Closed Bug 944695 Opened 11 years ago Closed 11 years ago

Wildcard SSL certificates showing as warning triangle in address bar instead of padlock

Categories

(Firefox :: Security, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 947079

People

(Reporter: philipw, Unassigned, NeedInfo)

Details

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36 Steps to reproduce: Using nightly FF build. Opened up our website (gface.com) but see a warning triangle in the address bar instead of the usual padlock which we see when using release FF We are using a *.gface.com SSL certificate issued from DigiCert Actual results: Website still loads but the warning triangle misleads the user. Also 'more information' on the warning triangle say that the 'owner' and 'verified by' are both unknown Expected results: Website still loads with the padlock icon in the address bar. Also 'more information' should say that the 'owner' is unknown (because of the way FF handles wildcard certs) but 'verified by' should read DigiCert
I can't reproduce this, and see the lock icon as expected. Have you tried this with a new profile? And can you provide an exact link in case it has to do with a resource loaded from a subpage?
Flags: needinfo?(philipw)
Attached image FF_Bug1.jpg
Flags: needinfo?(philipw)
Attached image FF_Bug2.jpg
Attached image FF_Bug3.jpg
URL used was https://gface.com The new FF28 says, owner is unknown AND the verifier is not specified. FF_Bug1.jpg It does not reject, but flags the site with a "warning" symbol. FF_Bug2.jpg Whereas the current FF25 cannot resolve the owner only. FF_Bug3.jpg We verified this on Windows, Mac and Linux. Will ask the guys to check again with a new profile
WFM with FF25 or FF28, I have the gray padlock.
Component: Untriaged → Security
The warning triangle means that there is some mixed passive content on the site. But I have a gray padlock, too.
I saw that on other websites too. I've checked HTML output and network requests and there are only two places where http is used: - Facebook OpenGraph reference: <html lang="en-us" prefix="og: http://ogp.me/ns#"> - External link to blog: <a href="http://blog.gface.com/" data-i18n="Blog" target="_blank">Blog</a> Is it still considered as mixed/passive content? For me it doesn't look like that.
(In reply to Michael Leibenson from comment #8) > I saw that on other websites too. I've checked HTML output and network > requests and there are only two places where http is used: > > - Facebook OpenGraph reference: <html lang="en-us" prefix="og: > http://ogp.me/ns#"> > - External link to blog: <a href="http://blog.gface.com/" data-i18n="Blog" > target="_blank">Blog</a> > > Is it still considered as mixed/passive content? For me it doesn't look like > that. No, it isn't. However, please check if you can reproduce on a clean new Firefox profile ( https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles ). Several people here have reported they can't reproduce the issue. We need to figure out what's causing the difference. It's possible your profiles have different certs configured to the ones we use, for instance.
Seems to work with fresh installation on another machine.
If you rename cert8.db into cert8.db.old on an affected profile and you restart Firefox, does it work?
I was unable to reproduce this issue on Windows 7 x64 using: - Firefox 25.0.1 (BuildID: 20131112160018): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 - Firefox 26.0b10 (BuildID: 20131202182626): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 - latest Aurora (BuildID: 20131204004002): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 - latest Nightly (BuildID: 20131204030203): Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/28.0 The orange warning triangle you noticed in the location bar indicates that the page contains mixed content served over HTTPS and that - at one point - you allowed that content to be displayed, when you were warned by the browser. - See: https://support.mozilla.org/ro/kb/how-do-i-tell-if-my-connection-is-secure#w_orange-warning-triangle Is this issue still reproducible on your end?
Flags: needinfo?(philipw)
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: