93833 - Certificates show as having "Unknown Issuer", but are trusted anyway

Status: VERIFIED DUPLICATE of bug 93103

(Core Graveyard :: Security: UI, defect)

Description

[Marco Franzen]

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:0.9.3) Gecko/20010801
BuildID:    2001080104

When I follow the links to the secure login pages (which targets tend to keep
moving, so I included the referring pages instead) of either of the two banks,
the padlock in the bottom right corner closes and goes yellow. Hovering over the
padlock shows the name of the bank. Fine.
As I am paranoid about men-in-the-middle impersonating as my bank, I click the
padlock before entering data. A "page info" with "security" tab selected pops up
saying:
"The web site[...]supports authentication[...]The identity of this web site has
been verified by (Unknown Issuer)[sic!], a certificate authority you trust[sic!]
for this purpose." (The text "(Unknown Issuer)" appears literally.)
If I view the certificate all three fields under "Issued By" show "<Unknown
Issuer>". (Literally again, with angle brackets now.)

Reproducible: Always
Steps to Reproduce:
1.Visit www.egg.com [alternatively try www.smile.co.uk]
2.Follow link named "Service your accounts" (confirming any security warning)
[or, on Smile's page, follow "account login"]
3.On the secure page click the browser's small padlock. Read text under "Web
Site Identity Verified" on the "Page Info" window.
4.Click the "View" button on the "Page Info" window. Read "Issued By" section.

Actual Results:  The Issuer shows as (Unknown Issuer) or <Unknown Issuer>.
Apparently security policy is to trust unknown issuers.

Expected Results:  The actual name, etc. of the issuer should be shown.
If an issuer is really unknown (and not just displayed as such), it should not
be trusted.

Dependend on why the Issuer is shown as unknown, this may be one bug or two. If
it's just the display, it might be connected with bug #83530. Otherwise,
trusting an actually unknown issuer (even if only by default) would be a second bug.

Comment 1

[Matthias Versen [:Matti]]

-> PSM

Comment 2

[Mitchell Stoltz (not reading bugmail)]

If this is true, it's pretty bad.

Comment 3

[Stephane Saux]

Marking as a dup of bug 93103 which is being worked on.


*** This bug has been marked as a duplicate of 93103 ***

Comment 4

[Marco Franzen]

So, you are saying the certificates of my two banks are trusted because in each
case the issuer, although itself not stored as trusted, has a chain to a trusted
CA? (And that the real bug lies in how this fact is presented to the user?)

Hopefully then, certificates without such a chain will not be trusted. Has that
been tested to make sure this is *only* a duplicate?

(Sorry, but I don't know the internals of Mozilla to test this myself. I am just
a user trying to contribute from outside.)

Comment 5

[Stephane Saux]

We are confident about two issues:
- That if a server sends his cert together with the signer chain (less the Root)
and that the root is in Mozilla, then the behavior is that the validation occurs
and that the chain is then discarded.
- That if the chain is broken at the time we do validate, then you get a
warning.

Comment 6

[Marco Franzen]

Ok, I understand now why this is an alias. (Although I still don't for the
second part of "sibling" bug 93427 if its OP actually removed the root
certificate. But that discusson belongs there.)

Can you (or anybody with that privilege) please copy the 4xp keyword to now
"parent" bug 93103? It breaks things that used to work under, for example,
Communicator 4.77.

(Seems keyword ecommerce is only for evangelism bugs, so it needs no copying.)

Comment 7

[Stephane Saux]

Assigning target of 2.1 to all bugs fixed in the 2.1 target timeframe whose
target was not 2.1

Comment 8

[John Unruh]

Verified dupe.