Site blocked in IE & Edge not Nightly ?

Discussion about official Mozilla Firefox builds
Post Reply
TheVisitor
Posts: 5469
Joined: May 13th, 2012, 10:43 am

Site blocked in IE & Edge not Nightly ?

Post by TheVisitor »

This site https://freshproducegroup.us/product/yu ... 16fd43adaa is allowed in Nightly but in IE11 & Edge its blocked due to a cert issue.
"This website’s security certificate has been revoked, so you can’t go there at this time."

Tried a fresh profile and site is still allowed in Latest Nightly build. Anyone else seeing this ?

As reported here: http://forums.mozillazine.org/viewtopic ... &t=3030710 it appears that Firefox 53 is blocking the site.
Lurtz
Posts: 359
Joined: June 12th, 2016, 12:25 pm

Re: Site blocked in IE & Edge not Nightly ?

Post by Lurtz »

Maybe a problem with the validation date of the certificates? Is this blocked in Firefox 53.0.03? There was a change concerning certificates in 53.0.3: Bump preloaded security information expiration times (bug 1359697).
TheVisitor
Posts: 5469
Joined: May 13th, 2012, 10:43 am

Re: Site blocked in IE & Edge not Nightly ?

Post by TheVisitor »

Lurtz wrote:Maybe a problem with the validation date of the certificates? Is this blocked in Firefox 53.0.03? There was a change concerning certificates in 53.0.3: Bump preloaded security information expiration times (bug 1359697).

Went back to May 5th build and the site mentioned still loads up OK without blocking on a supposedly 'revoked' cert. Someone with more knowledge how to check/read certs needs to chime in here I think.

EDIT: Ooops got a bad test, the May 5th is blocking the site above after I forced a reload. I'm beginning to think that bug is letting stuff through that perhaps it should not.

EDIT: Not blocking on builds after May 12. Patch landed on May 11. hmmmmm
TheVisitor
Posts: 5469
Joined: May 13th, 2012, 10:43 am

Re: Site blocked in IE & Edge not Nightly ?

Post by TheVisitor »

Mozregressioin tool got to this point and failed due to Mozilla changing around file directory's it seems:

2017-05-29T08:25:26: INFO : Narrowed inbound regression window from [f7adbf45, c2ff59dd] (4 revisions) to [55e5723b, c2ff59dd] (2 revisions) (~1 steps left)
2017-05-29T08:25:26: DEBUG : Starting merge handling...
2017-05-29T08:25:26: DEBUG : Using url: https://hg.mozilla.org/mozilla-central/ ... 88d&full=1
2017-05-29T08:25:28: DEBUG : Found commit message:
servo: Merge #17039 - Update openssl source download location (from servo:jdm-patch-1); r=nox

The openssl.org webpage has been reorganized and the old URL no longer works.

Source-Repo: https://github.com/servo/servo
Source-Revision: 83f82cb4d380f2bdd02f388702d6162af9a3c9bc

2017-05-29T08:25:28: INFO : The bisection is done.
2017-05-29T08:25:28: INFO : Stopped

Looks like some change is allowing 'expired certs' to still function.
Soothsayer
Posts: 252
Joined: June 23rd, 2004, 8:24 am

Re: Site blocked in IE & Edge not Nightly ?

Post by Soothsayer »

The site is blocked for me and I see a revoked certificate error (SEC_ERROR_REVOKED_CERTIFICATE). I am using a 64bit Windows nightly from 19th May.

Could you have added the certificate (or the revoked one in the chain - rntoptions.com) to your trusted store at some point?

Alternatively, double check your security settings to make sure that the "Query OSCP responders servers ..." option is selected.
TheVisitor
Posts: 5469
Joined: May 13th, 2012, 10:43 am

Re: Site blocked in IE & Edge not Nightly ?

Post by TheVisitor »

Soothsayer wrote:The site is blocked for me and I see a revoked certificate error (SEC_ERROR_REVOKED_CERTIFICATE). I am using a 64bit Windows nightly from 19th May.

Could you have added the certificate (or the revoked one in the chain - rntoptions.com) to your trusted store at some point?

Alternatively, double check your security settings to make sure that the "Query OSCP responders servers ..." option is selected.

I never accept any certs outside what comes with the builds. I already checked OSCP and the option is 'checked'.

Near as I can tell so far it quit blocking on 'revoked cert' sometime after May 25.
Soothsayer
Posts: 252
Joined: June 23rd, 2004, 8:24 am

Re: Site blocked in IE & Edge not Nightly ?

Post by Soothsayer »

I just updated to the latest nightly and can now reproduce the issue, so have created the following bug report for it:
https://bugzilla.mozilla.org/show_bug.cgi?id=1368523
TheVisitor
Posts: 5469
Joined: May 13th, 2012, 10:43 am

Re: Site blocked in IE & Edge not Nightly ?

Post by TheVisitor »

Soothsayer wrote:I just updated to the latest nightly and can now reproduce the issue, so have created the following bug report for it:
https://bugzilla.mozilla.org/show_bug.cgi?id=1368523
Thanks, have set the bug to NEW
TheVisitor
Posts: 5469
Joined: May 13th, 2012, 10:43 am

Re: Site blocked in IE & Edge not Nightly ?

Post by TheVisitor »

For those that do not feel comforatable with the change as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1366100 which is the change to ignore Domain-validated Certs that is allowing the site to work in latest NIghtly builds.

Setting pref: security.OCSP.enabled to '8' reverts to the old behavior and the site is not blocked on 'revoked cert'.
Soothsayer
Posts: 252
Joined: June 23rd, 2004, 8:24 am

Re: Site blocked in IE & Edge not Nightly ?

Post by Soothsayer »

Thanks.

Are you sure the setting should be '8' though? The way I read 1366100, the new default is '2' and setting it back to '1' should give the old behaviour.

What an incredibly strange decision from Mozilla though. In which parallel dimension is switching off an important security check considered a good idea? Unbelievable!
TheVisitor
Posts: 5469
Joined: May 13th, 2012, 10:43 am

Re: Site blocked in IE & Edge not Nightly ?

Post by TheVisitor »

Soothsayer wrote:Thanks.

Are you sure the setting should be '8' though? The way I read 1366100, the new default is '2' and setting it back to '1' should give the old behaviour.

What an incredibly strange decision from Mozilla though. In which parallel dimension is switching off an important security check considered a good idea? Unbelievable!
Actually I"m not sure, thought I saw in 1366100 the value was '8', let me see if I can decipher the patch.

EDIT: Not sure where I got '8', it should be '1' and setting it there blocked the site as well. Thanks.
TheVisitor
Posts: 5469
Joined: May 13th, 2012, 10:43 am

Re: Site blocked in IE & Edge not Nightly ?

Post by TheVisitor »

Well if that isn't a kick (you know where) Performance over Security

bugs recently filed were WONTFIX -
https://bugzilla.mozilla.org/show_bug.cgi?id=1368523 Revoked certificates are accepted by Firefox [regression]
--- Comment #7 from David Keeler [:keeler] (use needinfo?) <dkeeler@mozilla.com> 2017-05-31 16:15:12 PDT --- This article provides good background for this issue:
https://www.imperialviolet.org/2014/04/ ... cking.html
Long story short is active OCSP doesn't prevent attacks, it makes the TLS handshake slower, and there are some privacy concerns. Consequently, we're experimenting with disabling it. Since revocation is sometimes essential, Mozilla has a mechanism similar to Chrome's CRLSets (we call it OneCRL).
Again for those that want the security for 'Revoked Certs'
Setting pref: security.OCSP.enabled to '2' reverts to the old behavior and the site is not blocked on 'revoked cert'.

I strongly suspect that any performance 'hit' will not even noticed by the end user.

I've not read yet the above link and the developer did not explain if 'OneCRL' is in latest Nightly or still to come. I feel they have put ALL Nightly testers at risk for exploits through a malicious site with a revoked cert.

I for one am getting tired of the 'When I grow up I wanna be just like Chrome' attitude of Mozilla lately. Might be getting close to going back to IE11 and just kiss Firefox bye-bye, and cut my losses for 14 years of dedication/support and troubleshooting.
Post Reply