Closed Bug 562362 Opened 15 years ago Closed 14 years ago

Firefox allows to Add Exception when using HTTPS (TLS/SSL) even if the alert message is fatal

Categories

(Core :: Security: PSM, defect)

x86
Windows 7
defect
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: spam, Unassigned)

Details

(Whiteboard: [psm-cert-exceptions])

User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.24 Version/10.52
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)

It is somehow related to 520830, although not exactly the same.

When connecting to HTTPS site which uses TLS/SSL protocol and is presented with an invalid certificate and encountering a condition, which results in a FATAL message (for example unknown_ca), Firefox displays the "This Connection is Untrusted" warning, however it still allows an exception to be added.

rfc5246 states when an implementation encounters a condition, which triggers a fatal alert message, the connection should be immediately terminated:

Section 7.2
[...]Alert messages with a level of fatal result in the immediate termination of the connection.[...]

As far as I have checked, other major browsers' implementations properly terminate the connection with a fatal error message and don't allow the user to continue.

Note that this does not regard warnings, such as wrong subject, expired/revoked certificate, etc, ... which should still allow the user to establish a secure connection based on their discretion (if they trust the other party), but fatal errors, where user should NEVER be allowed to continue.

Reproducible: Always

Steps to Reproduce:
1. Connect to a HTTPS site which uses an invalid certificate that triggers a fatal alert message (for example, unknown_ca)

Actual Results:
Firefox allows the user to add the exception and continue

Expected Results:
Connection to the site should be terminated and the user should not be allowed to proceed.
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Reporter, I have trouble following your arguments.

You say one should terminate the connection. I think we do. We do terminate/close the "TCP/IP socket". We inform the user that such an exception happened. We allow the user to fix the environment. We effectively allow the user to override the "unknown_ca" condition. If the user does that, we allow the user to "retry" using a "new connection".

Also, you say, other browsers don't allow the user to continue. However, in my understanding, other browsers provide the user similar mechanisms to override bad server certificates, and allow the user to continue, too.

Reporter, if you disagree with my words, could you please provide a more detailed scenario? Maybe using a URL, and exact steps of what you did, and what you expect? And the name and version of a different browser, and the behaviour you see in the other browser?
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody. Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
I agree with Kai: as written, this is INVALID. On hard-stop errors like a revoked certificate, we do not allow exceptions to be added, but an unknown CA is not one of those conditions. Legitimate circumstances exist (e.g. attempting to connect to a US military site using a cert issued by the US DoD) for users to override the initial failure in the case of an unknown CA. If the RFC says differently, it's wrong. Or, at least, we'll be contravening it (as will every other browser, AFAICT).
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
> attempting to connect to a US military site using a cert issued by the US DoD

This is NOT the same type of error. It is much more severe.

Unknown CA error usually means that the root certificate is not issued with a Basic Constraints security flag - which means that the CA is NOT allowed to sign other server certificates.

In other words, if I have one valid (end-entity) certificate issued by a trusted certificate authority, I would be able to issue certificates for an arbitrary entity with it (for example, issue a paypal.com SSL certificate using a cheapest personal certificate!) and the certificate AND the certificate chain would appear OK, EXCEPT for the fact that my certificate in the chain doesn't have a Basic Constraint field, which triggers the Unknown CA error.

Here's a link to an old vulnerability (that was common at the time) regarding this: http://www.securityfocus.com/bid/5410/discussion/

> could you please provide a more detailed scenario? Maybe using an URL, and exact steps of what you did, and what you expect? And the name and version of a different browser, and the behaviour you see in the other browser?

Unfortunately, I don't currently have a URL where this behaviour could be tested (the one I was testing it on was fixed recently). I might be able to set up a test site somewhere, though.

Regarding the other browsers, I tested this in the latest versions of Opera, Internet Explorer and Chrome. None of them allowed me to continue when such an error was detected. The only way some of those browsers allowed me to continue was to manually install and trust a root certificate to indicate that I trust it.

I hope I made myself a little clearer.

The problem with this specific type of error is that the reason behind it is not clearly evident - if the user encounters such an error, they would have a difficult time finding anything wrong even by manually inspecting the certificate (all data, including certificate chain can APPEAR to be valid), while in fact it could be a fake certificate. I can't really think of any legitimate circumstances where this could occur.
@spam: Is Firefox' default behaviour with this site what you are worried about? https://www.cacert.org Using Opera, I'm able to "continue anyway". It's even *easier* with Opera. Opera will complain about the site, bring up a prompt, and clicking "Approve" is sufficient to connect anyway.
(In reply to comment #5)
> @spam:
>
> Is Firefox' default behaviour with this site what you are worried about?
> https://www.cacert.org

I mean, is the behaviour you get with Firefox, when you connect to that site, the issue you are referring to?
> I mean, is the behaviour you get with Firefox, when you connect to that site, the issue you are referring to?

Not exactly. On this site the error occurs because the issuer certificate is missing (the chain is "incomplete"), while the issue I'm talking about is when the certificate was signed by the "authority" which is not allowed to sign certificates.
(In reply to comment #4)
> > attempting to connect to a US military site using a cert issued by the US DoD
>
> This is NOT the same type of error. It is much more severe.
>
> Unknown CA error usually means that the root certificate is not issued with a
> Basic Constraints security flag - which means that the CA is NOT allowed to
> sign other server certificates.

I marked this as invalid based on the understanding that the original reporter was complaining about behaviour in the face of untrusted CAs. Since his subsequent comments seem to suggest that his concern lies elsewhere, with certs that chain to roots which should not be used as CAs, I'll reverse that and leave it to the experts.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Ok, maybe you're referring to the following test environment:

Go to http://www.cacert.org/certs/root.crt
Do NOT check any of the boxes, but confirm to download the cert. (This will make the cert known, but without trusting it.)

Go to http://www.cacert.org/certs/class3.crt and do the same.

Now go to https://www.cacert.org

Firefox will still allow the user to add an exception.

I did the equivalent with the opera browser (linux v10), and was not given a choice to proceed anyway. I received error message "cert valid, but permission denied".

Is this your point?
Here is what I was talking about. I tried to replicate this (I hope I haven't screwed up somewhere else) by issuing an SSL server certificate by a CA which is not allowed to issue certificates.

Here's the test server: https://darko.leeloo.si

Here's what happens when I visit this site in different browsers (Windows versions):

Opera 10.60: immediately gives the "Secure connection: fatal error (554)" and doesn't allow me to continue.

Internet Explorer 8: shows a warning about a certificate and gives me the option to continue, however fails immediately thereafter. Note the first warning was because the issuer was not trusted; if the CA certificate is installed locally and trusted, the first warning does not show but the connection still fails.

Chrome: says "Invalid Server Certificate". No option to continue.

Safari: says "can’t establish a secure connection to the server". No option to continue.

Firefox: displays the "sec_error_unknown_issuer" and allows me to continue. Site works.
Your site at https://darko.leeloo.si sends a chain of two certificates, including a root CA, which is not trusted by Firefox (of course, that's your test setup).

A dump of the root CA cert looks like this:

    Version: 3 (0x2)
    Serial Number: 00:d0:55:53:a7:d4:da:03:18
    Signature Algorithm: PKCS #1 MD5 With RSA Encryption
    Issuer: "CN=My Company CA,C=US,ST=State or Providence,L=My Town,O=My Company"
    Validity:
        Not Before: Mon Jun 07 19:53:47 2010
        Not After : Tue Jun 07 19:53:47 2011
    Subject: "CN=My Company CA,C=US,ST=State or Providence,L=My Town,O=My Company"
    Subject Public Key Info:
        Public Key Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Modulus: ...
            Exponent: 65537 (0x10001)
    Signed Extensions:
        Name: Certificate Basic Constraints
        Data: Is not a CA.

        Name: Certificate Subject Key ID
        Data:
            0a:05:47:09:26:c8:4c:bc:26:51:fe:ff:c2:f6:22:df:
            a5:15:c3:52

        Name: Certificate Authority Key Identifier
        Key ID:
            0a:05:47:09:26:c8:4c:bc:26:51:fe:ff:c2:f6:22:df:
            a5:15:c3:52
        Issuer:
            Directory Name: "CN=My Company CA,C=US,ST=State or Providence,L=My Town,O=My Company"
        Serial Number: 00:d0:55:53:a7:d4:da:03:18

Your CA certificate clearly says "this is not a CA".

I believe that's your point: Firefox allows the user to override "root certificate is clearly not a CA cert", while other browsers forbid overriding in that scenario.
Whiteboard: [psm-cert-error-pages]
Whiteboard: [psm-cert-error-pages] → [psm-cert-exceptions]
We don't assume that the list of certs sent to us by an SSL server is a complete chain, or even a chain at all. Some servers actually send multiple separate chains. Our browser works quite well with those, as do most other browsers.

We assume only that the first cert in the list is the server cert. We take that cert and attempt to construct a chain from the other certs that came along with it, and from the previously collected and stored valid CA certs, that leads to a known and trusted issuer.

A cert that is not a CA cert cannot be an issuer of another cert, by definition. But there may be other certs with the same subject name that are CA certs. A CA may issue both CA and non-CA certs to the same subject name. Therefore, one cannot conclude, based on the finding of a single non-CA cert with a given subject name, that the subject is never a CA.

Therefore, when we go looking for the issuer of your server cert, we only search through CA certs. We do not find any CA cert with the name your server cert lists as its issuer, so we conclude the issuer is an unknown issuer. The existence of a non-CA cert with the same subject name is simply irrelevant.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
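
The issuer search described in the last comment, as an added example that is not NSS or Firefox code: a simplified Python model in which signature verification is replaced by matching key identifiers. All certificate records, names and key ids are constructed; the non-CA "My Company CA" record is modelled on the dump quoted in the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool         # Basic Constraints CA flag
    key_id: str         # stands in for the subject public key
    signer_key_id: str  # key that signed this cert (replaces signature check)

def _search(cert, pool, trusted, seen):
    """Depth-first search for a path from cert to a trusted cert."""
    if cert in trusted:
        return [cert]
    for cand in pool:
        if cand in seen or cand.subject != cert.issuer:
            continue
        if cand.key_id != cert.signer_key_id:
            continue
        rest = _search(cand, pool, trusted, seen | {cand})
        if rest:
            return [cert] + rest
    return None

def classify(sent, stored_cas, trusted_roots):
    """sent is the server's cert list; only sent[0] is assumed to be the leaf."""
    leaf = sent[0]
    # Issuer candidates: everything else the server sent plus locally known
    # certs, restricted to CA certs. Non-CA certs never enter the pool.
    pool = [c for c in (*sent[1:], *stored_cas, *trusted_roots) if c.is_ca]
    chain = _search(leaf, pool, frozenset(trusted_roots), frozenset([leaf]))
    return ("trusted", chain) if chain else ("unknown_issuer", [leaf])

# Constructed sample records (not real certificates).
MYCO = "CN=My Company CA"
LEAF = Cert("CN=server.example", MYCO, False, "k-leaf", "k-myco")
NON_CA_ROOT = Cert(MYCO, MYCO, False, "k-myco", "k-myco")    # "Is not a CA."
CA_SAME_NAME = Cert(MYCO, "CN=Other Root", True, "k-myco", "k-root")
OTHER_ROOT = Cert("CN=Other Root", "CN=Other Root", True, "k-root", "k-root")

if __name__ == "__main__":
    # Server sends leaf + non-CA "root": the non-CA cert is ignored.
    print(classify([LEAF, NON_CA_ROOT], [], [OTHER_ROOT])[0])
    # A CA cert with the same subject name is known: the path is found.
    status, chain = classify([LEAF, NON_CA_ROOT], [CA_SAME_NAME], [OTHER_ROOT])
    print(status, [c.subject for c in chain])
```

In the first case the result is the same whether or not the server sends the non-CA certificate, which is why the outcome surfaces as an unknown issuer rather than as a distinct "issuer is not a CA" error.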