From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:0.9.3) Gecko/20010801 BuildID: 2001080104 When I follow the links to the secure login pages (which targets tend to keep moving, so I included the referring pages instead) of either of the two banks, the padlock in the bottom right corner closes and goes yellow. Hovering over the padlock shows the name of the bank. Fine. As I am paranoid about men-in-the-middle impersonating as my bank, I click the padlock before entering data. A "page info" with "security" tab selected pops up saying: "The web site[...]supports authentication[...]The identity of this web site has been verified by (Unknown Issuer)[sic!], a certificate authority you trust[sic!] for this purpose." (The text "(Unknown Issuer)" appears literally.) If I view the certificate all three fields under "Issued By" show "<Unknown Issuer>". (Literally again, with angle brackets now.) Reproducible: Always Steps to Reproduce: 1.Visit www.egg.com [alternatively try www.smile.co.uk] 2.Follow link named "Service your accounts" (confirming any security warning) [or, on Smile's page, follow "account login"] 3.On the secure page click the browser's small padlock. Read text under "Web Site Identity Verified" on the "Page Info" window. 4.Click the "View" button on the "Page Info" window. Read "Issued By" section. Actual Results: The Issuer shows as (Unknown Issuer) or <Unknown Issuer>. Apparently security policy is to trust unknown issuers. Expected Results: The actual name, etc. of the issuer should be shown. If an issuer is really unknown (and not just displayed as such), it should not be trusted. Dependend on why the Issuer is shown as unknown, this may be one bug or two. If it's just the display, it might be connected with bug #83530. Otherwise, trusting an actually unknown issuer (even if only by default) would be a second bug.
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
Version: other → unspecified
If this is true, it's pretty bad.
Marking as a dup of bug 93103 which is being worked on. *** This bug has been marked as a duplicate of 93103 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE
So, you are saying the certificates of my two banks are trusted because in each case the issuer, although itself not stored as trusted, has a chain to a trusted CA? (And that the real bug lies in how this fact is presented to the user?) Hopefully then, certificates without such a chain will not be trusted. Has that been tested to make sure this is *only* a duplicate? (Sorry, but I don't know the internals of Mozilla to test this myself. I am just a user trying to contribute from outside.)
We are confident about two issues: - That if a server sends his cert together with the signer chain (less the Root) and that the root is in Mozilla, then the behavior is that the validation occurs and that the chain is then discarded. - That if the chain is broken at the time we do validate, then you get a warning.
Ok, I understand now why this is an alias. (Although I still don't for the second part of "sibling" bug 93427 if its OP actually removed the root certificate. But that discusson belongs there.) Can you (or anybody with that privilege) please copy the 4xp keyword to now "parent" bug 93103? It breaks things that used to work under, for example, Communicator 4.77. (Seems keyword ecommerce is only for evangelism bugs, so it needs no copying.)
Assigning target of 2.1 to all bugs fixed in the 2.1 target timeframe whose target was not 2.1
Target Milestone: --- → 2.1
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.