On Sun, Sep 13, 2015 at 2:56 PM, AnilG <[email protected]> wrote:

> Thanks Chris, I'll follow up with IT on this question.
>

You can check yourself if the chain you see chains up to the right root. In
Chrome, click on the lock icon in the location bar, click the Connection
Tab, and then click "Certificate information". This opens the Certificate
Viewer. There, click the Details Tab and inspect the Certificate Hierarchy
and each certificate's Certificate Fields. The root certificate should
match the certificate your IT department gave you.

> Sounds like something basic but perhaps not so obvious if the IT preferred
> (and test) browser (Chrome) is more permissive? But surely this is so basic
> that (even) Chrome can't pretend a site is secured if there's no link to
> the root certificate?
>

Chrome is not known for being permissive about certificate checking. :) And
no, it's (I hope) very unlikely that Chrome is calling a certificate OK
even without being able to chain to a root in your machine's root
certificate store. You can verify that by following the steps above.

Also, what does Safari do?

> I'm also following this up on evangelism@moz. I've got the impression that
> there's global dissatisfaction with FF being "too strict" and it *seems*
> like it's harder to get FF to "work" for IT? Or perhaps they just know
> Chrome and not FF?
>

I also would not blame Firefox for being "too strict" here. Firefox's
certificate validation policies are in line with industry norms. You
shouldn't want any browser to blindly allow you to visit sites that should
be secure but can't be validated as such due to a problem with the
certificate chain.

Keep in mind, your deployment scenario (enterprise MITM — presumably
predicated on 'anti-virus' or 'data loss prevention') is identical to an
actual attack, except that the IT department owns the computer and
therefore it is OK for them to install this new root certificate. But no
browser can 'know' that, except by seeing and using the certificate. So the
good browser fails closed.
> For me I'm currently working in Chrome because I *can't* work in FF. It's
> been days now so this probably means I'm the last guy in my organisation
> still hanging on to FF. I'm worried that this may be a global issue cutting
> FF out of commercial (firewalled) use.
>

That is unlikely. Firefox is fine for these uses, and I'm sure it will turn
out to be a glitch in the deployment or configuration.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
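The point made in the reply above, that a browser can only accept an enterprise MITM certificate once the corresponding root is in the machine's trust store and otherwise fails closed, can be reproduced outside a browser. The following Go program is an added example, not code from the thread or from Mozilla: it constructs a stand-in "Example Corp Enterprise Root" and a leaf certificate for a made-up host, then runs the same path validation a client performs, once with the root in the trust store and once without. All names, keys and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname for the leaf certificate; not a real site.
const intranetHost = "intranet.example.internal"

// chainFixture holds the constructed enterprise root and the leaf it issued.
type chainFixture struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// buildFixture creates a self-signed CA (standing in for the root an IT
// department distributes) and a server certificate signed by that CA.
func buildFixture() (*chainFixture, error) {
	now := time.Now()

	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Enterprise Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Parent == template makes the root self-signed.
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: intranetHost},
		DNSNames:     []string{intranetHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf is signed by the root's private key, so it chains to the root.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &chainFixture{Root: root, Leaf: leaf}, nil
}

// VerifyLeaf runs standard path validation for the leaf against the given
// trust store and hostname. A nil result means a client would accept the
// certificate; otherwise the error explains why it fails closed.
func VerifyLeaf(f *chainFixture, trusted *x509.CertPool, host string) error {
	_, err := f.Leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     trusted, // a non-nil empty pool means "trust nothing", not "use system roots"
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ChainsToTrustedRoot reports whether the leaf validates when the enterprise
// root is (trustRoot=true) or is not (trustRoot=false) in the trust store.
func ChainsToTrustedRoot(f *chainFixture, trustRoot bool) bool {
	pool := x509.NewCertPool()
	if trustRoot {
		pool.AddCert(f.Root) // what installing the IT-provided root does
	}
	return VerifyLeaf(f, pool, intranetHost) == nil
}

func main() {
	f, err := buildFixture()
	if err != nil {
		panic(err)
	}
	fmt.Println("root installed:   accepted =", ChainsToTrustedRoot(f, true))
	fmt.Println("root not installed: accepted =", ChainsToTrustedRoot(f, false))
	withRoot := x509.NewCertPool()
	withRoot.AddCert(f.Root)
	fmt.Println("wrong hostname:    ", VerifyLeaf(f, withRoot, "other.example.internal"))
}
```

The second and third cases are the ones a browser reports as a certificate error: with the root absent the chain terminates in an unknown authority, and even with the root present a name that does not match the certificate is rejected. Comparing the root shown in Chrome's Certificate Viewer with the one IT distributed is the manual equivalent of the `pool.AddCert(f.Root)` step.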