<a class="header-button" href="https://bugzilla.mozilla.org/home" title="Go to home page"> Bugzilla

Comment 1

•

12 years ago

Looks like all https websites have Not Specified Verification eg: youtube, engadget etc. Is this expected Tanvi? If so we can close this bug.

Flags: needinfo?(tanvi)

Updated

•

12 years ago

QA Contact: mihai.morar

Comment 2

•

12 years ago

Hmm, the cert on that page looks like a valid cert to me. I tried in FF 21 and in FF 24. Adding Camilo who is the expert on the subject, just in case I missed something.

Flags: needinfo?(tanvi) → needinfo?(cviecco)

Camilo Viecco (:cviecco)

Comment 3

•

12 years ago

I am using OSX and the getting the same behavior as tanvi: 'Verified by $NAME_OF_CA' Mihal, what os are you using?

Flags: needinfo?(cviecco)

Comment 4

•

12 years ago

(In reply to Camilo Viecco (:cviecco) from comment #3) > I am using OSX and the getting the same behavior as tanvi: 'Verified by > $NAME_OF_CA' Mihal, what os are you using? I am using Mac OS 10.8 and 10.7

crackme_hackyou

Reporter

Comment 5

•

12 years ago

Hi all, Thanks for noticing this bug. Apparently, both IE and Chrome do not show such behavior with this website and with other websites. In Firefox v20.0.1, the certificates were recognized correctly. Firefox v21 onwards this problem occurs.

Updated

•

12 years ago

Keywords: regressionwindow-wanted

Comment 6

•

12 years ago

I'll try to find regressionwindow ASAP.

Comment 7

•

12 years ago

Regression window(m-c) Good: http://hg.mozilla.org/mozilla-central/rev/5f9775715519 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130130 Firefox/21.0 ID:20130130050547 Bad: http://hg.mozilla.org/mozilla-central/rev/2cc710018b14 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130130 Firefox/21.0 ID:20130130072130 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5f9775715519&tochange=2cc710018b14 Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/dd6cfdf29d03 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130129 Firefox/21.0 ID:20130129233747 Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/8da4794af394 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130130 Firefox/21.0 ID:20130130000805 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dd6cfdf29d03&tochange=8da4794af394 Suspected: Bug 822367

Blocks: 822367

Status: UNCONFIRMED → NEW

tracking-firefox22: --- → ?

tracking-firefox23: --- → ?

tracking-firefox24: --- → ?

tracking-firefox25: --- → ?

Ever confirmed: true

Keywords: regressionwindow-wanted → regression

Comment 8

•

12 years ago

FYI, It works as expected if I set security.mixed_content.block_display_content = true

Comment 9

•

12 years ago

(In reply to Alice0775 White from comment #8) > FYI, > It works as expected if I set security.mixed_content.block_display_content = > true This setting will block Mixed Display Content loads on the page. I'm not sure why this fixes the issue, but it does cause the mixed content favicon load to be blocked: Blocked loading mixed display content "http://www.netaddress.com/favicon.ico" @ chrome://browser/content/browser.js:11323

Comment 10

•

12 years ago

(In reply to Alice0775 White from comment #7) Thanks Alice for regressionrange!

Comment 11

•

12 years ago

Looks like any Mixed Content load after FF21 causes a page to say "Verified By: Not Specified". I'm not sure why yet. Is there a way to install a FF 20 build for testing?

Alex Keybl [:akeybl]

Comment 12

•

12 years ago

(In reply to Tanvi Vyas [:tanvi] from comment #11) > Is there a way to install a FF 20 build for testing? https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/20.0/win32/en-US/Firefox%20Setup%2020.0.exe Please renominate with justification if you feel this is critical.

tracking-firefox22: ? → -

tracking-firefox23: ? → -

tracking-firefox24: ? → -

tracking-firefox25: ? → -

Comment 13

•

12 years ago

For the Mixed Content Blocker, we had to make some changes to nsSecureBrowserUIImpl. Here are the changes made to that file: http://hg.mozilla.org/mozilla-central/rev/9c8970c4523f The security state was determined by lockIconState parameter. This code is not changed. But, we do a second check for Mixed Content. If Mixed Content exists (which we determine by flags on the docshell) we will update the security state. Without this patch, the security state would still be STATE_IS_BROKEN for most mixed content page loads. It wouldn't catch everything, but it would catch most of the cases. Since this "Verified By: Not Specified" seems to be occurring on every mixed content load, we can assume that it's not because we are catching a STATE_IS_BROKEN case that we were not previously catching. In addition to the STATE_IS_BROKEN flag, we add a few more mixed content flags, but the extra flags are only checked in the MCB code, so shouldn't affect the cert verification code.

Comment 14

•

12 years ago

I installed FF 20 and go to https://people.mozilla.com/~tvyas/mixeddisplay.html. This is an SSL page with Mixed Display content. The pref to block mixed display content is turned off (the mixed content image loads). When I click on Larry and go to More Information, I get "Verified By: Not Specified". Maybe the regression range is incorrect? Is this platform specific? I tested on Mac OS X 10.7.

Comment 15

•

12 years ago

I tested on FF 17 on my Mac. I go to https://www.nytimes.com (which has mixed content). Verified By says Not Specified. I go to https://boston.com (which has mixed content). Verified By says Not Specified. The first time any MCB code landed was in FF 18 with bug 62178. Unless this is platform specific, it seems like the behavior has not changed. When a user visits a mixed content page, they will not get SSL cert information.

Comment 16

•

12 years ago

(In reply to Tanvi Vyas [:tanvi] from comment #14) > I installed FF 20 and go to > https://people.mozilla.com/~tvyas/mixeddisplay.html. This is an SSL page > with Mixed Display content. The pref to block mixed display content is > turned off (the mixed content image loads). When I click on Larry and go to > More Information, I get "Verified By: Not Specified". > > Maybe the regression range is incorrect? No. The regression window of comment#7 is correct. > Is this platform specific? No. I can reproduce the behavior of commnet#14 since Firefox3.5 on windows7. So, I think your testcase of comment#14 is different bug. (though root cause may be same)

Comment 17

•

12 years ago

Okay, then maybe I am missing something. Alice, can you provide the exact steps to reproduce and indicate what you observe (and where in the UI you observe it) on FF 20 vs FF21+. Make sure that the prefs for security.mixed_content.block_display_content and security.mixed_content.block_active_content are set to false, so that nothing is blocked. Thanks for your help!

Comment 18

•

12 years ago

(In reply to Alice0775 White from comment #16) > > Is this platform specific? > > No. > I can reproduce the behavior of commnet#14 since Firefox3.5 on windows7. > Perhaps this is a windows only bug? I have a Mac and Linux machine I can test with, but not windows.

Comment 19

•

12 years ago

(In reply to Tanvi Vyas [:tanvi] from comment #17) > Okay, then maybe I am missing something. Alice, can you provide the exact > steps to reproduce and indicate what you observe (and where in the UI you > observe it) on FF 20 vs FF21+. Make sure that the prefs for > security.mixed_content.block_display_content and > security.mixed_content.block_active_content are set to false, so that > nothing is blocked. > > Thanks for your help! Step to Reproduce: 1. Start Firefox with newly created clean profile,. 2. Go to https://www.netaddress.com/tpl/Door/Login?Domain=usa.net Actual Results: The gray earth icon displayed in the location bar. Expected Results; Padlock icon should be displayed.

Comment 20

•

12 years ago

(In reply to Tanvi Vyas [:tanvi] from comment #17) > Okay, then maybe I am missing something. Alice, can you provide the exact > steps to reproduce and indicate what you observe (and where in the UI you > observe it) on FF 20 vs FF21+. Make sure that the prefs for > security.mixed_content.block_display_content and > security.mixed_content.block_active_content are set to false, so that > nothing is blocked. > > Thanks for your help! Step to Reproduce: 1. Start Firefox with newly created clean profile,. 2. Go to https://www.netaddress.com/tpl/Door/Login?Domain=usa.net Actual Results: The gray earth icon displayed in the location bar. In the page info, security, Website Identity indicated 'Verified By: Not Specified' Expected Results; Padlock icon should be displayed. In the page info, security, Website Identity should be indicated 'Verified By: Entrust, Inc'. I can also reproduce the problem on ubuntu12.04 i686 build.

Updated

•

12 years ago

OS: Windows 7 → All

Comment 21

•

12 years ago

(In reply to Alice0775 White from comment #20) > > Step to Reproduce: > 1. Start Firefox with newly created clean profile,. > 2. Go to https://www.netaddress.com/tpl/Door/Login?Domain=usa.net > > Actual Results: > The gray earth icon displayed in the location bar. > This is expected behavior. There is mixed content on the page, which means the page is not 100% encrypted and hence Firefox will not show the user the padlock. When you set security.mixed_content.block_display_content to true, you block that mixed content from loading. Hence the page is then 100% encrypted and you do see the padlock. A page that is fully encrypted looks like this: https://people.mozilla.com/~tvyas/FigureC.jpg A page with Mixed Display Content (http images/media/etc embedded on the page) looks like this: https://people.mozilla.com/~tvyas/FigureE.jpg A page with Mixed Active Content (http script/objects/css/etc embedded on the page) looks like this in Firefox 23+: https://people.mozilla.com/~tvyas/FigureD.jpg For more information on Mixed Content, see here: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/ > In the page info, security, > Website Identity indicated 'Verified By: Not Specified' > It seems like Firefox will set Verified By to Not Specified on any SSL page with Mixed Content. Camilo and Brian can decide whether or not this is expected/intended behavior. This behavior has existed since at least FF 17 (that's the furthest back I checked).

Comment 22

•

12 years ago

(In reply to Tanvi Vyas [:tanvi] from comment #21) > > In the page info, security, > > Website Identity indicated 'Verified By: Not Specified' > > > It seems like Firefox will set Verified By to Not Specified on any SSL page > with Mixed Content. Camilo and Brian can decide whether or not this is > expected/intended behavior. > This behavior has existed since at least FF 17 > (that's the furthest back I checked). No. This problem happens since Firefox21. PLEASE TRY STR of comment #20.

Comment 23

•

12 years ago

(In reply to Alice0775 White from comment #20) > Step to Reproduce: > 1. Start Firefox with newly created clean profile,. > 2. Go to https://www.netaddress.com/tpl/Door/Login?Domain=usa.net > > Actual Results: > The gray earth icon displayed in the location bar. > In the page info, security, > Website Identity indicated 'Verified By: Not Specified' > > Expected Results; > Padlock icon should be displayed. > In the page info, security, > Website Identity should be indicated 'Verified By: Entrust, Inc'. > Okay, I see what this issue is now. If you visit a mixed content page with FF 20 and prior, you will get the following behavior in MOST cases: > The gray earth icon displayed in the location bar. > In the page info, security, > Website Identity indicated 'Verified By: Not Specified' Some examples are: https://www.nytimes.com, https://boston.com, https://people.mozilla.com/~tvyas/mixeddisplay.html, https://people.mozilla.com/~tvyas/mixedcontent.html. For all of these pages, you will see the gray earth icon instead padlock in the location bar. That is intended behavior. In Firefox 21+, we improved the Mixed Content detection code. This means we starting catching Mixed Content cases that we did not catch before. https://www.netaddress.com/tpl/Door/Login?Domain=usa.net is an example of such a case. The Mixed Content favicon loaded on this page was not detected (http://www.netaddress.com/favicon.ico) in FF 20 and prior. Hence, when you visit https://www.netaddress.com/tpl/Door/Login?Domain=usa.net in FF 20 and prior you see: > Padlock icon should be displayed. > In the page info, security, > Website Identity should be indicated 'Verified By: Entrust, Inc'. When really you should have seen the gray earth icon. Since we improved the Mixed Content detection, you now do see the gray globe icon instead of the padlock on FF21+ for this page. ------------ As far as the "Verified By: Not Specified", this behavior is observed on all pages that Firefox detects with Mixed Content. Whether this is intended or not is up to Camilo and Brian.

Updated

•

12 years ago

No longer blocks: 822367

Michael Lefevre

Comment 24

•

12 years ago

(In reply to Tanvi Vyas [:tanvi] from comment #23) > When really you should have seen the gray earth icon. Since we improved the > Mixed Content detection, you now do see the gray globe icon instead of the > padlock on FF21+ for this page. So, this was an intended change - that makes sense. However, if I visit (using 23.0b4 - haven't tried nightly I'm afraid) https://www.nytimes.com/, I get the mixed-content doorhanger. Visiting https://www.netaddress.com/tpl/Door/Login?Domain=usa.net , I don't get the mixed-content warning - is there a reason for that inconsistency?

Michael Lefevre

Comment 25

•

12 years ago

Also, maybe the bug reporter or someone could get in touch with the email provider and explain to them that the insecure favicon is causing this mixed-content problem, which was an intentional change in Firefox? Seems like it should be a simple fix (the favicon loads fine from https as well).

crackme_hackyou

Reporter

Comment 26

•

12 years ago

Hi Tanvi & Michael, I already contacted my email provider and provided them with the required info a month ago, they assured me of trying to fix it in coordination with Mozilla but I personally preferred to lodge a bug report to Mozilla directly as well. So, as I can make out from the comments above if I blocked the mixed content feature from about:config will the normal padlock show or... is there any way to make all mixed content pages show normally so that there is no compromise on security?

Comment 27

•

12 years ago

(In reply to Michael Lefevre from comment #24) > However, if I visit (using 23.0b4 - haven't tried nightly I'm afraid) > https://www.nytimes.com/, I get the mixed-content doorhanger. Visiting > https://www.netaddress.com/tpl/Door/Login?Domain=usa.net , I don't get the > mixed-content warning - is there a reason for that inconsistency? Yes. The Mixed Content Blocker will block Mixed Active Content (like scripts, objects, css, etc) but not Mixed Display Content (like images) by default. Here is another example of an HTTPS page with mixed display content. You can see that the padlock is replaced by the globe, but that there is no doorhanger: https://people.mozilla.com/~tvyas/mixeddisplay.html You can get more info on the Mixed Content Classifications here: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#Mixed_Content_Classifications Also, if you want to block Mixed Display Content also, you can by following these steps: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#footnote2

Comment 28

•

12 years ago

(In reply to Michael Lefevre from comment #25) > Also, maybe the bug reporter or someone could get in touch with the email > provider and explain to them that the insecure favicon is causing this > mixed-content problem, which was an intentional change in Firefox? Seems > like it should be a simple fix (the favicon loads fine from https as well). We have been filing bugs for some pages that we find that have Mixed Active Content (tracking bug 844556). Mixed Display Content is unfortunately all over the web.