Closed Bug 539939 Opened 12 years ago Closed 5 years ago

Security Popup for a certificate warning causes Thunderbird to get stuck in a loop which forces the user to have to kill the OS process

Categories

(Thunderbird :: Security, defect)

x86
macOS
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: kpierno, Unassigned)

References

(Depends on 1 open bug)

Details

Attachments

(5 files, 2 obsolete files)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.17) Gecko/2009122115 Firefox/3.0.17
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.5) Gecko/20091204 Thunderbird/3.0

When you receive a message with secure web content for a server with a certificate issue and click "Show Remote Content" in the message preview, Thunderbird will pop up a security dialog. This dialog will give you 2 options: "View Certificate" and "Cancel". When you click "View Certificate" you can see the details but cannot add an exception for the cert; your only option is to close the cert. Closing the cert will bring you back to the original popup. When you click "Cancel" you become stuck in a loop where Thunderbird keeps launching the popup every time you click "Cancel". The only way to break out of the loop is to kill the process on the OS using "Force Quit". Now every time I select the message in the folder it enters back into the Security Warning loop.

Reproducible: Always

Steps to Reproduce:
1. Send message with embedded web content from a secure server with a certificate issue. (My message was from a server with a certificate that did not include the subdomain but was otherwise valid)
2. Select message in standard tri-pane configuration (folder list, message list, message preview)
3. Click the "Show Remote Content" in the preview pane.
4. Click "View Certificate" button in popup
5. Click "Close" in the certificate popup
6. Click "Cancel" in the current popup
7. Force Quit Thunderbird since you are now stuck in the loop
8. Relaunch Thunderbird
9. Select problem message
10. Attempt to Cancel the popup
Actual Results:  
Once the Security popup activates you are unable to do anything to get out of the loop and are forced to kill the application's OS process.

Expected Results:  
Popup should close after clicking cancel and disable the remote content in the preview pane.

  System Version:	Mac OS X 10.5.8 (9L31a)
  Kernel Version:	Darwin 9.8.0
Attached image Screenshot of offending Certificate (obsolete) —
Screenshot of offending Certificate after clicking on "View Certificate" in the original security popup.
Attached image Screenshot of Security popup (obsolete) —
Screenshot of Security popup after clicking on "Show Remote Content" in the preview pane.
Set version to 3.0 since this is the version that I am using.
Version: unspecified → 3.0
Can you post PNG or JPEG, not TIFF, for the screenshot?

So this could be bug 531549, bug 487498 or bug 362395.
Component: General → Security
QA Contact: general → thunderbird
Here is the screenshot in .png format
Attachment #421825 - Attachment is obsolete: true
PNG replacement for the tiff of the security popup
Attachment #421826 - Attachment is obsolete: true
I believe that this won't happen currently because of bug 739563, but once bug 739563 is fixed, it is likely to start happening again.
Depends on: 739563
I'm seeing a scenario that I think is better to add as a comment here rather than create a new bug report. The specific scenario seen on Thunderbird 12.0 on Windows XP is:

1. Thunderbird is open.
2. Self-signed certificate for my mail server expires (silly me, why did I only make it a year long?)
3. Thunderbird presents an Add Security Exception dialog (screenshot attached).
4. Dialog reappears, seemingly in an infinite loop, whether I choose "Confirm Security Exception" or "Cancel" (first time I chose "Confirm Security Exception").
5. Kill Thunderbird process and restart Thunderbird. Security exception has taken effect. (no dialogs presented).
Confirming per comment 8.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I have just noticed this behaviour reappearing in Daily 23.0a1 perhaps as indicated in Comment 7 bug 739563

https://bugzilla.mozilla.org/show_bug.cgi?id=739563 

has been patched into the latest Daily

I checked with EarlyBird (same profile) and the issue is not there.
Then when I opened Daily after closing EarlyBird, the issue seems to have gone away, so presumably EarlyBird resolved the storing of the security exception?
Had this on 17.0.8 / Windows.
Pressing the escape button seemed to get me out of the loop.
It happens on 31.2.0 on both Linux-64 and Windows versions (English US).  Once killed, you can confirm the certificate exception is in place in the Certificate Manager and are able to access the server with no further issue.
Do you also see this when using version 45?
Flags: needinfo?(ruben)
Flags: needinfo?(kiddm_mozilla)
Flags: needinfo?(hckpost)
Flags: needinfo?(alex)
No.  I see the alt text and am given no option to see the remote content with invalid certificate.

Tested using email with the following content (both www.ecospro.com and www.ecoscentric.com resolve to the same IP and server fudged to use the same cert so cert www.ecospro.com will be invalid):

<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <img alt="ecospro"
      src="https://www.ecospro.com/images/sliders/support.jpg"><br>
    <img alt="ecoscentric"
      src="https://www.ecoscentric.com/images/sliders/support.jpg"><br>
  </body>
</html>
Flags: needinfo?(alex)
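
An added example, not part of the bug report or of Thunderbird's code: a small classifier showing which certificate problem each scenario in this thread would raise (the shared certificate in the test e-mail above, the reporter's certificate without the subdomain, and the expired self-signed certificate). The certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the `example.org` names and all dates are assumptions, and only DNS subjectAltName entries are checked.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(cert, hostname, now):
    """Return the problems a TLS client would report for this cert and host."""
    problems = []
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in dns_names):
        problems.append("hostname-mismatch")
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

# Constructed sample data (not captured from any real server).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Test e-mail case: one server and one cert answering for two host names.
SHARED_CERT = {"subjectAltName": (("DNS", "www.ecoscentric.com"),),
               "notAfter": "Jan 15 00:00:00 2030 GMT"}
# Reporter's case: cert valid for the domain but not for the subdomain.
NO_SUBDOMAIN = {"subjectAltName": (("DNS", "example.org"),),
                "notAfter": "Jan 15 00:00:00 2030 GMT"}
# Later comments: mail server cert that expired while the client was running.
EXPIRED = {"subjectAltName": (("DNS", "mail.example.org"),),
           "notAfter": "Jan 15 00:00:00 2024 GMT"}

if __name__ == "__main__":
    cases = [(SHARED_CERT, "www.ecoscentric.com"),
             (SHARED_CERT, "www.ecospro.com"),
             (NO_SUBDOMAIN, "mail.example.org"),
             (EXPIRED, "mail.example.org")]
    for cert, host in cases:
        print(host, classify(cert, host, NOW) or "ok")
```
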
Thanks Alex.  I'll close so no one else need reply unless they disagree
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(ruben)
Flags: needinfo?(kiddm_mozilla)
Flags: needinfo?(hckpost)
Resolution: --- → WORKSFORME
Not exactly the same scenario but I had something similar happen when using Thunderbird 45 on my travel XP craptop over the holidays. My mail server certificate had expired but I hadn't updated Thunderbird with the new certificate yet. This led to some sort of strange issue where I think I ended up having to kill the Thunderbird process. But I would have a hard time reproducing the scenario.

FWIW, several buttons, e.g. Send for an e-mail, don't seem to work for Thunderbird on XP. I had to revert all the way back to Thunderbird 38.8.0 to get back to a functioning program on XP (Windows 7 is fine). But I should file a separate bug report for this issue.

Still have the problem on thunderbird 68.11.0 on linux fc31 x86_64.

I have this happen periodically, and if it helps as a clue, my server uses Let's Encrypt, on a certificate that is shared by multiple domains. When this happens, no button on the modal window has any effect except to close the window, which immediately pops back up, preventing me from doing anything else in thunderbird, requiring me to close the program down and starting it back up.

Not sure what the difference between this bug and bug #493980 is, but from what I can tell they are duplicates.

(In reply to insaner from comment #19)

> Still have the problem on thunderbird 68.11.0 on linux fc31 x86_64.

Good day, TB 68 is EOL hence no longer supported. If you can reproduce this problem with TB 78, pls file new bug with numbered steps to reproduce, every detail matters.

> Not sure what the difference between this bug and bug #493980 is, but from what I can tell they are duplicates.

Bug #493980 symptoms look same, but it was fixed 12 years ago. Code changes...

Flags: needinfo?(mozillabugs)

(In reply to Thomas D. (:thomas8) from comment #21)

> (In reply to insaner from comment #19)
>
> > Still have the problem on thunderbird 68.11.0 on linux fc31 x86_64.
>
> Good day, TB 68 is EOL hence no longer supported. If you can reproduce this problem with TB 78, pls file new bug with numbered steps to reproduce, every detail matters.

I found that I can install 78 from the repos, but before I do, are there any flags or something like that that I can set in tbird to create a better report? Debug traces or something like that? The problem only happens to me about once every 4 months or so (probably in conjunction to the certificate being renewed while tbird is running), so I'd like to be ready for it when it does (I might be able to request a manual renewal from my mail provider to try to debug the problem).

> > Not sure what the difference between this bug and bug #493980 is, but from what I can tell they are duplicates.
>
> Bug #493980 symptoms look same, but it was fixed 12 years ago. Code changes...

Yeah I've actually had this problem for years, likely more than those 12+ years in fact, but this time I was working on a big project requiring many open windows and running into it again was sufficient motivation to come check the bug reports and see what's happening.

Flags: needinfo?(mozillabugs) → needinfo?(bugzilla2007)

insaner, I think the main thing is to file a new bug, with a testcase if at all possible.
Another possibility is to try beta https://www.thunderbird.net/en-US/#channel
Backup your profile first. And test with a new profile.

Flags: needinfo?(bugzilla2007)

For anyone landing here from a search engine, I filed Bug 1708933.

See Also: → 1708933