Certificates show as having "Unknown Issuer", but are trusted anyway

VERIFIED DUPLICATE of bug 93103

Status

Core Graveyard
Security: UI
VERIFIED DUPLICATE of bug 93103
17 years ago
2 years ago

People

(Reporter: Marco Franzen, Assigned: Stephane Saux)

Tracking

({ecommerce})

Other Branch
psm2.1
x86
Linux
ecommerce

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

17 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:0.9.3) Gecko/20010801
BuildID:    2001080104

When I follow the links to the secure login pages (which targets tend to keep
moving, so I included the referring pages instead) of either of the two banks,
the padlock in the bottom right corner closes and goes yellow. Hovering over the
padlock shows the name of the bank. Fine.
As I am paranoid about men-in-the-middle impersonating as my bank, I click the
padlock before entering data. A "page info" with "security" tab selected pops up
saying:
"The web site[...]supports authentication[...]The identity of this web site has
been verified by (Unknown Issuer)[sic!], a certificate authority you trust[sic!]
for this purpose." (The text "(Unknown Issuer)" appears literally.)
If I view the certificate all three fields under "Issued By" show "<Unknown
Issuer>". (Literally again, with angle brackets now.)

Reproducible: Always
Steps to Reproduce:
1.Visit www.egg.com [alternatively try www.smile.co.uk]
2.Follow link named "Service your accounts" (confirming any security warning)
[or, on Smile's page, follow "account login"]
3.On the secure page click the browser's small padlock. Read text under "Web
Site Identity Verified" on the "Page Info" window.
4.Click the "View" button on the "Page Info" window. Read "Issued By" section.

Actual Results:  The Issuer shows as (Unknown Issuer) or <Unknown Issuer>.
Apparently security policy is to trust unknown issuers.

Expected Results:  The actual name, etc. of the issuer should be shown.
If an issuer is really unknown (and not just displayed as such), it should not
be trusted.

Dependend on why the Issuer is shown as unknown, this may be one bug or two. If
it's just the display, it might be connected with bug #83530. Otherwise,
trusting an actually unknown issuer (even if only by default) would be a second bug.
(Reporter)

Updated

17 years ago
Keywords: 4xp, ecommerce
-> PSM
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
Version: other → unspecified
If this is true, it's pretty bad.
(Assignee)

Comment 3

17 years ago
Marking as a dup of bug 93103 which is being worked on.


*** This bug has been marked as a duplicate of 93103 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE
(Reporter)

Comment 4

17 years ago
So, you are saying the certificates of my two banks are trusted because in each
case the issuer, although itself not stored as trusted, has a chain to a trusted
CA? (And that the real bug lies in how this fact is presented to the user?)

Hopefully then, certificates without such a chain will not be trusted. Has that
been tested to make sure this is *only* a duplicate?

(Sorry, but I don't know the internals of Mozilla to test this myself. I am just
a user trying to contribute from outside.)
(Assignee)

Comment 5

17 years ago
We are confident about two issues:
- That if a server sends his cert together with the signer chain (less the Root)
and that the root is in Mozilla, then the behavior is that the validation occurs
and that the chain is then discarded.
- That if the chain is broken at the time we do validate, then you get a
warning.
(Reporter)

Comment 6

17 years ago
Ok, I understand now why this is an alias. (Although I still don't for the
second part of "sibling" bug 93427 if its OP actually removed the root
certificate. But that discusson belongs there.)

Can you (or anybody with that privilege) please copy the 4xp keyword to now
"parent" bug 93103? It breaks things that used to work under, for example,
Communicator 4.77.

(Seems keyword ecommerce is only for evangelism bugs, so it needs no copying.)
(Assignee)

Comment 7

17 years ago
Assigning target of 2.1 to all bugs fixed in the 2.1 target timeframe whose
target was not 2.1
Target Milestone: --- → 2.1

Comment 8

17 years ago
Verified dupe.
Status: RESOLVED → VERIFIED

Updated

13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.