Implement UI to deal with missing fresh revocation information (override if neither OCSP nor CRL)

RESOLVED WONTFIX

Status

Core Graveyard
Security: UI
6 years ago
a year ago

People

(Reporter: kaie, Unassigned)

Tracking

(Depends on: 2 bugs)

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
Implement UI to deal with missing fresh revocation information (override if neither OCSP nor CRL)

If neither fresh OCSP information nor fresh CRL information is available when visiting a secure site, and when strict revocation checking is enabled, the user's connection attempt will be blocked - which is a particularly bad user experience at captive portals.

This UI should make use of captive portal detection.

In general, missing OCSP/CRL should be treated by giving strong security warnings, and users should be allowed to "connect anyway", but in general we should strongly discourage them from connecting anyway (similar to today's bad certificate error page).

However, whenever a captive portal is detected, the UI might be slightly less discouraging, together with a good explanation, and asking the user to verify that "being at a captive portal is really expected".

Any such overrides added while being at the captive portal (not yet paid) should automatically be removed immediately after the captive portal switches to open (now paid).
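
The policy proposed in the description above, sketched as an added example (not part of the bug report and not Firefox code): strict revocation checking with a user override that is purged when the captive portal opens. All function names, the outcome strings and the `"locked"`/`"open"` portal states are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not a Firefox API.
// Revocation info is fresh when now lies inside [thisUpdate, nextUpdate).
function isFresh(info, now) {
  return info !== null && info.thisUpdate <= now && now < info.nextUpdate;
}

// ocsp / crl: { thisUpdate, nextUpdate, revoked } or null when unavailable.
function evaluate({ host, ocsp, crl, strict, portalState, now }, overrides) {
  const fresh = [ocsp, crl].filter((i) => isFresh(i, now));
  if (fresh.some((i) => i.revoked)) return "block-revoked"; // not overridable
  if (fresh.length > 0 || !strict) return "connect";
  if (overrides.has(host)) return "connect-override";
  // Strict mode, nothing fresh: warn; wording depends on portal detection.
  return portalState === "locked" ? "warn-captive-portal" : "warn-strong";
}

class OverrideStore {
  constructor() { this.entries = new Map(); }
  has(host) { return this.entries.has(host); }
  // Remember whether the user clicked through while the portal was locked.
  add(host, portalState) {
    this.entries.set(host, { viaPortal: portalState === "locked" });
  }
  // Purge portal-time overrides as soon as the portal opens.
  onPortalStateChange(oldState, newState) {
    if (oldState !== "locked" || newState !== "open") return;
    for (const [host, entry] of this.entries) {
      if (entry.viaPortal) this.entries.delete(host);
    }
  }
}

// Constructed scenario: expired stapled OCSP response, no CRL, locked portal.
function demo() {
  const overrides = new OverrideStore();
  const req = { host: "example.test", crl: null, strict: true, now: 1000,
    ocsp: { thisUpdate: 0, nextUpdate: 500, revoked: false },
    portalState: "locked" };
  const out = [evaluate(req, overrides)];
  overrides.add(req.host, req.portalState);
  out.push(evaluate(req, overrides));
  overrides.onPortalStateChange("locked", "open");
  out.push(evaluate({ ...req, portalState: "open" }, overrides));
  return out;
}
```
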

Depends on: 816866

No longer depends on: 816866

This isn't something we can do right now. If the problems with servers stapling expired OCSP responses have taught us anything, it's that this would break the web for too many people.

Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WONTFIX
(Assignee)

Updated

a year ago
Product: Core → Core Graveyard