bug#32833: IceCat 60 showing sites as "insecure" despite using HTTPS

unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed

* bug#32833: IceCat 60 showing sites as "insecure" despite using HTTPS
@ 2018-09-25  4:22 Mike Gerwitz
  2018-09-25 22:01 ` Mark H Weaver
  0 siblings, 1 reply; 6+ messages in thread
From: Mike Gerwitz @ 2018-09-25  4:22 UTC (permalink / raw)
  To: 32833

[-- Attachment #1: Type: text/plain, Size: 1090 bytes --]

I don't know if this is a problem specific to Guix or upstream; I can
give IceCat a try in a Debian VM tomorrow.  But I want to make others
aware of the problem in the meantime:

Even if sites are using HTTPS, IceCat is still saying "This connection
is insecure" if you click on the "i" icon in the URL bar.  This seems to
be a problem with every HTTPS site I visit.

On the "Security" tab of the "Page Info" dialog, under "Technical
Details", no certificate information is listed; it simply says
"Connection Not Encrypted".  That's clearly not true, otherwise the page
would fail to load.  I've tried with sites that use HSTS and don't even
support plaintext connections (e.g. my own)---the pages load just fine.

I haven't played around with sites with expired certificates or anything
yet.  But if IceCat is not reporting security status correctly, then
users may be at risk, so be careful in the meantime!

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#32833: IceCat 60 showing sites as "insecure" despite using HTTPS
  2018-09-25  4:22 bug#32833: IceCat 60 showing sites as "insecure" despite using HTTPS Mike Gerwitz
@ 2018-09-25 22:01 ` Mark H Weaver
  2018-09-26  0:16   ` Mark H Weaver
  0 siblings, 1 reply; 6+ messages in thread
From: Mark H Weaver @ 2018-09-25 22:01 UTC (permalink / raw)
  To: Mike Gerwitz; +Cc: 32833

severity 32833 critical
thanks

Hi Mike,

Mike Gerwitz <mtg@gnu.org> writes:
> Even if sites are using HTTPS, IceCat is still saying "This connection
> is insecure" if you click on the "i" icon in the URL bar.  This seems to
> be a problem with every HTTPS site I visit.
>
> On the "Security" tab of the "Page Info" dialog, under "Technical
> Details", no certificate information is listed; it simply says
> "Connection Not Encrypted".  That's clearly not true, otherwise the page
> would fail to load.  I've tried with sites that use HSTS and don't even
> support plaintext connections (e.g. my own)---the pages load just fine.
>
> I haven't played around with sites with expired certificates or anything
> yet.  But if IceCat is not reporting security status correctly, then
> users may be at risk, so be careful in the meantime!

Thanks for reporting this.  I see the same problem, which is a surprise.
I would have expected some notification that something went wrong, but I
don't remember any.

Given the severity of this issue, we should prioritize deploying a
working fix ASAP, even if it's an ugly hack or workaround.

To begin, I'm currently building IceCat using the bundled NSPR and NSS,
to see if that helps.  If that fails, I'll look more closely at IceCat's
customizations to the default "about:config" settings.  The 'strace'
output might also have some clues.

I would welcome others to make their own efforts to find a fix for this
issue, or to share their ideas.

> I don't know if this is a problem specific to Guix or upstream; I can
> give IceCat a try in a Debian VM tomorrow.

Please do.  It would be _very_ helpful to know if this problem is
Guix-specific.

    Thanks,
      Mark

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#32833: IceCat 60 showing sites as "insecure" despite using HTTPS
  2018-09-25 22:01 ` Mark H Weaver
@ 2018-09-26  0:16   ` Mark H Weaver
  2018-09-26  0:30     ` Mike Gerwitz
  0 siblings, 1 reply; 6+ messages in thread
From: Mark H Weaver @ 2018-09-26  0:16 UTC (permalink / raw)
  To: Mike Gerwitz; +Cc: 32833

Mark H Weaver <mhw@netris.org> writes:
> To begin, I'm currently building IceCat using the bundled NSPR and NSS,
> to see if that helps.

Using the bundled NSPR and NSS works around the problem for me.  I just
pushed this change in commit 6d328879378fac95240005233331f596fb5c68ed on
'master'.  See also the related, immediately preceding commits
257e3247910610fe24ae1b86f38e85552d53e48c and
94e96f7f68c3b9053fdb5dee5b0ab614163aaa08.

I'm keeping this bug report open, since it would be good to find a
better fix which avoids using the bundled libraries.

      Mark

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#32833: IceCat 60 showing sites as "insecure" despite using HTTPS
  2018-09-26  0:16   ` Mark H Weaver
@ 2018-09-26  0:30     ` Mike Gerwitz
  2018-09-26  4:55       ` Mike Gerwitz
  2023-08-29  3:40       ` bug#32833: IceCat 60 certificate validation fails when using system NSS Maxim Cournoyer
  0 siblings, 2 replies; 6+ messages in thread
From: Mike Gerwitz @ 2018-09-26  0:30 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 32833

[-- Attachment #1: Type: text/plain, Size: 976 bytes --]

On Tue, Sep 25, 2018 at 20:16:16 -0400, Mark H Weaver wrote:
> Mark H Weaver <mhw@netris.org> writes:
>> To begin, I'm currently building IceCat using the bundled NSPR and NSS,
>> to see if that helps.
>
> Using the bundled NSPR and NSS works around the problem for me.  I just
> pushed this change in commit 6d328879378fac95240005233331f596fb5c68ed on
> 'master'.  See also the related, immediately preceding commits
> 257e3247910610fe24ae1b86f38e85552d53e48c and
> 94e96f7f68c3b9053fdb5dee5b0ab614163aaa08.

Great!

> I'm keeping this bug report open, since it would be good to find a
> better fix which avoids using the bundled libraries.

I wish I knew enough to suggest a better solution.

It's a little late now, but I just tested the IceCat binary on a Debian
machine and HTTPS works as expected.

Thanks again for your work on this.  Maybe I'll let IceCat build
overnight so I can give it a try tomorrow (still on my X200).

-- 
Mike Gerwitz

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#32833: IceCat 60 showing sites as "insecure" despite using HTTPS
  2018-09-26  0:30     ` Mike Gerwitz
@ 2018-09-26  4:55       ` Mike Gerwitz
  2023-08-29  3:40       ` bug#32833: IceCat 60 certificate validation fails when using system NSS Maxim Cournoyer
  1 sibling, 0 replies; 6+ messages in thread
From: Mike Gerwitz @ 2018-09-26  4:55 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 32833

[-- Attachment #1: Type: text/plain, Size: 224 bytes --]

On Tue, Sep 25, 2018 at 20:30:57 -0400, Mike Gerwitz wrote:
> Thanks again for your work on this.  Maybe I'll let IceCat build
> overnight so I can give it a try tomorrow (still on my X200).

LGTM.

-- 
Mike Gerwitz

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#32833: IceCat 60 certificate validation fails when using system NSS
  2018-09-26  0:30     ` Mike Gerwitz
  2018-09-26  4:55       ` Mike Gerwitz
@ 2023-08-29  3:40       ` Maxim Cournoyer
  1 sibling, 0 replies; 6+ messages in thread
From: Maxim Cournoyer @ 2023-08-29  3:40 UTC (permalink / raw)
  To: Mike Gerwitz; +Cc: Mark H Weaver, 32833-done

Hello,

Mike Gerwitz <mtg@gnu.org> writes:

> On Tue, Sep 25, 2018 at 20:16:16 -0400, Mark H Weaver wrote:
>> Mark H Weaver <mhw@netris.org> writes:
>>> To begin, I'm currently building IceCat using the bundled NSPR and NSS,
>>> to see if that helps.
>>
>> Using the bundled NSPR and NSS works around the problem for me.  I just
>> pushed this change in commit 6d328879378fac95240005233331f596fb5c68ed on
>> 'master'.  See also the related, immediately preceding commits
>> 257e3247910610fe24ae1b86f38e85552d53e48c and
>> 94e96f7f68c3b9053fdb5dee5b0ab614163aaa08.
>
> Great!
>
>> I'm keeping this bug report open, since it would be good to find a
>> better fix which avoids using the bundled libraries.
>
> I wish I knew enough to suggest a better solution.
>
> It's a little late now, but I just tested the IceCat binary on a Debian
> machine and HTTPS works as expected.
>
> Thanks again for your work on this.  Maybe I'll let IceCat build
> overnight so I can give it a try tomorrow (still on my X200).

I'm closing this issue, since we're now using the Guix provided nss and
nspr packages for building IceCat since a while, and there doesn't
appear to be an issue with doing so.

-- 
Thanks,
Maxim




^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2023-08-29  3:41 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-09-25  4:22 bug#32833: IceCat 60 showing sites as "insecure" despite using HTTPS Mike Gerwitz
2018-09-25 22:01 ` Mark H Weaver
2018-09-26  0:16   ` Mark H Weaver
2018-09-26  0:30     ` Mike Gerwitz
2018-09-26  4:55       ` Mike Gerwitz
2023-08-29  3:40       ` bug#32833: IceCat 60 certificate validation fails when using system NSS Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).