for which we have no cert.

There are other error messages for other problems, such as lack of trust.
The error messages are already distinct.
i'm looking for nss/psm to provide a distinction between a certificate and a certificate with a provided chain.

we already special case Self Signed
URL: https://pkg.sun.comhttps://sial.org/
Attached patch proposalSplinter Review 
note that atm xpcom's nsArray contract is broken (it needs to be fixed regardless as the code is reachable today.
Assignee: kaie → timeless
Status: NEW → ASSIGNED
Attachment #354575 - Flags: review?
Depends on: 471296
Depends on: 482660
Attachment #354575 - Flags: review? → review?(kaie)
Comment on attachment 354575 [details] [diff] [review]
proposal

I like it.
r=kaie

Even though the detailed error message is nowaday hidden behind the more generic text, it can still be found in "technical details" and is helpful.

I tested the patch with https://kuix.de:9445/
Attachment #354575 - Flags: review?(kaie) → review+
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/5363c711900c
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: