Closed Bug 765924 Opened 12 years ago Closed 4 years ago

Don't show additional SSL errors when showing sec_error_unknown_issuer

Categories

(Core :: Security: PSM, defect, P3)

x86_64
macOS
defect

Tracking


RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: sec-low, Whiteboard: [psm-backlog])

>  ringring.mv.mozilla.com uses an invalid security certificate.
>
>  The certificate is not trusted because no issuer chain was provided.
>  The certificate is only valid for ringring.office.mozilla.org
>
>  (Error code: sec_error_unknown_issuer)

When I encounter these pages, I skim for something that looks like an actual error message and stop reading.  In this case, I saw "only valid for ringring.office.mozilla.org" and figured it was safe.  But I should have treated it as unsafe because of "no issuer chain was provided".

(Or, if you're worried about users manually checking fingerprints for the "unknown issuer", make the list of errors a bulleted list.)
Patch:

diff --git a/security/manager/ssl/src/TransportSecurityInfo.cpp b/security/manager/ssl/src/TransportSecurityInfo.cpp
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -1020,6 +1020,7 @@ formatOverridableCertErrorMessage(nsISSL
   if (isUntrusted) {
     AppendErrorTextUntrusted(errorCodeToReport, hostWithoutPort, ix509, 
                              component, returnedMessage);
+    return NS_OK;
   }
 
   bool isDomainMismatch;
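Review bot: the added `return NS_OK;` inside the `if (isUntrusted)` branch does not only suppress the domain-mismatch text that follows (the intent here), it also bypasses everything else in formatOverridableCertErrorMessage after this hunk, including any expiry handling or trailing text appended to returnedMessage that is not visible in the context lines; please confirm nothing below the `bool isDomainMismatch;` declaration still needs to run when the issuer is unknown. A less fragile shape is to keep the control flow in one place, e.g. make the later checks `else if` branches of this `if (isUntrusted)` so an untrusted-issuer result is reported alone without an early return, and add a one-line comment citing this bug so the next reader knows the omission of the other errors is deliberate rather than a missed case.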
I might go even further - we should be showing only exactly the error the certificate verifier returned.
Component: Security: UI → Security: PSM
Priority: -- → P3
Whiteboard: [psm-backlog]

The new certificate error page took care of this.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME