Closed Bug 706392 Opened 13 years ago Closed 6 years ago

User interface for OSCP-revoked SSL cert is unclear

Product/Component: Firefox :: Security
Type: defect
Priority: P3
Version: 8 Branch
Status: RESOLVED DUPLICATE of bug 1486551
Reporter: list2011
Assignee: Unassigned
Whiteboard: [fxprivacy]
Attachments: 1 file

Attached image absa-stuffed-up.png
User Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20100101 Firefox/8.0
Build ID: 20111104165243

Steps to reproduce:

I browsed to https://www.absastockbrokers.co.za/ at the time that they had failed to install their new certificate, and their issuer had REVOKED their current certificate.

Actual results:

The correct SSL message was displayed, but it was not possible to get any more information. Since no SSL is established, even in a provisional way, it is not possible to view the certificate, and to see what element of the certificate has been revoked (e.g. the peer certificate, or a signing certificate higher up in the chain).

I was left with shock, horror and disbelief. I considered creative ways of sorting out the problem - perhaps there is an SSL revocation verifier out there (didn't find one). Searching the internet found me the following gem of security advice:

* Turn off OCSP (and how to do it).

Phoning the provider (a bank) provided the following equally amazing gem of security advice:

* Yes, there is a problem with Firefox, can you try Internet Explorer? (An old enough version will not have OCSP.)

For reference, the somewhat terse message was:

"
https://www.absastockbrokers.co.za

Secure Connection Failed

An error occurred during a connection to www.absastockbrokers.co.za.

Peer's Certificate has been revoked.

(Error code: sec_error_revoked_certificate)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
"

Since the site is reported as "broken", the possibility of a real genuine security failure is ignored, and users will gladly accept insecure workarounds.

Expected results:

* The authority for the OCSP revocation should be displayed (OCSP is signed by the issuer - so that signature establishes their authority).
* The time at which the OCSP revocation was received by the browser should be displayed. (This is a current problem, and has not been resolved.)
* It should be possible to display the invalid certificate chain, with nice red bits around the part that was revoked, and arrows and little UML men that say who revoked it and when we noticed that. Maybe it can be done without UML men and arrows.
With the revocation of StartCom certs, support requests around this have been cropping up more frequently on IRC (most recently with https://smuxi.im/).
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: x86 → All
Panos, is this something your team can look at improving?
Flags: needinfo?(past)
If the platform bits are in place we can look into it. David, can we treat SEC_ERROR_REVOKED_CERTIFICATE errors as about:certerror cases (instead of about:neterror) and display the certificate chain to the user?
Flags: needinfo?(past) → needinfo?(dkeeler)
We would need to fix bug 943937 first and then add additional information about OCSP responses, etc.
Flags: needinfo?(dkeeler)
Blocks: 943937
Whiteboard: [fxprivacy][triage]
No longer blocks: 943937
Depends on: 943937
Priority: -- → P3
Whiteboard: [fxprivacy][triage] → [fxprivacy]
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE