Re: [Firefox] Sometimes EV SSL indicators missing, F5 fixes it
Hi Tanvi, From your description, it sounds like bug https://bugzilla.mozilla.org/show_bug.cgi?id=947079 where an insecure load that is not associated with your employers page is causing the browser to classify the page as mixed content. thanks for pointing me in the right direction. I told both customers to open our page in a new tab to work around this issue until the patch gets incorporated into firefox. Regards, Marcel -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
[Firefox] Sometimes EV SSL indicators missing, F5 fixes it
Hi list, in #security it was suggested i would post to this list rather than discussing the issue in IRC. My employer runs a website secured with an EV SSL cert issued by Comodo and tell all our customers on the login page that they should only enter their credentials if the address bar of their browser is indicating an EV SSL cert (green address bar, company name etc. with some screenshots for the average user). For the 2nd time in many months a customer reported to us that his firefox rendered the page but did *not* display a green address bar and no company name was visible. Instead firefox displayed an exclamation mark with the text This website does not supply identity information. when clicking on it. The customer sent screenshots to me confirming that he indeed got the right certificate - fingerprint and serial number matches so i guess there is no MITM taking place. Without restarting the firefox browser but only by pressing F5 firefox happily displayed all the EV SSL indicators while reloading the page. The page is hosted via Cloudflare (reverse proxy) but this shouldn't matter since the customer really is getting the right certificate. At first we suspected that the connection to the OCSP server failed but with the customers settings pasted below this should not be possible: security.OCSP.enabled = 1 security.OCSP.require = true about: version 32.0.3 Build identifier: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 about:buildconfig Build Machine toyol Build platform target x86_64-pc-linux-gnu Build tools Compiler Version Compiler flags gcc 4.8.2 -Wall -Wpointer-arith -Wdeclaration-after-statement -Werror=return-type -Werror=int-to-pointer-cast -Wtype-limits -Wempty-body -Wsign-compare -Wno-unused -Wcast-align -std=gnu99 -fgnu89-inline -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe c++ 4.8.2 -Wall -Wpointer-arith -Woverloaded-virtual -Werror=return-type -Werror=int-to-pointer-cast -Wtype-limits -Wempty-body -Wsign-compare -Wno-invalid-offsetof -Wcast-align -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g -Os -freorder-blocks -fomit-frame-pointer Configure arguments --host=x86_64-linux-gnu --prefix=/usr --libexecdir=/usr/lib/firefox --with-l10n-base=/build/buildd/firefox-32.0.3+build1/./l10n --srcdir=/build/buildd/firefox-32.0.3+build1/. --enable-release --disable-install-strip --disable-updater --enable-application=browser --enable-startup-notification --with-distribution-id=com.ubuntu --enable-optimize --enable-tests --enable-crashreporter --with-branding=browser/branding/official --disable-gnomevfs --enable-gio --enable-update-channel=release --disable-debug --disable-elf-hack --enable-gstreamer=1.0 --with-google-api-keyfile=/build/buildd/firefox-32.0.3+build1/debian/g ii firefox 32.0.3+build1-0ubuntu0.14.04.1 ii firefox-locale-en32.0.3+build1-0ubuntu0.14.04.1 ii libcurl3:amd64 7.35.0-1ubuntu2.1 ii libgnutls-openssl27:amd642.12.23-12ubuntu2.1 ii libnss-mdns:amd640.10-6 ii libnss3:amd642:3.17.1-0ubuntu0.14.04.1 ii libnss3-1d:amd64 2:3.17.1-0ubuntu0.14.04.1 ii libnss3-nssdb2:3.17.1-0ubuntu0.14.04.1 ii rhythmbox-mozilla3.0.2-0ubuntu2 ii totem-mozilla3.10.1-1ubuntu4 ii unity-scope-firefoxbookmarks 0.1+13.10.20130809.1-0ubuntu1 ii xul-ext-ubufox 2.9-0ubuntu0.14.04.1 ii xul-ext-unity3.0.0+14.04.20140416-0ubuntu1 ii xul-ext-webaccounts 0.5-0ubuntu2 ii xul-ext-websites-integration 2.3.6+13.10.20130920.1-0ubuntu1 Any ideas what might cause this no-EV-indicators-press-F5-then-all-is-fine behaviour? Since the customers initial report to us he was able to reproduce the issue two more times. Regards Marcel -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: [Firefox] Sometimes EV SSL indicators missing, F5 fixes it
Hi Marcel, Thanks for reporting this issue! From your description, it sounds like bug https://bugzilla.mozilla.org/show_bug.cgi?id=947079 where an insecure load that is not associated with your employers page is causing the browser to classify the page as mixed content. We have a fix in the bug and it is under review. ~Tanvi On 10/8/14 2:10 AM, Marcel Meckel wrote: Hi list, in #security it was suggested i would post to this list rather than discussing the issue in IRC. My employer runs a website secured with an EV SSL cert issued by Comodo and tell all our customers on the login page that they should only enter their credentials if the address bar of their browser is indicating an EV SSL cert (green address bar, company name etc. with some screenshots for the average user). For the 2nd time in many months a customer reported to us that his firefox rendered the page but did *not* display a green address bar and no company name was visible. Instead firefox displayed an exclamation mark with the text This website does not supply identity information. when clicking on it. The customer sent screenshots to me confirming that he indeed got the right certificate - fingerprint and serial number matches so i guess there is no MITM taking place. Without restarting the firefox browser but only by pressing F5 firefox happily displayed all the EV SSL indicators while reloading the page. The page is hosted via Cloudflare (reverse proxy) but this shouldn't matter since the customer really is getting the right certificate. At first we suspected that the connection to the OCSP server failed but with the customers settings pasted below this should not be possible: security.OCSP.enabled = 1 security.OCSP.require = true about: version 32.0.3 Build identifier: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 about:buildconfig Build Machine toyol Build platform target x86_64-pc-linux-gnu Build tools Compiler Version Compiler flags gcc 4.8.2 -Wall -Wpointer-arith -Wdeclaration-after-statement -Werror=return-type -Werror=int-to-pointer-cast -Wtype-limits -Wempty-body -Wsign-compare -Wno-unused -Wcast-align -std=gnu99 -fgnu89-inline -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe c++ 4.8.2 -Wall -Wpointer-arith -Woverloaded-virtual -Werror=return-type -Werror=int-to-pointer-cast -Wtype-limits -Wempty-body -Wsign-compare -Wno-invalid-offsetof -Wcast-align -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g -Os -freorder-blocks -fomit-frame-pointer Configure arguments --host=x86_64-linux-gnu --prefix=/usr --libexecdir=/usr/lib/firefox --with-l10n-base=/build/buildd/firefox-32.0.3+build1/./l10n --srcdir=/build/buildd/firefox-32.0.3+build1/. --enable-release --disable-install-strip --disable-updater --enable-application=browser --enable-startup-notification --with-distribution-id=com.ubuntu --enable-optimize --enable-tests --enable-crashreporter --with-branding=browser/branding/official --disable-gnomevfs --enable-gio --enable-update-channel=release --disable-debug --disable-elf-hack --enable-gstreamer=1.0 --with-google-api-keyfile=/build/buildd/firefox-32.0.3+build1/debian/g ii firefox 32.0.3+build1-0ubuntu0.14.04.1 ii firefox-locale-en 32.0.3+build1-0ubuntu0.14.04.1 ii libcurl3:amd64 7.35.0-1ubuntu2.1 ii libgnutls-openssl27:amd642.12.23-12ubuntu2.1 ii libnss-mdns:amd640.10-6 ii libnss3:amd642:3.17.1-0ubuntu0.14.04.1 ii libnss3-1d:amd64 2:3.17.1-0ubuntu0.14.04.1 ii libnss3-nssdb2:3.17.1-0ubuntu0.14.04.1 ii rhythmbox-mozilla3.0.2-0ubuntu2 ii totem-mozilla3.10.1-1ubuntu4 ii unity-scope-firefoxbookmarks 0.1+13.10.20130809.1-0ubuntu1 ii xul-ext-ubufox 2.9-0ubuntu0.14.04.1 ii xul-ext-unity3.0.0+14.04.20140416-0ubuntu1 ii xul-ext-webaccounts 0.5-0ubuntu2 ii xul-ext-websites-integration 2.3.6+13.10.20130920.1-0ubuntu1 Any ideas what might cause this no-EV-indicators-press-F5-then-all-is-fine behaviour? Since the customers initial report to us he was able to reproduce the issue two more times. Regards Marcel -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto