Closed
Bug 944695
Opened 11 years ago
Closed 11 years ago
Wildcard SSL certificates showing as warning triangle in address bar instead of padlock
Categories
(Firefox :: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 947079
People
(Reporter: philipw, Unassigned, NeedInfo)
Details
Attachments
(3 files)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36
Steps to reproduce:
Using nightly FF build.
Opened up our website (gface.com) but see a warning triangle in the address bar instead of the usual padlock which we see when using release FF
We are using a *.gface.com SSL certificate issued from DigiCert
Actual results:
Website still loads but the warning triangle misleads the user.
Also 'more information' on the warning triangle say that the 'owner' and 'verified by' are both unknown
Expected results:
Website still loads with the padlock icon in the address bar.
Also 'more information' should say that the 'owner' is unknown (because of the way FF handles wildcard certs) but 'verified by' should read DigiCert
Comment 1•11 years ago
|
||
I can't reproduce this, and see the lock icon as expected. Have you tried this with a new profile? And can you provide an exact link in case it has to do with a resource loaded from a subpage?
Flags: needinfo?(philipw)
Reporter | ||
Comment 2•11 years ago
|
||
Flags: needinfo?(philipw)
Reporter | ||
Comment 3•11 years ago
|
||
Reporter | ||
Comment 4•11 years ago
|
||
Reporter | ||
Comment 5•11 years ago
|
||
URL used was https://gface.com
The new FF28 says, owner is unknown AND the verifier is not specified.
FF_Bug1.jpg
It does not reject, but flags the site with a "warning" symbol.
FF_Bug2.jpg
Whereas the current FF25 cannot resolve the owner only.
FF_Bug3.jpg
We verified this on Windows, Mac and Linux.
Will ask the guys to check again with a new profile
WFM with FF25 or FF28, I have the gray padlock.
Component: Untriaged → Security
The warning triangle means that there is some mixed passive content on the site.
But I have a gray padlock, too.
Comment 8•11 years ago
|
||
I saw that on other websites too. I've checked HTML output and network requests and there are only two places where http is used:
- Facebook OpenGraph reference: <html lang="en-us" prefix="og: http://ogp.me/ns#">
- External link to blog: <a href="http://blog.gface.com/" data-i18n="Blog" target="_blank">Blog</a>
Is it still considered as mixed/passive content? For me it doesn't look like that.
Comment 9•11 years ago
|
||
(In reply to Michael Leibenson from comment #8)
> I saw that on other websites too. I've checked HTML output and network
> requests and there are only two places where http is used:
>
> - Facebook OpenGraph reference: <html lang="en-us" prefix="og:
> http://ogp.me/ns#">
> - External link to blog: <a href="http://blog.gface.com/" data-i18n="Blog"
> target="_blank">Blog</a>
>
> Is it still considered as mixed/passive content? For me it doesn't look like
> that.
No, it isn't. However, please check if you can reproduce on a clean new Firefox profile ( https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles ). Several people here have reported they can't reproduce the issue. We need to figure out what's causing the difference. It's possible your profiles have different certs configured to the ones we use, for instance.
Comment 10•11 years ago
|
||
Seems to work with fresh installation on another machine.
Comment 11•11 years ago
|
||
If you rename cert8.db into cert8.db.old on an affected profile and you restart Firefox, does it work?
Comment 12•11 years ago
|
||
I was unable to reproduce this issue on Windows 7 x64 using:
- Firefox 25.0.1 (BuildID: 20131112160018): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
- Firefox 26.0b10 (BuildID: 20131202182626): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
- latest Aurora (BuildID: 20131204004002): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
- latest Nightly (BuildID: 20131204030203): Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:28.0) Gecko/20100101 Firefox/28.0
The orange warning triangle you noticed in the location bar indicates that the page contains mixed content served over HTTPS and that - at one point - you allowed that content to be displayed, when you were warned by the browser.
- See: https://support.mozilla.org/ro/kb/how-do-i-tell-if-my-connection-is-secure#w_orange-warning-triangle
Is this issue still reproducible on your end?
Flags: needinfo?(philipw)
Updated•11 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•