Closed Bug 944695 Opened 11 years ago Closed 10 years ago

Wildcard SSL certificates showing as warning triangle in address bar instead of padlock

Categories

(Firefox :: Security, defect)

x86_64
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 947079

People

(Reporter: philipw, Unassigned, NeedInfo)

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36

Steps to reproduce:

Using nightly FF build.
Opened up our website (gface.com) but see a warning triangle in the address bar instead of the usual padlock which we see when using release FF.
We are using a *.gface.com SSL certificate issued from DigiCert.



Actual results:

Website still loads but the warning triangle misleads the user.
Also 'more information' on the warning triangle says that the 'owner' and 'verified by' are both unknown.


Expected results:

Website still loads with the padlock icon in the address bar.
Also 'more information' should say that the 'owner' is unknown (because of the way FF handles wildcard certs) but 'verified by' should read DigiCert.
I can't reproduce this, and see the lock icon as expected. Have you tried this with a new profile? And can you provide an exact link in case it has to do with a resource loaded from a subpage?
Flags: needinfo?(philipw)
Attached image FF_Bug1.jpg
Flags: needinfo?(philipw)
Attached image FF_Bug2.jpg
Attached image FF_Bug3.jpg
URL used was https://gface.com

The new FF28 says, owner is unknown AND the verifier is not specified.
FF_Bug1.jpg

It does not reject, but flags the site with a "warning" symbol.
FF_Bug2.jpg

Whereas the current FF25 cannot resolve the owner only.
FF_Bug3.jpg

We verified this on Windows, Mac and Linux.
Will ask the guys to check again with a new profile
WFM with FF25 or FF28, I have the gray padlock.
Component: Untriaged → Security
The warning triangle means that there is some mixed passive content on the site.
But I have a gray padlock, too.
I saw that on other websites too. I've checked HTML output and network requests and there are only two places where http is used:

- Facebook OpenGraph reference: <html lang="en-us" prefix="og: http://ogp.me/ns#">
- External link to blog: <a href="http://blog.gface.com/" data-i18n="Blog" target="_blank">Blog</a>

Is it still considered as mixed/passive content? For me it doesn't look like that.
(In reply to Michael Leibenson from comment #8)
> I saw that on other websites too. I've checked HTML output and network
> requests and there are only two places where http is used:
> 
> - Facebook OpenGraph reference: <html lang="en-us" prefix="og:
> http://ogp.me/ns#">
> - External link to blog: <a href="http://blog.gface.com/" data-i18n="Blog"
> target="_blank">Blog</a>
> 
> Is it still considered as mixed/passive content? For me it doesn't look like
> that.

No, it isn't. However, please check if you can reproduce on a clean new Firefox profile ( https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles ). Several people here have reported they can't reproduce the issue. We need to figure out what's causing the difference. It's possible your profiles have different certs configured to the ones we use, for instance.
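The distinction drawn in the two comments above, as an added example that is not part of the original bug thread: a static audit that separates `http://` strings the browser actually fetches as subresources (mixed content) from ones it never loads, such as the `prefix` namespace and the blog link. The tag/attribute tables and the two placeholder hosts in the sample are assumptions of this example.

```python
from html.parser import HTMLParser

# Constructed sample: the first two lines are the references quoted in the
# thread; the <img> and <script> hosts are made-up placeholders.
SAMPLE = """<html lang="en-us" prefix="og: http://ogp.me/ns#">
<a href="http://blog.gface.com/" data-i18n="Blog" target="_blank">Blog</a>
<img src="http://img.example.test/logo.png">
<script src="http://cdn.example.test/app.js"></script>
</html>"""

# (tag, attribute) pairs that make the browser fetch a subresource.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}


class HttpReferenceAudit(HTMLParser):
    """Collects every attribute mentioning http:// and classifies it."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            if not value or "http://" not in value.lower():
                continue
            # Only a URL that itself starts with http:// is fetched insecurely.
            fetched = value.strip().lower().startswith("http://")
            key = (tag, name)
            if fetched and (key in ACTIVE or (key == ("link", "href") and "stylesheet" in rel)):
                kind = "active"
            elif fetched and key in PASSIVE:
                kind = "passive"
            else:
                kind = "not-loaded"  # navigation link, RDFa prefix, metadata
            self.findings.append((kind, tag, name, value))


def audit(html):
    parser = HttpReferenceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, tag, name, value in audit(SAMPLE):
        print(f"{kind:10} <{tag} {name}> {value}")
```

This covers static markup only; requests made from CSS `url()`, `srcset`, or scripts at runtime do not appear in it and have to be checked in the browser's network panel.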
Seems to work with fresh installation on another machine.
If you rename cert8.db into cert8.db.old on an affected profile and you restart Firefox, does it work?
I was unable to reproduce this issue on Windows 7 x64 using:
- Firefox 25.0.1 (BuildID: 20131112160018): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
- Firefox 26.0b10 (BuildID: 20131202182626): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
- latest Aurora (BuildID: 20131204004002): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
- latest Nightly (BuildID: 20131204030203): Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/28.0

The orange warning triangle you noticed in the location bar indicates that the page contains mixed content served over HTTPS and that - at one point - you allowed that content to be displayed, when you were warned by the browser.
- See: https://support.mozilla.org/ro/kb/how-do-i-tell-if-my-connection-is-secure#w_orange-warning-triangle

Is this issue still reproducible on your end?
Flags: needinfo?(philipw)
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE