From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mike Gerwitz Subject: bug#32833: IceCat 60 showing sites as "insecure" despite using HTTPS Date: Tue, 25 Sep 2018 00:22:24 -0400 Message-ID: <87k1nadx4v.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:48496) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1g4ez6-0001iL-Bs for bug-guix@gnu.org; Tue, 25 Sep 2018 00:30:05 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1g4ez5-0001Zc-AP for bug-guix@gnu.org; Tue, 25 Sep 2018 00:30:04 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:48455) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1g4ez5-0001ZY-6z for bug-guix@gnu.org; Tue, 25 Sep 2018 00:30:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1g4ez5-0004qd-2b for bug-guix@gnu.org; Tue, 25 Sep 2018 00:30:03 -0400 Sender: "Debbugs-submit" Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:48032) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1g4eyb-0001TP-DR for bug-guix@gnu.org; Tue, 25 Sep 2018 00:29:34 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1g4esL-00052y-Mo for bug-guix@gnu.org; Tue, 25 Sep 2018 00:23:06 -0400 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:49375) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1g4esL-00052m-HC for bug-guix@gnu.org; Tue, 25 Sep 2018 00:23:05 -0400 Received: from localhost ([::1]:58178 helo=mikegerwitz-pc.gerwitz.local) by fencepost.gnu.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.82) (envelope-from ) id 1g4esK-0001WR-BH for bug-guix@gnu.org; Tue, 25 Sep 2018 00:23:05 -0400 List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: 32833@debbugs.gnu.org --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable I don't know if this is a problem specific to Guix or upstream; I can give IceCat a try in a Debian VM tomorrow. But I want to make others aware of the problem in the meantime: Even if sites are using HTTPS, IceCat is still saying "This connection is insecure" if you click on the "i" icon in the URL bar. This seems to be a problem with every HTTPS site I visit. On the "Security" tab of the "Page Info" dialog, under "Technical Details", no certificate information is listed; it simply says "Connection Not Encrypted". That's clearly not true, otherwise the page would fail to load. I've tried with sites that use HSTS and don't even support plaintext connections (e.g. my own)---the pages load just fine. I haven't played around with sites with expired certificates or anything yet. But if IceCat is not reporting security status correctly, then users may be at risk, so be careful in the meantime! =2D-=20 Mike Gerwitz Free Software Hacker+Activist | GNU Maintainer & Volunteer GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05 https://mikegerwitz.com --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJbqbgAAAoJEIyRe39dxRuiUCAQAK7X0IkzrupMHKTepe8Hk6kk oCQVWJPNaMcwEknghYFISg7LZJmP7AtlujzkTv85A4dvzeQKbMuOklQcJ3wbVmju PdxNThdSHJ/jGsDHM/P3spberUP+rC8XtFqGFefGHLdF0//PaLXwncEK8ePvUpai Y0EpyAiEl18B54sTNPijFA4jEXvNsaxnH87AdjcRLdb08M6DkShG6ND0VcAbdq8O 5HBkmr2USH/bJx7aatR3ItT9uMR4vaaCJ9j+6iMEltZAmWPVum8Jcj/AmKeNgBKf t+tBQftuzW6N7kV5TGcY6J2ROaMp5TI32PQCYpmAyYY8vaDEb26PDZDaIZ4aDDtj 9Ay1aSjyrLQBLo002gKEvIkcnOQpoafHSc+BJAGbb3qZRn2QQ0oh99wOZWh9pRWv jRI4Ts5DXBGMM/KPk2uNQvoworaZW11h3w2t8xAS3UqA0Z7xBt5idXBXK8M/NhUg Qs2G8FTR6PyqF6LMhGlFjfHe21gsJ/aUf20RFw8lUdJWSG+Etpxqj4ayPpcmHfZh 1i/KZlfktAu4FLp/lqlqfdcVxJfVf1fL5M9WZ4zYlRCAh+SmZb7n/L7dbTPAzmOO vQpaetoNjxpgzpP3cqHpibk9X9c1BYGDlvcWWRIO3YhZ1M4NiGe13//GMTaDFbgs oxu8drjYbE/EltEfw4CA =Iw+E -----END PGP SIGNATURE----- --=-=-=--