firefox doesn't realise that it is actually using https

Status: NEW (Unassigned)
Product: Firefox
Component: Security
Reported: 4 years ago
Updated: 4 years ago
Reporter: Christoph Anton Mitterer
Version: 23 Branch
Firefox Tracking Flags: Not tracked
Whiteboard: [dupeme]

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 (Beta/Release)
Build ID: 20130811093823

Steps to reproduce:

And once again, a potentially even security-related issue, in how you guys handle SSL/TLS.

I have a server setup that provides (via Apache) https on two different ports with two different certs.
Kinda complex and advanced stuff with redirections and reverse proxying.

https://a.keyserver.pki.scientia.net/
vs.
https://a.keyserver.pki.scientia.net:8443/
Both with different certs, from different CAs....

When I open either of these with FF, ... it shows me the https:// in the address and it is definitely using SSL/TLS, since the Apache is configured to only speak https on that port...
but in the icon left of the https in the address bar, respectively in the page info... it claims there is no SSL/TLS, no identity provided, and it doesn't give me the option to view the cert.

Interestingly, when using something deeper down in the URI space, e.g.
https://a.keyserver.pki.scientia.net/robots.txt
vs.
https://a.keyserver.pki.scientia.net:8443/robots.txt
it works again...WTF o.O

Something's really fishy in all your security code... I wouldn't even be surprised if FF speaks HTTPS but e.g. completely ignores any cert validation/CRLs or whatsoever in the above case.


Guys - and sorry for the harsh words, but I guess it's simply necessary to at least have a small chance of waking someone at Mozilla up to see that you're on a very wrong path - you seem to have some very deep and awkward problems with respect to security - both technical and in how you seem to understand security.
When I look at some bugs of mine or others, like #906069 or #826666, or look at facts like you still ridiculously accepting unsafe TLS renegotiation by default - and not even warning users... all that just gives me the creeps.

That, combined with the fact that over the last years you guys removed basically all visualisations for users of whether a connection is secure or not (first the address bars were green, then only some very bright green one could easily overlook, then that was completely removed and only some small part in the address bar got green,... nowadays only EV certs have a (barely visible) green font)... makes me really wonder whether all this is just an accident of you destroying the browser and making a toy out of it... or whether you got some National Security Letter that forces you to subtly take away security from users, step by step.

Sigh...
(Reporter)

Comment 1

4 years ago
Oh... and just a side note: Chromium (for example) seems to be safe from the issue... o.O
OS: Linux → All
Hardware: x86_64 → All
(Reporter)

Updated

4 years ago
Severity: normal → major

Comment 2

4 years ago
Firefox isn't displaying the padlock because there's insecure content on the page; it only displays the icon when every resource is loaded over HTTPS.

If you click on the icon it mentions this fact.
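Comment 2's explanation can be checked offline. The Python scanner below is an added example, not code from the bug report, from Mozilla or from Firefox: it enumerates the sub-resources of an HTML page the way a browser would, resolves relative and protocol-relative references against the page URL, and reports every sub-resource that would be fetched over plain http://. The sample HTML and the host cdn.example.invalid are constructed for the example (only the reporter's hostname comes from the report). It also shows why a bare text file such as /robots.txt never loses the indicator: it has no sub-resources at all.

```python
"""Added example: list mixed content in a page served over https.

Not code from the bug report or from Firefox; it reproduces, offline, the
check Comment 2 describes: the padlock is shown only when every
sub-resource of an https:// page is itself loaded over https.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which each element pulls in a sub-resource.
_RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),      # only counted when rel="stylesheet", see below
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

# Resources that can run code or restyle the page are "active" mixed
# content; images and media are "passive".
_ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, absolute_url) for every sub-resource reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower():
            return  # icons, preloads etc. are ignored to keep the example focused
        for name in _RESOURCE_ATTRS.get(tag, ()):
            value = attr_map.get(name)
            if not value:
                continue
            # srcset is a comma-separated list of "url descriptor" pairs
            candidates = [value]
            if name == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            for cand in candidates:
                # urljoin gives relative and protocol-relative ("//host/x")
                # references the scheme of the page, i.e. https here.
                self.resources.append((tag, urljoin(self.base_url, cand)))


def find_mixed_content(page_url, html):
    """Return [(kind, tag, url)] for sub-resources that would load over http://."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return [
        ("active" if tag in _ACTIVE_TAGS else "passive", tag, url)
        for tag, url in collector.resources
        if urlsplit(url).scheme == "http"
    ]


def padlock_shown(page_url, html):
    """Mirror Comment 2: the indicator appears only with zero mixed content."""
    return not find_mixed_content(page_url, html)


# Constructed sample: a front page like the reporter's "/" that pulls a script
# and an image over plain http.  cdn.example.invalid is a made-up host.
SAMPLE_PAGE_URL = "https://a.keyserver.pki.scientia.net/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.invalid/jquery.js"></script>
</head><body>
<img src="http://a.keyserver.pki.scientia.net/logo.png">
<img src="//a.keyserver.pki.scientia.net/banner.png">
</body></html>
"""

# A plain text resource has no sub-resources, so it can never lose the padlock.
ROBOTS_URL = "https://a.keyserver.pki.scientia.net/robots.txt"
ROBOTS_TXT = "User-agent: *\nDisallow:\n"

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
    print("padlock on /:", padlock_shown(SAMPLE_PAGE_URL, SAMPLE_HTML))
    print("padlock on /robots.txt:", padlock_shown(ROBOTS_URL, ROBOTS_TXT))
```

Feed it the HTML of the page that lost its padlock to see exactly which references are responsible. The relative stylesheet and the protocol-relative image in the sample resolve to https and are not reported, which is the usual fix: drop the explicit http:// scheme from sub-resource URLs. The active/passive split is the standard classification (scripts, stylesheets and frames can alter the page, images and media cannot); which of the two a given browser version blocks outright rather than merely flags in the indicator varies, so the scanner reports both.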
(Reporter)

Comment 3

4 years ago
Well I know that this is related to #906069 ... the main problem here is how things are visualised.

The URL still says https, and since FF gives no really visible information (e.g. green address bar) when things are secure (since even the barely noticeable green font happens only with EV certs), people have a good right to expect that when "https" is listed, things are secure.

The padlock icon is just useless... one doesn't really notice it at all, especially when one accidentally moves away from encrypted pages.... and even apart from that... the concepts are plain stupid:

e.g. if traffic lights were like the padlock solution, then traffic lights would only show green or nothing... i.e. no red light.
And I highly doubt that this would make streets a safer place ... o.O


Moreover, all my comments about what apparently goes wrong with security at Mozilla, still fully apply as well.
Component: Untriaged → Security
Repro'd bug.

On Chrome, I see the "The site's security certificate is not trusted!" error and a red slash in the https part of the URL.

On FF Nightly I get the "This Connection is Untrusted" error; however, the URL bar looks just like the normal HTTP one, even when I add a security exception.

IMO, when a cert isn't validated, it's just as insecure as no cert at all.

*However*, sometimes users need to add security exceptions for various reasons. FF should probably display a different icon with text that indicates that the page is using an unsigned or badly signed cert that is in our security exception list.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Severity: major → normal
All mentioned issues are known, and reports on those have been filed already. Thus the dupeme request.

FWIW, adding non-technical/nonsense speculation blabla to reports doesn't help.
Whiteboard: [dupeme]