CA for certified sites should be green

RESOLVED INVALID

Status

()

Firefox
Security
--
major
RESOLVED INVALID
9 years ago
9 years ago

People

(Reporter: tchung, Unassigned)

Tracking

Trunk
ARM
Windows CE
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nv], URL)

(Reporter)

Description

9 years ago
For certified sites, the favicon should be green on Tegra devices.  Instead its Blue.  
- https://www.paypal.com
- https://www.jal.com
- https://www.britishairways.com/travel/globalgateway.jsp/global/public/en_

STR:
1) load Tegra device, Firefox build: Mozilla/5.0 (Windows; U; WindowsCE 6.0;
en-US; rv:1.9.2a1pre) Gecko/20090727 Firefox/3.6a1pre
2) Visit any certified safe site (see urls above)
3) After page loads, verify the favicon is blue.  

Expected Results;
- Certified sites Should be green
(Reporter)

Updated

9 years ago
Whiteboard: [nv]
It's green for me... Gecko/20090727 Minefield/3.6a1pre
Also WFM.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 3

9 years ago
I got this to repro just now, on a new device, fresh out of the box, with the Gecko/20090727 Minefield/3.6a1pre build installed.   Zpao saw it with his own eyes so i'm not going color blind.  

STR: 
1) open firefox
2) load bugzilla.mozilla.org.  Favicon goes blue
3) Open new tab, goto www.paypal.com
4) favicon says "paypal.com" and is blue
- when viewing the certificate > Issuer, it displays:

CN = VeriSign Class 3 Extended Validation SSL CA
OU = Terms of use at https://www.verisign.com/rpa (c)06
OU = VeriSign Trust Network
O = "VeriSign, Inc."
C = US


Expected:
- Paypal site should be green and display as "Paypal, Inc (US)"
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Is this reliably reproducible for you? Does just opening the browser and going directly there (or other variations on the STR) also fail?

Comment 5

9 years ago
Watch the OCSP and/or CRL verification.
(In reply to comment #6)
> Is the clock set correctly?

I don't think it was. Tony said it was a fresh OS install and I noticed the time wasn't right - entirely likely that the date was incorrect as well.

Comment 8

9 years ago
Wrong time should have resulted in an error as the certificate wouldn't have been valid at all. It appears that this has not been the case, but the blue indicator appeared instead of the green one. I suspect there was a problem checking the revocation status of the certificate for whatever reason. It could be a bug, but also a network problem.
(Reporter)

Comment 9

9 years ago
(In reply to comment #8)
> Wrong time should have resulted in an error as the certificate wouldn't have
> been valid at all. It appears that this has not been the case, but the blue
> indicator appeared instead of the green one. I suspect there was a problem
> checking the revocation status of the certificate for whatever reason. It could
> be a bug, but also a network problem.

Good question.  It was out of box, so this is something i will look at and adjust if it wasnt set right.
(Reporter)

Comment 10

9 years ago
Okay this was indeed the system clock.   The system was set to 5/1/2009 and showing blue Site identifier.   Setting the clock to today's date (7/30/2009), and refreshing the site, came up Green.  Setting it back to 5/2009, understandingly became blue again.

Marking bug invalid.  Thanks to aaronmt for the investigation.
Status: REOPENED → RESOLVED
Last Resolved: 9 years ago9 years ago
Resolution: --- → INVALID
(In reply to comment #10)
> Okay this was indeed the system clock.   The system was set to 5/1/2009 and
> showing blue Site identifier.   Setting the clock to today's date (7/30/2009),
> and refreshing the site, came up Green.  Setting it back to 5/2009,
> understandingly became blue again.
> 
> Marking bug invalid.  Thanks to aaronmt for the investigation.

FWIW, I didn't reload the site but rather a complete shutdown.
(In reply to comment #8)
> Wrong time should have resulted in an error as the certificate wouldn't have
> been valid at all. It appears that this has not been the case, but the blue
> indicator appeared instead of the green one. I suspect there was a problem
> checking the revocation status of the certificate for whatever reason. It could
> be a bug, but also a network problem.

If the time was off by more than the validity window of an OCSP response, but less than the validity window of the cert itself (e.g. last month), you'd see this behaviour. The cert would pass basic checks, but would not be considered to have a "valid" OCSP response, and hence get only DV-blue, not EV-green treatment.

(I know the bug is resolved, this is just here in case people have lingering questions about why this happened, or see it again in the future)
(Reporter)

Comment 13

9 years ago
(In reply to comment #12)
> (I know the bug is resolved, this is just here in case people have lingering
> questions about why this happened, or see it again in the future)

Yep, i've been working with ashughes and it has helped us tremendously to see your explanation on how this all works.  We'll be devising some litmus test cases on testing scenarios on the corrected behavior for OCSP responses.   Thanks for clarifying!
You need to log in before you can comment on or make changes to this bug.