Closed
Bug 765924
Opened 12 years ago
Closed 4 years ago
Don't show additional SSL errors when showing sec_error_unknown_issuer
Categories
(Core :: Security: PSM, defect, P3)
RESOLVED
WORKSFORME
People
(Reporter: jruderman, Unassigned)
Details
(Keywords: sec-low, Whiteboard: [psm-backlog])
> ringring.mv.mozilla.com uses an invalid security certificate.
>
> The certificate is not trusted because no issuer chain was provided.
> The certificate is only valid for ringring.office.mozilla.org
>
> (Error code: sec_error_unknown_issuer)

When I encounter these pages, I skim for something that looks like an actual error message and stop reading. In this case, I saw "only valid for ringring.office.mozilla.org" and figured it was safe. But I should have treated it as unsafe because of "no issuer chain was provided".

(Or, if you're worried about users manually checking fingerprints for the "unknown issuer", make the list of errors a bulleted list.)
Comment 1•12 years ago
Patch: diff --git a/security/manager/ssl/src/TransportSecurityInfo.cpp b/security/manager/ssl/src/TransportSecurityInfo.cpp --- a/security/manager/ssl/src/TransportSecurityInfo.cpp +++ b/security/manager/ssl/src/TransportSecurityInfo.cpp @@ -1020,6 +1020,7 @@ formatOverridableCertErrorMessage(nsISSL if (isUntrusted) { AppendErrorTextUntrusted(errorCodeToReport, hostWithoutPort, ix509, component, returnedMessage); + return NS_OK; } bool isDomainMismatch;
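Review bot: The early `return NS_OK;` in the `if (isUntrusted)` branch needs a comment saying that the remaining checks are skipped on purpose, and it should be confirmed that nothing placed after those checks in formatOverridableCertErrorMessage is still wanted for an untrusted certificate, since the return bypasses all of it, starting with the `isDomainMismatch` block. If later code in the function appends text that every case should get, guard the individual checks with `!isUntrusted` rather than returning here. A test for an untrusted certificate that also has a hostname mismatch would pin down the intended output.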
I might go even further - we should be showing only exactly the error the certificate verifier returned.
Component: Security: UI → Security: PSM
Priority: -- → P3
Whiteboard: [psm-backlog]
The new certificate error page took care of this.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME