Open Bug 849722 Opened 10 years ago Updated 6 years ago

improve the messaging to the user when certificate verification results in sec_error_ocsp_unknown_cert

Categories: Firefox :: Security, enhancement

People: Reporter: hauser, Unassigned

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Build ID: 20130215130331

Steps to reproduce:

A QuoVadis SSL UCC certificate was accessed.


Actual results:

Firefox shows "Fehler: Gesicherte Verbindung fehlgeschlagen

Ein Fehler ist während einer Verbindung mit securemail.holcim.com aufgetreten.

Der OCSP-Server hat keinen Status für das Zertifikat.

(Fehlercode: sec_error_ocsp_unknown_cert)

Die Website kann nicht angezeigt werden, da die Authentizität der erhaltenen Daten nicht verifiziert werden konnte.
Kontaktieren Sie bitte den Inhaber der Website, um ihn über dieses Problem zu informieren. Alternativ können Sie auch die Funktion im Hilfe-Menü verwenden, um diese Website als fehlerhaft zu melden."

There was only the possibility to retry.


Expected results:

There should be a "more info" button giving details of what really happened.
Is the certificate "unknown", or was the status missing? What did the OCSP server send instead, ...?
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Component: Untriaged → Security: PSM
Ever confirmed: true
OS: Windows 7 → All
Product: Firefox → Core
Hardware: x86_64 → All
Version: 19 Branch → Trunk
This is timely, given Heartbleed.

I've just replaced my certs, but the CA is so overwhelmed that the OCSP server hasn't updated itself with my newly issued and installed certificates for the last 5 hours.

So visitors cannot access my site. We get a message which isn't very helpful to non-technical users; which doesn't actually help the admin to debug, and which cannot be clicked through to "proceed anyway". (The message also wrongly makes it look like the fault of the server, rather than of the CA).

A proceed-anyway option would be rather helpful - after all, the cert is most probably valid, and usually this is an issue with the CA, rather than the server. [this is the approach taken by Chromium]

At the very least, I think the error message should say something like:

"The domain ($URL) that you are trying to visit is verified by a certificate provided by ($CA).
The certificate authority's server ($URL) responded that it does not recognise the certificate, and cannot say whether or not it has been revoked."
if (cert_age < 24 hours){
  "The certificate is only [AGE] hours old; the OCSP server may not have updated yet. To
  proceed anyway, click [here]."
}

Thanks for your time.

Btw, I see this on Firefox 24 ESR and Firefox 28.
(In reply to Richard Neill from comment #1)
> "The domain ($URL) that you are trying to visit is verified by a certificate
> provided by ($CA).
> The certificate authority's server ($URL) responded that it does not recognise
> the certificate, and cannot say whether or not it has been revoked."
> if (cert_age < 24 hours){
>   "The certificate is only [AGE] hours old; the OCSP server may not have
> updated yet. To
>   proceed anyway, click [here]."
> }

According to the latest baseline requirements and Mozilla CA program requirements, we have to interpret "unknown" as "The CA claims that it did not issue this certificate and that it should be presumed stolen."
This seems like more of a front-end action item. All we can really do is improve the error string.
Component: Security: PSM → Security
Product: Core → Firefox
Summary: provide more info in sec_error_ocsp_unknown_cert case → improve the messaging to the user when certificate verification results in sec_error_ocsp_unknown_cert
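An added example (not Firefox/PSM code, and not from any of the commenters) of the kind of diagnostic the first reply asks for, applied with the reading of "unknown" given in the later baseline-requirements reply: the connection is still refused, but the user and the site admin are told whether the responder is probably lagging behind a fresh certificate or the CA genuinely does not vouch for it. The certificate and responder fields are constructed stand-ins for values a real OCSP client would parse from the certificate and the DER response, and the 24-hour window and the "responder data predates the certificate" heuristic are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-ins for the fields a real OCSP client reads from the
# certificate and from the responder's reply; not Firefox/PSM code.
@dataclass
class CertInfo:
    subject: str           # host name the certificate was issued for
    issuer: str            # name of the issuing CA
    ocsp_url: str          # responder URL from the certificate's AIA extension
    not_before: datetime   # issuance time (UTC)

@dataclass
class OcspResult:
    status: str                      # "good", "revoked" or "unknown"
    this_update: Optional[datetime]  # time the responder's data was current

FRESH_CERT_WINDOW = timedelta(hours=24)  # assumed threshold for a "fresh" certificate

def diagnose(cert: CertInfo, resp: OcspResult, now: datetime) -> dict:
    """Expand a bare sec_error_ocsp_unknown_cert into actionable detail.

    "unknown" means the CA does not vouch for the certificate, so the
    connection is never allowed; the extra fields only say where to look.
    """
    age = now - cert.not_before
    age_hours = round(age / timedelta(hours=1), 1)
    report = {
        "status": resp.status,
        "cert_age_hours": age_hours,
        # A responder snapshot taken before the certificate existed cannot know it.
        "responder_predates_cert": (resp.this_update is not None
                                    and resp.this_update < cert.not_before),
        "likely_cause": None,
        "connect": resp.status == "good",
    }
    if resp.status != "unknown":
        report["message"] = f"{cert.ocsp_url} reports the certificate as '{resp.status}'."
        return report
    base = (f"The certificate for {cert.subject} was issued by {cert.issuer}, whose "
            f"OCSP responder ({cert.ocsp_url}) does not recognise it.")
    if age < FRESH_CERT_WINDOW or report["responder_predates_cert"]:
        report["likely_cause"] = "responder-lag"
        report["message"] = (f"{base} The certificate is only {age_hours} hours old, so the "
                             "CA may not have published its status yet; the site owner should ask the CA.")
    else:
        report["likely_cause"] = "not-issued-by-ca"
        report["message"] = (f"{base} The CA does not claim to have issued this certificate, "
                             "so it must be treated as untrustworthy.")
    return report
```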