SSL Certificate: Verified By: Not Specified

NEW
Unassigned

Status

()

5 years ago
4 years ago

People

(Reporter: crackme_hackyou, Unassigned)

Tracking

({regression, sec-other})

21 Branch
x86
All
regression, sec-other
Points:
---

Firefox Tracking Flags

(firefox22-, firefox23-, firefox24-, firefox25-)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 759508 [details]
Untitled.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803

Steps to reproduce:

Accessing log-in page for my email account at https://www.netaddress.com/tpl/Door/Login?Domain=usa.net




Actual results:

Firefox identifies SSL certificate on the page as "Verified By: Not Specified" in v21. 

Therefore, Firefox identifies a partial HTTPS connection to the website whereas that should not be the case.



Expected results:

In v20.0.1, Firefox correctly identified the SSL certificate on the homepage as "Verified By: Entrust, Inc".

However, in v21 it does not do the same. 

Using default Firefox settings with no changes whatsoever on Windows 7 SP1.

Furthermore, I took this issue up with my email provider and they say that the SSL certificate on this login page has no problems whatsoever. 

Therefore, has there been any changes made to the way Firefox identifies SSL certificates in v21? Because never faced this issue in v20.0.1.
(Reporter)

Updated

5 years ago
Component: Untriaged → Security
Keywords: sec-other
Looks like all https websites have Not Specified Verification eg: youtube, engadget etc. Is this expected Tanvi? If so we can close this bug.
Flags: needinfo?(tanvi)
QA Contact: mihai.morar

Comment 2

5 years ago
Hmm, the cert on that page looks like a valid cert to me.  I tried in FF 21 and in FF 24.  Adding Camilo who is the expert on the subject, just in case I missed something.
Flags: needinfo?(tanvi) → needinfo?(cviecco)
I am using OSX and the getting the same behavior as tanvi: 'Verified by $NAME_OF_CA' Mihal, what os are you using?
Flags: needinfo?(cviecco)
(In reply to Camilo Viecco (:cviecco) from comment #3)
> I am using OSX and the getting the same behavior as tanvi: 'Verified by
> $NAME_OF_CA' Mihal, what os are you using?

I am using Mac OS 10.8 and 10.7
(Reporter)

Comment 5

5 years ago
Hi all,

Thanks for noticing this bug. 

Apparently, both IE and Chrome do not show such behavior with this website and with other websites.

In Firefox v20.0.1, the certificates were recognized correctly. Firefox v21 onwards this problem occurs.
Keywords: regressionwindow-wanted
I'll try to find regressionwindow ASAP.

Comment 7

5 years ago
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/5f9775715519
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130130 Firefox/21.0 ID:20130130050547
Bad:
http://hg.mozilla.org/mozilla-central/rev/2cc710018b14
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130130 Firefox/21.0 ID:20130130072130
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5f9775715519&tochange=2cc710018b14

Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/dd6cfdf29d03
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130129 Firefox/21.0 ID:20130129233747
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/8da4794af394
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130130 Firefox/21.0 ID:20130130000805
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dd6cfdf29d03&tochange=8da4794af394

Suspected: Bug 822367
Blocks: 822367
Status: UNCONFIRMED → NEW
tracking-firefox22: --- → ?
tracking-firefox23: --- → ?
tracking-firefox24: --- → ?
tracking-firefox25: --- → ?
Ever confirmed: true
Keywords: regressionwindow-wanted → regression

Comment 8

5 years ago
FYI,
It works as expected if I set security.mixed_content.block_display_content = true

Comment 9

5 years ago
(In reply to Alice0775 White from comment #8)
> FYI,
> It works as expected if I set security.mixed_content.block_display_content =
> true

This setting will block Mixed Display Content loads on the page.  I'm not sure why this fixes the issue, but it does cause the mixed content favicon load to be blocked:

Blocked loading mixed display content "http://www.netaddress.com/favicon.ico" @ chrome://browser/content/browser.js:11323
(In reply to Alice0775 White from comment #7)

Thanks Alice for regressionrange!

Comment 11

5 years ago
Looks like any Mixed Content load after FF21 causes a page to say "Verified By: Not Specified".  I'm not sure why yet.

Is there a way to install a FF 20 build for testing?
(In reply to Tanvi Vyas [:tanvi] from comment #11)
> Is there a way to install a FF 20 build for testing?

https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/20.0/win32/en-US/Firefox%20Setup%2020.0.exe

Please renominate with justification if you feel this is critical.
tracking-firefox22: ? → -
tracking-firefox23: ? → -
tracking-firefox24: ? → -
tracking-firefox25: ? → -

Comment 13

5 years ago
For the Mixed Content Blocker, we had to make some changes to nsSecureBrowserUIImpl.  Here are the changes made to that file:

http://hg.mozilla.org/mozilla-central/rev/9c8970c4523f

The security state was determined by lockIconState parameter.  This code is not changed.  But, we do a second check for Mixed Content.  If Mixed Content exists (which we determine by flags on the docshell) we will update the security state.

Without this patch, the security state would still be STATE_IS_BROKEN for most mixed content page loads.  It wouldn't catch everything, but it would catch most of the cases.  Since this "Verified By: Not Specified" seems to be occurring on every mixed content load, we can assume that it's not because we are catching a STATE_IS_BROKEN case that we were not previously catching.

In addition to the STATE_IS_BROKEN flag, we add a few more mixed content flags, but the extra flags are only checked in the MCB code, so shouldn't affect the cert verification code.

Comment 14

5 years ago
I installed FF 20 and go to https://people.mozilla.com/~tvyas/mixeddisplay.html.  This is an SSL page with Mixed Display content.  The pref to block mixed display content is turned off (the mixed content image loads).  When I click on Larry and go to More Information, I get "Verified By: Not Specified".

Maybe the regression range is incorrect?  Is this platform specific?  I tested on Mac OS X 10.7.

Comment 15

5 years ago
I tested on FF 17 on my Mac.

I go to https://www.nytimes.com (which has mixed content).  Verified By says Not Specified.

I go to https://boston.com (which has mixed content).  Verified By says Not Specified.

The first time any MCB code landed was in FF 18 with bug 62178.

Unless this is platform specific, it seems like the behavior has not changed.  When a user visits a mixed content page, they will not get SSL cert information.

Comment 16

5 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #14)
> I installed FF 20 and go to
> https://people.mozilla.com/~tvyas/mixeddisplay.html.  This is an SSL page
> with Mixed Display content.  The pref to block mixed display content is
> turned off (the mixed content image loads).  When I click on Larry and go to
> More Information, I get "Verified By: Not Specified".
> 
> Maybe the regression range is incorrect?  
No.
The regression window of comment#7 is correct.


> Is this platform specific? 

No.
I can reproduce the behavior of commnet#14 since Firefox3.5 on windows7.


So, I think your testcase of comment#14 is different bug.
(though root cause may be same)

Comment 17

5 years ago
Okay, then maybe I am missing something.  Alice, can you provide the exact steps to reproduce and indicate what you observe (and where in the UI you observe it) on FF 20 vs FF21+.  Make sure that the prefs for security.mixed_content.block_display_content and security.mixed_content.block_active_content are set to false, so that nothing is blocked.

Thanks for your help!

Comment 18

5 years ago
(In reply to Alice0775 White from comment #16)
> > Is this platform specific? 
> 
> No.
> I can reproduce the behavior of commnet#14 since Firefox3.5 on windows7.
> 

Perhaps this is a windows only bug?  I have a Mac and Linux machine I can test with, but not windows.

Comment 19

5 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #17)
> Okay, then maybe I am missing something.  Alice, can you provide the exact
> steps to reproduce and indicate what you observe (and where in the UI you
> observe it) on FF 20 vs FF21+.  Make sure that the prefs for
> security.mixed_content.block_display_content and
> security.mixed_content.block_active_content are set to false, so that
> nothing is blocked.
> 
> Thanks for your help!

Step to Reproduce:
1. Start Firefox with newly created clean profile,.
2. Go to https://www.netaddress.com/tpl/Door/Login?Domain=usa.net

Actual Results:
The gray earth icon displayed in the location bar.

Expected Results;
Padlock icon should be displayed.

Comment 20

5 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #17)
> Okay, then maybe I am missing something.  Alice, can you provide the exact
> steps to reproduce and indicate what you observe (and where in the UI you
> observe it) on FF 20 vs FF21+.  Make sure that the prefs for
> security.mixed_content.block_display_content and
> security.mixed_content.block_active_content are set to false, so that
> nothing is blocked.
> 
> Thanks for your help!

Step to Reproduce:
1. Start Firefox with newly created clean profile,.
2. Go to https://www.netaddress.com/tpl/Door/Login?Domain=usa.net

Actual Results:
The gray earth icon displayed in the location bar.
In the page info, security, 
Website Identity indicated 'Verified By: Not Specified'

Expected Results;
Padlock icon should be displayed.
In the page info, security, 
Website Identity should be indicated 'Verified By: Entrust, Inc'.


I can also reproduce the problem on ubuntu12.04 i686 build.

Updated

5 years ago
OS: Windows 7 → All

Comment 21

5 years ago
(In reply to Alice0775 White from comment #20)
> 
> Step to Reproduce:
> 1. Start Firefox with newly created clean profile,.
> 2. Go to https://www.netaddress.com/tpl/Door/Login?Domain=usa.net
> 
> Actual Results:
> The gray earth icon displayed in the location bar.
>

This is expected behavior.  There is mixed content on the page, which means the page is not 100% encrypted and hence Firefox will not show the user the padlock.

When you set security.mixed_content.block_display_content to true, you block that mixed content from loading.  Hence the page is then 100% encrypted and you do see the padlock.


A page that is fully encrypted looks like this:
https://people.mozilla.com/~tvyas/FigureC.jpg

A page with Mixed Display Content (http images/media/etc embedded on the page) looks like this:
https://people.mozilla.com/~tvyas/FigureE.jpg

A page with Mixed Active Content (http script/objects/css/etc embedded on the page) looks like this in Firefox 23+:
https://people.mozilla.com/~tvyas/FigureD.jpg

For more information on Mixed Content, see here:
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/



> In the page info, security, 
> Website Identity indicated 'Verified By: Not Specified'
> 
It seems like Firefox will set Verified By to Not Specified on any SSL page with Mixed Content.  Camilo and Brian can decide whether or not this is expected/intended behavior.  This behavior has existed since at least FF 17 (that's the furthest back I checked).

Comment 22

5 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #21)

> > In the page info, security, 
> > Website Identity indicated 'Verified By: Not Specified'
> > 
> It seems like Firefox will set Verified By to Not Specified on any SSL page
> with Mixed Content.  Camilo and Brian can decide whether or not this is
> expected/intended behavior. 

> This behavior has existed since at least FF 17
> (that's the furthest back I checked).

No.
This problem happens since Firefox21.
PLEASE TRY STR of comment #20.

Comment 23

5 years ago
(In reply to Alice0775 White from comment #20)
> Step to Reproduce:
> 1. Start Firefox with newly created clean profile,.
> 2. Go to https://www.netaddress.com/tpl/Door/Login?Domain=usa.net
> 
> Actual Results:
> The gray earth icon displayed in the location bar.
> In the page info, security, 
> Website Identity indicated 'Verified By: Not Specified'
> 
> Expected Results;
> Padlock icon should be displayed.
> In the page info, security, 
> Website Identity should be indicated 'Verified By: Entrust, Inc'.
> 

Okay, I see what this issue is now.  If you visit a mixed content page with FF 20 and prior, you will get the following behavior in MOST cases:

> The gray earth icon displayed in the location bar.
> In the page info, security, 
> Website Identity indicated 'Verified By: Not Specified'

Some examples are: https://www.nytimes.com, https://boston.com, https://people.mozilla.com/~tvyas/mixeddisplay.html, https://people.mozilla.com/~tvyas/mixedcontent.html.  For all of these pages, you will see the gray earth icon instead padlock in the location bar.  That is intended behavior.

In Firefox 21+, we improved the Mixed Content detection code.  This means we starting catching Mixed Content cases that we did not catch before.  https://www.netaddress.com/tpl/Door/Login?Domain=usa.net is an example of such a case.  The Mixed Content favicon loaded on this page was not detected (http://www.netaddress.com/favicon.ico) in FF 20 and prior.  Hence, when you visit https://www.netaddress.com/tpl/Door/Login?Domain=usa.net in FF 20 and prior you see:

> Padlock icon should be displayed.
> In the page info, security, 
> Website Identity should be indicated 'Verified By: Entrust, Inc'.

When really you should have seen the gray earth icon.  Since we improved the Mixed Content detection, you now do see the gray globe icon instead of the padlock on FF21+ for this page.

------------

As far as the "Verified By: Not Specified", this behavior is observed on all pages that Firefox detects with Mixed Content.  Whether this is intended or not is up to Camilo and Brian.

Updated

5 years ago
No longer blocks: 822367

Comment 24

5 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #23)
> When really you should have seen the gray earth icon.  Since we improved the
> Mixed Content detection, you now do see the gray globe icon instead of the
> padlock on FF21+ for this page.

So, this was an intended change - that makes sense.

However, if I visit (using 23.0b4 - haven't tried nightly I'm afraid) https://www.nytimes.com/, I get the mixed-content doorhanger.  Visiting https://www.netaddress.com/tpl/Door/Login?Domain=usa.net , I don't get the mixed-content warning - is there a reason for that inconsistency?

Comment 25

5 years ago
Also, maybe the bug reporter or someone could get in touch with the email provider and explain to them that the insecure favicon is causing this mixed-content problem, which was an intentional change in Firefox?  Seems like it should be a simple fix (the favicon loads fine from https as well).
(Reporter)

Comment 26

5 years ago
Hi Tanvi & Michael,

I already contacted my email provider and provided them with the required info a month ago, they assured me of trying to fix it in coordination with Mozilla but I personally preferred to lodge a bug report to Mozilla directly as well. 

So, as I can make out from the comments above if I blocked the mixed content feature from about:config will the normal padlock show or... is there any way to make all mixed content pages show normally so that there is no compromise on security?

Comment 27

5 years ago
(In reply to Michael Lefevre from comment #24)
 > However, if I visit (using 23.0b4 - haven't tried nightly I'm afraid)
> https://www.nytimes.com/, I get the mixed-content doorhanger.  Visiting
> https://www.netaddress.com/tpl/Door/Login?Domain=usa.net , I don't get the
> mixed-content warning - is there a reason for that inconsistency?

Yes.  The Mixed Content Blocker will block Mixed Active Content (like scripts, objects, css, etc) but not Mixed Display Content (like images) by default.

Here is another example of an HTTPS page with mixed display content.  You can see that the padlock is replaced by the globe, but that there is no doorhanger:
https://people.mozilla.com/~tvyas/mixeddisplay.html

You can get more info on the Mixed Content Classifications here: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#Mixed_Content_Classifications

Also, if you want to block Mixed Display Content also, you can by following these steps:
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#footnote2

Comment 28

5 years ago
(In reply to Michael Lefevre from comment #25)
> Also, maybe the bug reporter or someone could get in touch with the email
> provider and explain to them that the insecure favicon is causing this
> mixed-content problem, which was an intentional change in Firefox?  Seems
> like it should be a simple fix (the favicon loads fine from https as well).

We have been filing bugs for some pages that we find that have Mixed Active Content (tracking bug 844556).  Mixed Display Content is unfortunately all over the web.

Comment 29

5 years ago
(In reply to crackme_hackyou from comment #26)
> So, as I can make out from the comments above if I blocked the mixed content
> feature from about:config will the normal padlock show or... is there any
> way to make all mixed content pages show normally so that there is no
> compromise on security?

Starting in Firefox 23, Mixed Active Content will be blocked by default.  In order to also block Mixed Passive/Display Content, follow these steps:
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#footnote2

Blocking both will ensure that the connection is fully encrypted and will show you the padlock.

The Mixed Content Blocker has been so far designed to block active content.  If you also block display, you will encounter the following situations:
* If you are on a page with just Mixed Active Content, you will see the shield icon and the padlock.  You can click the shield to disable protection.  ex: https://people.mozilla.com/~tvyas/mixedcontent.html
* If you are on a page with just Mixed Display Content, you will see the padlock (since you have blocked the display content) but you will not see the Mixed Content Blocker Shield.  If you decide you want to view the image, you have to go to about:config and change the setting, reload the page, and then change the setting back.  There is also an addon that makes this easier for you. ex: https://people.mozilla.com/~tvyas/mixeddisplay.html
* if you are on a page with both Mixed Active and Mixed Display Content, all the mixed content will be blocked (since you have enabled both prefs) and you will see the Shield and the padlock.  If you disable protection, all mixed content will load.  ex: https://people.mozilla.com/~tvyas/mixedboth.html
You need to log in before you can comment on or make changes to this bug.