From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: bug#32833: IceCat 60 showing sites as "insecure" despite using HTTPS
Date: Tue, 25 Sep 2018 18:01:19 -0400
Message-ID: <87o9clck40.fsf@netris.org>
References: <87k1nadx4v.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42118)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1g4vPD-0000R8-E4
	for bug-guix@gnu.org; Tue, 25 Sep 2018 18:02:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1g4vPA-0005of-1S
	for bug-guix@gnu.org; Tue, 25 Sep 2018 18:02:07 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:49876)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1g4vP9-0005nT-C2
	for bug-guix@gnu.org; Tue, 25 Sep 2018 18:02:03 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1g4vP9-0004fG-5b
	for bug-guix@gnu.org; Tue, 25 Sep 2018 18:02:03 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.32833.B32833.153791289717893@debbugs.gnu.org>
In-Reply-To: <87k1nadx4v.fsf@gnu.org> (Mike Gerwitz's message of "Tue, 25 Sep
	2018 00:22:24 -0400")
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: Mike Gerwitz <mtg@gnu.org>
Cc: 32833@debbugs.gnu.org

severity 32833 critical
thanks

Hi Mike,

Mike Gerwitz <mtg@gnu.org> writes:
> Even if sites are using HTTPS, IceCat is still saying "This connection
> is insecure" if you click on the "i" icon in the URL bar.  This seems to
> be a problem with every HTTPS site I visit.
>
> On the "Security" tab of the "Page Info" dialog, under "Technical
> Details", no certificate information is listed; it simply says
> "Connection Not Encrypted".  That's clearly not true, otherwise the page
> would fail to load.  I've tried with sites that use HSTS and don't even
> support plaintext connections (e.g. my own)---the pages load just fine.
>
> I haven't played around with sites with expired certificates or anything
> yet.  But if IceCat is not reporting security status correctly, then
> users may be at risk, so be careful in the meantime!

Thanks for reporting this.  I see the same problem, which is a surprise.
I would have expected some notification that something went wrong, but I
don't remember any.

Given the severity of this issue, we should prioritize deploying a
working fix ASAP, even if it's an ugly hack or workaround.

To begin, I'm currently building IceCat using the bundled NSPR and NSS,
to see if that helps.  If that fails, I'll look more closely at IceCat's
customizations to the default "about:config" settings.  The 'strace'
output might also have some clues.

I would welcome others to make their own efforts to find a fix for this
issue, or to share their ideas.

> I don't know if this is a problem specific to Guix or upstream; I can
> give IceCat a try in a Debian VM tomorrow.

Please do.  It would be _very_ helpful to know if this problem is
Guix-specific.

    Thanks,
      Mark