Closed Bug 926102 Opened 6 years ago Closed 6 years ago

Firefox for Android offers cert error overrides for HSTS sites, even though the override will never be honored

Categories

(Firefox for Android :: General, defect)

ARM
Android
defect
Not set

Tracking

()

RESOLVED FIXED
Firefox 27

People

(Reporter: arky, Assigned: mfinkle)

Details

Attachments

(2 files)

Captive Wifi portals often use bad SSL certificates. Clicking 'Add Permanent Exception' in "This Connection is Untrusted" has no effect and returns to the same page. 

Here is logcat from J'burg airport. 

I/GeckoToolbar( 8629): zerdatime 3099458 - Throbber start
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
I/GeckoToolbar( 8629): zerdatime 3099659 - Throbber stop
I/GeckoToolbar( 8629): zerdatime 3100008 - Throbber stop
D/GeckoFavicons( 8629): Requesting cancelation of favicon load (2)
D/GeckoFavicons( 8629): Cancelling favicon load (2)
D/GeckoHealthRec( 8629): Recording session end: P
V/GeckoHealthRec( 8629): Recorded session entry for env 121, current is 121
D/GeckoSessInfo( 8629): Recording session done: 1381611277152
I/GeckoHealth( 8629): fennec :: HealthReportBroadcastService :: Registering HealthReportPruneService.
I/GeckoHealth( 8629): fennec :: BackgroundService :: Setting inexact repeating alarm for interval 86400000
D/GeckoSessInfo( 8629): Recording start of session: 1381611304691
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Failure"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: chrome://browser/content/exceptions.js :: SSLE_checkCert :: line 57"  data: no]" {file: "chrome://browser/content/exceptions.js" line: 65}]
I/GeckoToolbar( 8629): zerdatime 3124060 - Throbber start
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
I/GeckoToolbar( 8629): zerdatime 3124302 - Throbber stop
I/GeckoToolbar( 8629): zerdatime 3124349 - Throbber stop
I/Gecko   ( 8629): JSDOMParser error: expected '</script>'
I/Gecko   ( 8629): JSDOMParser error: expected '</head>'
I/Gecko   ( 8629): JSDOMParser error: expected '</html>'
E/GeckoConsole( 8629): [JavaScript Error: "elem is undefined" {file: "chrome://browser/content/Readability.js" line: 250}]
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Failure"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: chrome://browser/content/exceptions.js :: SSLE_checkCert :: line 57"  data: no]" {file: "chrome://browser/content/exceptions.js" line: 65}]
I/GeckoToolbar( 8629): zerdatime 3129627 - Throbber start
Captive Wifi portals often use bad SSL certificates. Clicking 'Add Permanent Exception' in "This Connection is Untrusted" has no effect and returns to the same page. 

Here is logcat from J'burg airport. 

I/GeckoToolbar( 8629): zerdatime 3099458 - Throbber start
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
I/GeckoToolbar( 8629): zerdatime 3099659 - Throbber stop
I/GeckoToolbar( 8629): zerdatime 3100008 - Throbber stop
D/GeckoFavicons( 8629): Requesting cancelation of favicon load (2)
D/GeckoFavicons( 8629): Cancelling favicon load (2)
D/GeckoHealthRec( 8629): Recording session end: P
V/GeckoHealthRec( 8629): Recorded session entry for env 121, current is 121
D/GeckoSessInfo( 8629): Recording session done: 1381611277152
I/GeckoHealth( 8629): fennec :: HealthReportBroadcastService :: Registering HealthReportPruneService.
I/GeckoHealth( 8629): fennec :: BackgroundService :: Setting inexact repeating alarm for interval 86400000
D/GeckoSessInfo( 8629): Recording start of session: 1381611304691
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Failure"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: chrome://browser/content/exceptions.js :: SSLE_checkCert :: line 57"  data: no]" {file: "chrome://browser/content/exceptions.js" line: 65}]
I/GeckoToolbar( 8629): zerdatime 3124060 - Throbber start
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
I/GeckoToolbar( 8629): zerdatime 3124302 - Throbber stop
I/GeckoToolbar( 8629): zerdatime 3124349 - Throbber stop
I/Gecko   ( 8629): JSDOMParser error: expected '</script>'
I/Gecko   ( 8629): JSDOMParser error: expected '</head>'
I/Gecko   ( 8629): JSDOMParser error: expected '</html>'
E/GeckoConsole( 8629): [JavaScript Error: "elem is undefined" {file: "chrome://browser/content/Readability.js" line: 250}]
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "mail.mozilla.com:443 uses an invalid security certificate.
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): The certificate is only valid for the following names:
E/GeckoConsole( 8629):   gateway.alwayson.co.za , www.gateway.alwayson.co.za  
E/GeckoConsole( 8629): 
E/GeckoConsole( 8629): (Error code: ssl_error_bad_cert_domain)
E/GeckoConsole( 8629): "]
E/GeckoConsole( 8629): [JavaScript Error: "Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Failure"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: chrome://browser/content/exceptions.js :: SSLE_checkCert :: line 57"  data: no]" {file: "chrome://browser/content/exceptions.js" line: 65}]
I/GeckoToolbar( 8629): zerdatime 3129627 - Throbber start
That seems like an expected exception that is thrown when there is a problem with a certificate presented by the site.
https://mail.mozilla.com sends:
strict-transport-security: max-age=8640000

This disables the ability for the user to add cert error overrides, because that is one of the intended effects of strict-transport-security. The Firefox for Android code needs to check that the site isn't HSTS before offering any cert error overrides, like the desktop browser does.

Also, there is a bug on file against the desktop browser that the desktop browser doesn't explain why it doesn't allow a cert error override for HSTS sites.

The real solution for this type of use case is to implement captive portal detection. It isn't safe for users to add cert error exceptions for captive portals and we're teaching them to do the wrong thing.
Sounds like nothing actionable in this bug
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Thanks for explaining this to me. Now I have to resort to using  Android native browser or Chrome to login to these WiFi portals. We need a real solution like captive portal detection. Do I file a bug for that?
(In reply to arky [:arky] from comment #4)
> Thanks for explaining this to me. Now I have to resort to using  Android
> native browser or Chrome to login to these WiFi portals. We need a real
> solution like captive portal detection. Do I file a bug for that?

That's already bug 562917.

I reopened this bug since Firefox for Android needs to be fixed to be consistent with the desktop products, by disabling the cert error override stuff when the site is HSTS.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Summary: Add Permanent Exception has no effect → Firefox for Android should offers cert error overrides for HSTS sites, even though the override will never be honored
Summary: Firefox for Android should offers cert error overrides for HSTS sites, even though the override will never be honored → Firefox for Android offers cert error overrides for HSTS sites, even though the override will never be honored
Do we have any pointers to desktop code where we hide the cert override stuff?
(In reply to Brian Smith (:briansmith, was :bsmith@mozilla.com) from comment #7)
> https://mxr.mozilla.org/mozilla-central/source/docshell/base/nsDocShell.
> cpp?rev=0e2144372236#4267
> 
> It would be great if Desktop and Android (and B2G) could share the logic.

That part we already share. It's this part we need to add:
http://mxr.mozilla.org/mozilla-central/source/browser/components/certerror/content/aboutCertError.xhtml#88
FYI, the (window != top) check is done to prevent cert error overrides in iframes for clickjacking.
This patch hides the "expertContent" section like desktop currently does.

Not tested. How can I try to test this against a live website? Do we have a test site?
Assignee: nobody → mark.finkle
Attachment #817367 - Flags: review?(margaret.leibovic)
Comment on attachment 817367 [details] [diff] [review]
Fix the about:cert page

Review of attachment 817367 [details] [diff] [review]:
-----------------------------------------------------------------

Given the desktop changeset you linked to, this looks good to me. If only we didn't have forked versions! ;)
Attachment #817367 - Flags: review?(margaret.leibovic) → review+
https://hg.mozilla.org/mozilla-central/rev/88a17d595844
Status: REOPENED → RESOLVED
Closed: 6 years ago6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 27
You need to log in before you can comment on or make changes to this bug.