Closed Bug 506824 Opened 16 years ago Closed 16 years ago

CA for certified sites should be green

Categories

(Firefox :: Security, defect)

ARM
Windows CE
defect
Not set
major

Tracking

()

RESOLVED INVALID

People

(Reporter: tchung, Unassigned)

References

()

Details

(Whiteboard: [nv])

For certified sites, the favicon should be green on Tegra devices. Instead its Blue. - https://www.paypal.com - https://www.jal.com - https://www.britishairways.com/travel/globalgateway.jsp/global/public/en_ STR: 1) load Tegra device, Firefox build: Mozilla/5.0 (Windows; U; WindowsCE 6.0; en-US; rv:1.9.2a1pre) Gecko/20090727 Firefox/3.6a1pre 2) Visit any certified safe site (see urls above) 3) After page loads, verify the favicon is blue. Expected Results; - Certified sites Should be green
Whiteboard: [nv]
It's green for me... Gecko/20090727 Minefield/3.6a1pre
Also WFM.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
I got this to repro just now, on a new device, fresh out of the box, with the Gecko/20090727 Minefield/3.6a1pre build installed. Zpao saw it with his own eyes so i'm not going color blind. STR: 1) open firefox 2) load bugzilla.mozilla.org. Favicon goes blue 3) Open new tab, goto www.paypal.com 4) favicon says "paypal.com" and is blue - when viewing the certificate > Issuer, it displays: CN = VeriSign Class 3 Extended Validation SSL CA OU = Terms of use at https://www.verisign.com/rpa (c)06 OU = VeriSign Trust Network O = "VeriSign, Inc." C = US Expected: - Paypal site should be green and display as "Paypal, Inc (US)"
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Is this reliably reproducible for you? Does just opening the browser and going directly there (or other variations on the STR) also fail?
Watch the OCSP and/or CRL verification.
(In reply to comment #6) > Is the clock set correctly? I don't think it was. Tony said it was a fresh OS install and I noticed the time wasn't right - entirely likely that the date was incorrect as well.
Wrong time should have resulted in an error as the certificate wouldn't have been valid at all. It appears that this has not been the case, but the blue indicator appeared instead of the green one. I suspect there was a problem checking the revocation status of the certificate for whatever reason. It could be a bug, but also a network problem.
(In reply to comment #8) > Wrong time should have resulted in an error as the certificate wouldn't have > been valid at all. It appears that this has not been the case, but the blue > indicator appeared instead of the green one. I suspect there was a problem > checking the revocation status of the certificate for whatever reason. It could > be a bug, but also a network problem. Good question. It was out of box, so this is something i will look at and adjust if it wasnt set right.
Okay this was indeed the system clock. The system was set to 5/1/2009 and showing blue Site identifier. Setting the clock to today's date (7/30/2009), and refreshing the site, came up Green. Setting it back to 5/2009, understandingly became blue again. Marking bug invalid. Thanks to aaronmt for the investigation.
Status: REOPENED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → INVALID
(In reply to comment #10) > Okay this was indeed the system clock. The system was set to 5/1/2009 and > showing blue Site identifier. Setting the clock to today's date (7/30/2009), > and refreshing the site, came up Green. Setting it back to 5/2009, > understandingly became blue again. > > Marking bug invalid. Thanks to aaronmt for the investigation. FWIW, I didn't reload the site but rather a complete shutdown.
(In reply to comment #8) > Wrong time should have resulted in an error as the certificate wouldn't have > been valid at all. It appears that this has not been the case, but the blue > indicator appeared instead of the green one. I suspect there was a problem > checking the revocation status of the certificate for whatever reason. It could > be a bug, but also a network problem. If the time was off by more than the validity window of an OCSP response, but less than the validity window of the cert itself (e.g. last month), you'd see this behaviour. The cert would pass basic checks, but would not be considered to have a "valid" OCSP response, and hence get only DV-blue, not EV-green treatment. (I know the bug is resolved, this is just here in case people have lingering questions about why this happened, or see it again in the future)
(In reply to comment #12) > (I know the bug is resolved, this is just here in case people have lingering > questions about why this happened, or see it again in the future) Yep, i've been working with ashughes and it has helped us tremendously to see your explanation on how this all works. We'll be devising some litmus test cases on testing scenarios on the corrected behavior for OCSP responses. Thanks for clarifying!
You need to log in before you can comment on or make changes to this bug.