public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Is this a bug in firefox-36.0?
@ 2015-03-17 23:49 walt
  2015-03-18  0:47 ` Daniel Frey
                   ` (4 more replies)
  0 siblings, 5 replies; 20+ messages in thread
From: walt @ 2015-03-17 23:49 UTC
  To: gentoo-user

I get a certificate verification error when visiting https://www.att.com
using firefox-36.0, but not when using chrome-41.0.2272.76.

Anyone else see the same with firefox-36?

BTW, I tried the latest firefox in a Win7 virtual machine and I was
shocked to see that firefox was updating itself when I was logged in
as an unprivileged user (i.e. *not* an Administrator).  Are the idiots
at M$ *really* that stupid?  They've learned nothing, apparently, since
Win 95 :(

BTW, the Win7 firefox also flagged an error when visiting the web site
I mentioned above, but the error was displayed so subtly that I would
have missed it if I hadn't been looking for it specifically.  Very bad
behavior.




* Re: [gentoo-user] Is this a bug in firefox-36.0?
  2015-03-17 23:49 [gentoo-user] Is this a bug in firefox-36.0? walt
@ 2015-03-18  0:47 ` Daniel Frey
  2015-03-18  1:15   ` [gentoo-user] " walt
  2015-03-18 19:42   ` »Q«
  2015-03-18  1:07 ` [gentoo-user] " Zhu Sha Zang
                   ` (3 subsequent siblings)
  4 siblings, 2 replies; 20+ messages in thread
From: Daniel Frey @ 2015-03-18  0:47 UTC
  To: gentoo-user

On 03/17/2015 04:49 PM, walt wrote:
> I get a certificate verification error when visiting https://www.att.com
> using firefox-36.0, but not when using chrome-41.0.2272.76.
> 
> Anyone else see the same with firefox-36?

I haven't tried, honestly. But I have had problems with Firefox not
including some intermediary certificates before. That breaks the whole
chain of trust.

> BTW, I tried the latest firefox in a Win7 virtual machine and I was
> shocked to see that firefox was updating itself when I was logged in
> as an unprivileged user (i.e. *not* an Administrator).  Are the idiots
> at M$ *really* that stupid?  They've learned nothing, apparently, since
> Win 95 :(

Remove the 'Mozilla Maintenance Service' from Programs & Features (or
whatever it's called) and it won't auto update. Mozilla installs a
privileged service that auto updates its software.


Dan



* Re: [gentoo-user] Is this a bug in firefox-36.0?
  2015-03-17 23:49 [gentoo-user] Is this a bug in firefox-36.0? walt
  2015-03-18  0:47 ` Daniel Frey
@ 2015-03-18  1:07 ` Zhu Sha Zang
  2015-03-18  3:53 ` Fernando Rodriguez
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 20+ messages in thread
From: Zhu Sha Zang @ 2015-03-18  1:07 UTC
  To: gentoo-user

On 03/17/2015 07:49 PM, walt wrote:
> I get a certificate verification error when visiting https://www.att.com
> using firefox-36.0, but not when using chrome-41.0.2272.76.
>
> Anyone else see the same with firefox-36?
>
> BTW, I tried the latest firefox in a Win7 virtual machine and I was
> shocked to see that firefox was updating itself when I was logged in
> as an unprivileged user (i.e. *not* an Administrator).  Are the idiots
> at M$ *really* that stupid?  They've learned nothing, apparently, since
> Win 95 :(
>
> BTW, the Win7 firefox also flagged an error when visiting the web site
> I mentioned above, but the error was displayed so subtly that I would
> have missed it if I hadn't been looking for it specifically.  Very bad
> behavior.
>
>
I don't know if the test includes logging in to the page. As I don't have 
login information, I was only able to access the site:

Everything normal here.

Best Regards



* [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-18  0:47 ` Daniel Frey
@ 2015-03-18  1:15   ` walt
  2015-03-18  2:34     ` Daniel Frey
  2015-03-18 19:42   ` »Q«
  1 sibling, 1 reply; 20+ messages in thread
From: walt @ 2015-03-18  1:15 UTC
  To: gentoo-user

On 03/17/2015 05:47 PM, Daniel Frey wrote:
> Mozilla installs a
> privileged service that auto updates its software.

Interesting.  I didn't know about 'privileged services' in Windows.
I hope M$ grants these 'privileges' carefully.





* Re: [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-18  1:15   ` [gentoo-user] " walt
@ 2015-03-18  2:34     ` Daniel Frey
  0 siblings, 0 replies; 20+ messages in thread
From: Daniel Frey @ 2015-03-18  2:34 UTC
  To: gentoo-user

On 03/17/2015 06:15 PM, walt wrote:
> On 03/17/2015 05:47 PM, Daniel Frey wrote:
>> Mozilla installs a
>> privileged service that auto updates its software.
> 
> Interesting.  I didn't know about 'privileged services' in Windows.
> I hope M$ grants these 'privileges' carefully.

You mean the user. Any app can install a service like that if the user
lets them. I'm assuming Mozilla's service runs as a SYSTEM user so it
can modify things, but I've never cared enough to look. I always remove
the Mozilla Maintenance Service and update manually.

Dan




* Re: [gentoo-user] Is this a bug in firefox-36.0?
  2015-03-17 23:49 [gentoo-user] Is this a bug in firefox-36.0? walt
  2015-03-18  0:47 ` Daniel Frey
  2015-03-18  1:07 ` [gentoo-user] " Zhu Sha Zang
@ 2015-03-18  3:53 ` Fernando Rodriguez
  2015-03-18  6:56   ` Mick
  2015-03-18  4:48 ` Fernando Rodriguez
  2015-03-18 23:41 ` [gentoo-user] " walt
  4 siblings, 1 reply; 20+ messages in thread
From: Fernando Rodriguez @ 2015-03-18  3:53 UTC
  To: gentoo-user

On Tuesday, March 17, 2015 4:49:54 PM walt wrote:
> I get a certificate verification error when visiting https://www.att.com
> using firefox-36.0, but not when using chrome-41.0.2272.76.
> 
> Anyone else see the same with firefox-36?
> 
> BTW, I tried the latest firefox in a Win7 virtual machine and I was
> shocked to see that firefox was updating itself when I was logged in
> as an unprivileged user (i.e. *not* an Administrator).  Are the idiots
> at M$ *really* that stupid?  They've learned nothing, apparently, since
> Win 95 :(
> 
> BTW, the Win7 firefox also flagged an error when visiting the web site
> I mentioned above, but the error was displayed so subtly that I would
> have missed it if I hadn't been looking for it specifically.  Very bad
> behavior.
> 

Technically the issue is with att's SSL certificate. It may be that they got a 
cheap certificate (meaning it provides encryption but the CA did not verify 
that ATT is a legit company) or it may be an issue with the certificate.

It doesn't give any warning for me, it just shows an exclamation next to the 
address and the latest chromium does the same (it shows a triangle) and it 
gives you more info: "The identity of this website has been verified by Verizon 
Akamai SureServer CA G14-SHA1 but does not have public audit records."

If you're concerned about it contact AT&T and let them know.


-- 
Fernando Rodriguez


* Re: [gentoo-user] Is this a bug in firefox-36.0?
  2015-03-17 23:49 [gentoo-user] Is this a bug in firefox-36.0? walt
                   ` (2 preceding siblings ...)
  2015-03-18  3:53 ` Fernando Rodriguez
@ 2015-03-18  4:48 ` Fernando Rodriguez
  2015-03-18 23:41 ` [gentoo-user] " walt
  4 siblings, 0 replies; 20+ messages in thread
From: Fernando Rodriguez @ 2015-03-18  4:48 UTC
  To: gentoo-user

On Tuesday, March 17, 2015 4:49:54 PM walt wrote:
> BTW, I tried the latest firefox in a Win7 virtual machine and I was
> shocked to see that firefox was updating itself when I was logged in
> as an unprivileged user (i.e. *not* an Administrator).  Are the idiots
> at M$ *really* that stupid?  They've learned nothing, apparently, since
> Win 95 :(

At the risk of being flamed, the security model of NT operating systems is 
actually far superior to that of Linux with all the disaster kits. The problem 
is that Windows users don't want to be bothered with security settings. When 
they set the default to ask for password on vista they were flooded with 
negative feedback. MS being a commercial company would indeed be stupid not to 
give them what they want.

As a user you could use an unprivileged account and use runas just like sudo 
on Linux but that's too much for Windows users so they took it a step further, 
even if you got admin rights it will ask for permission (optionally password) 
before doing anything privileged, still users blindly click OK on those 
dialogs (like you did with firefox).

If firefox follows MS guidelines it won't let an unprivileged user (unless a 
user with admin rights explicitly sets an option allowing it, probably during 
install) update it, even if technically it can because you allowed it to install.

-- 
Fernando Rodriguez



* Re: [gentoo-user] Is this a bug in firefox-36.0?
  2015-03-18  3:53 ` Fernando Rodriguez
@ 2015-03-18  6:56   ` Mick
  0 siblings, 0 replies; 20+ messages in thread
From: Mick @ 2015-03-18  6:56 UTC
  To: gentoo-user

On Wednesday 18 Mar 2015 03:53:57 Fernando Rodriguez wrote:
> On Tuesday, March 17, 2015 4:49:54 PM walt wrote:
> > I get a certificate verification error when visiting https://www.att.com
> > using firefox-36.0, but not when using chrome-41.0.2272.76.
> > 
> > Anyone else see the same with firefox-36?
> > 
> > BTW, I tried the latest firefox in a Win7 virtual machine and I was
> > shocked to see that firefox was updating itself when I was logged in
> > as an unprivileged user (i.e. *not* an Administrator).  Are the idiots
> > at M$ *really* that stupid?  They've learned nothing, apparently, since
> > Win 95 :(
> > 
> > BTW, the Win7 firefox also flagged an error when visiting the web site
> > I mentioned above, but the error was displayed so subtly that I would
> > have missed it if I hadn't been looking for it specifically.  Very bad
> > behavior.
> 
> Technically the issue is with att's SSL certificate. It may be that they
> got a cheap certificate (meaning it provides encryption but the CA did
> not verify that ATT is a legit company) or it may be an issue with the
> certificate.
> 
> It doesn't give any warning for me, it just shows an exclamation next to
> the address and the latest chromium does the same (it shows a triangle)
> and it gives you more info: "The identity of this website has been
> verified by Verizon Akamai SureServer CA G14-SHA1 but does not have public
> audit records."
> 
> If you're concerned about it contact AT&T and let them know.

I also don't see a (pop-up) warning on Firefox 31.5.0 and Chromium 
41.0.2272.76, but both browsers complain about two things by means of 
exclamation marks in their address bar:

1. Some components on the page (pictures) are not secure.  It is common 
practice to load pictures from a picture library on a different server to 
where the main web page content is served, but they should secure all content 
with the same keys to avoid confusion.

2. The lack of Audit records for the wildcard certificate the site is using.  
This is a new security check and relates to certificate transparency, which 
aims to protect us from rogue or compromised CAs:

 http://www.certificate-transparency.org/what-is-ct


-- 
Regards,
Mick


* [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-18  0:47 ` Daniel Frey
  2015-03-18  1:15   ` [gentoo-user] " walt
@ 2015-03-18 19:42   ` »Q«
  1 sibling, 0 replies; 20+ messages in thread
From: »Q« @ 2015-03-18 19:42 UTC
  To: gentoo-user

On Tue, 17 Mar 2015 17:47:04 -0700
Daniel Frey <djqfrey@gmail.com> wrote:

> On 03/17/2015 04:49 PM, walt wrote:
> > I get a certificate verification error when visiting
> > https://www.att.com using firefox-36.0, but not when using
> > chrome-41.0.2272.76.
> > 
> > Anyone else see the same with firefox-36?

FWIW, I don't see an error with firefox-36.0.1 and nss-3.17.4

> > BTW, I tried the latest firefox in a Win7 virtual machine and I was
> > shocked to see that firefox was updating itself when I was logged in
> > as an unprivileged user (i.e. *not* an Administrator).  Are the
> > idiots at M$ *really* that stupid?  They've learned nothing,
> > apparently, since Win 95 :(
> 
> Remove the 'Mozilla Maintenance Service' from Programs & Features (or
> whatever it's called) and it won't auto update. Mozilla installs a
> privileged service that auto updates its software.

It will still auto-update, but it won't do so silently -- without the
service, automagic updates will trigger Windows' warning prompt.  To
just turn off autoupdate, there's a checkbox in the Firefox GUI. 






* [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-17 23:49 [gentoo-user] Is this a bug in firefox-36.0? walt
                   ` (3 preceding siblings ...)
  2015-03-18  4:48 ` Fernando Rodriguez
@ 2015-03-18 23:41 ` walt
  2015-03-18 23:46   ` Daniel Frey
                     ` (3 more replies)
  4 siblings, 4 replies; 20+ messages in thread
From: walt @ 2015-03-18 23:41 UTC
  To: gentoo-user

On 03/17/2015 04:49 PM, walt wrote:
> I get a certificate verification error when visiting https://www.att.com
> using firefox-36.0, but not when using chrome-41.0.2272.76.

Thanks to all who replied.  I'm surprised by the variety of different results
you reported.

(BTW, I'm running firefox-bin-36.0, so the behavior may be a bit different from
the gentoo build.)

FF will not even show me the secure att.com webpage.  I get an entire html page
with this (very big) error message:

Secure Connection Failed

An error occurred during a connection to www.att.com. The OCSP server experienced
an internal error. (Error code: sec_error_ocsp_server_error)

The page you are trying to view cannot be shown because the authenticity of the
received data could not be verified.

Please contact the website owners to inform them of this problem.


Am I the only one seeing this error message on firefox?  I'll try compiling the
gentoo version to see if the behavior is different.





* Re: [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-18 23:41 ` [gentoo-user] " walt
@ 2015-03-18 23:46   ` Daniel Frey
  2015-03-19  1:06   ` Fernando Rodriguez
                     ` (2 subsequent siblings)
  3 siblings, 0 replies; 20+ messages in thread
From: Daniel Frey @ 2015-03-18 23:46 UTC
  To: gentoo-user

On 03/18/2015 04:41 PM, walt wrote:
> On 03/17/2015 04:49 PM, walt wrote:
>> I get a certificate verification error when visiting https://www.att.com
>> using firefox-36.0, but not when using chrome-41.0.2272.76.
> 
> Thanks to all who replied.  I'm surprised by the variety of different results
> you reported.
> 
> (BTW, I'm running firefox-bin-36.0, so the behavior may be a bit different from
> the gentoo build.)
> 
> FF will not even show me the secure att.com webpage.  I get an entire html page
> with this (very big) error message:
> 
> Secure Connection Failed
> 
> An error occurred during a connection to www.att.com. The OCSP server experienced
> an internal error. (Error code: sec_error_ocsp_server_error)
> 
> The page you are trying to view cannot be shown because the authenticity of the
> received data could not be verified.
> 
> Please contact the website owners to inform them of this problem.
> 
> 
> Am I the only one seeing this error message on firefox?  I'll try compiling the
> gentoo version to see if the behavior is different.
> 
> 
> 

I'm using:

# equery list firefox
 * Searching for firefox ...
[IP-] [  ] www-client/firefox-36.0.1:0

(not the -bin)

and I also get the triangle in the URL stating the website doesn't
supply identity information. It does load for me, though.

Dan




* Re: [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-18 23:41 ` [gentoo-user] " walt
  2015-03-18 23:46   ` Daniel Frey
@ 2015-03-19  1:06   ` Fernando Rodriguez
  2015-03-19 10:57     ` walt
  2015-03-19  7:26   ` Marc Joliet
  2015-03-20  0:15   ` »Q«
  3 siblings, 1 reply; 20+ messages in thread
From: Fernando Rodriguez @ 2015-03-19  1:06 UTC
  To: gentoo-user

On Wednesday, March 18, 2015 4:41:25 PM walt wrote:
> On 03/17/2015 04:49 PM, walt wrote:
> > I get a certificate verification error when visiting https://www.att.com
> > using firefox-36.0, but not when using chrome-41.0.2272.76.
> 
> Thanks to all who replied.  I'm surprised by the variety of different results
> you reported.
> 
> (BTW, I'm running firefox-bin-36.0, so the behavior may be a bit different from
> the gentoo build.)
> 
> FF will not even show me the secure att.com webpage.  I get an entire html page
> with this (very big) error message:
> 
> Secure Connection Failed
> 
> An error occurred during a connection to www.att.com. The OCSP server experienced
> an internal error. (Error code: sec_error_ocsp_server_error)
> 
> The page you are trying to view cannot be shown because the authenticity of the
> received data could not be verified.
> 
> Please contact the website owners to inform them of this problem.
> 
> 

That sounds more like a networking issue. Are you behind a firewall? Is it 
possible that you somehow blocked their OCSP server? Can you bypass the 
firewall for testing?

It also looks like firefox caches the error:
http://superuser.com/questions/755755/sec-error-ocsp-server-error-when-trying-to-open-a-https-page
but you've been having this issue for a while and on more than one device now,
so it's not likely that it was a temporary problem.

-- 
Fernando Rodriguez



* Re: [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-18 23:41 ` [gentoo-user] " walt
  2015-03-18 23:46   ` Daniel Frey
  2015-03-19  1:06   ` Fernando Rodriguez
@ 2015-03-19  7:26   ` Marc Joliet
  2015-03-20  0:15   ` »Q«
  3 siblings, 0 replies; 20+ messages in thread
From: Marc Joliet @ 2015-03-19  7:26 UTC
  To: gentoo-user

On Wed, 18 Mar 2015 16:41:25 -0700
walt <w41ter@gmail.com> wrote:

[...]
> FF will not even show me the secure att.com webpage.  I get an entire html page
> with this (very big) error message:
> 
> Secure Connection Failed
> 
> An error occurred during a connection to www.att.com. The OCSP server experienced
> an internal error. (Error code: sec_error_ocsp_server_error)
> 
> The page you are trying to view cannot be shown because the authenticity of the
> received data could not be verified.
> 
> Please contact the website owners to inform them of this problem.
> 
> 
> Am I the only one seeing this error message on firefox?  I'll try compiling the
> gentoo version to see if the behavior is different.

OCSP has nothing to do with AT&T, it is a security feature that is supposed to
help verify the authenticity of certificates.  From what I've read on tech
news sites, it has fallen out of favor precisely due to issues like this
(Chrome has deactivated it, for example). See
https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol; also see
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning for one (the?)
replacement.

(Note that I am speaking as a user, so feel free to clarify if I'm not being
100% correct.)

As to how to work around it, perhaps it makes sense to turn the feature off?

HTH
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup


* [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-19  1:06   ` Fernando Rodriguez
@ 2015-03-19 10:57     ` walt
  2015-03-19 15:29       ` Fernando Rodriguez
  0 siblings, 1 reply; 20+ messages in thread
From: walt @ 2015-03-19 10:57 UTC
  To: gentoo-user

On 03/18/2015 06:06 PM, Fernando Rodriguez wrote:
> On Wednesday, March 18, 2015 4:41:25 PM walt wrote:
>> On 03/17/2015 04:49 PM, walt wrote:
>>> I get a certificate verification error when visiting https://www.att.com
>>> using firefox-36.0, but not when using chrome-41.0.2272.76.
>>
>> Thanks to all who replied.  I'm surprised by the variety of different results
>> you reported.
>>
>> (BTW, I'm running firefox-bin-36.0, so the behavior may be a bit different from
>> the gentoo build.)
>>
>> FF will not even show me the secure att.com webpage.  I get an entire html page
>> with this (very big) error message:
>>
>> Secure Connection Failed
>>
>> An error occurred during a connection to www.att.com. The OCSP server experienced
>> an internal error. (Error code: sec_error_ocsp_server_error)
>>
>> The page you are trying to view cannot be shown because the authenticity of the
>> received data could not be verified.
>>
>> Please contact the website owners to inform them of this problem.
>>
>>
> 
> That sounds more like a networking issue. Are you behind a firewall? Is it 
> possible that you somehow blocked their OCSP server? Can you bypass the 
> firewall for testing?

Wow, creepy.  I forced a warm reboot of my home wireless router and the problem
went away.  I now see the gray triangle with the ! and I have no idea how long
ago that started.  I probably just didn't notice it until this router screw-up
happened.  And I don't even want to think about why my home router suddenly
changed behavior :(





* Re: [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-19 10:57     ` walt
@ 2015-03-19 15:29       ` Fernando Rodriguez
  0 siblings, 0 replies; 20+ messages in thread
From: Fernando Rodriguez @ 2015-03-19 15:29 UTC
  To: gentoo-user

On Thursday, March 19, 2015 3:57:05 AM walt wrote:
> On 03/18/2015 06:06 PM, Fernando Rodriguez wrote:
> > On Wednesday, March 18, 2015 4:41:25 PM walt wrote:
> >> On 03/17/2015 04:49 PM, walt wrote:
> >>> I get a certificate verification error when visiting https://www.att.com
> >>> using firefox-36.0, but not when using chrome-41.0.2272.76.
> >>
> >> Thanks to all who replied.  I'm surprised by the variety of different results
> >> you reported.
> >>
> >> (BTW, I'm running firefox-bin-36.0, so the behavior may be a bit different from
> >> the gentoo build.)
> >>
> >> FF will not even show me the secure att.com webpage.  I get an entire html page
> >> with this (very big) error message:
> >>
> >> Secure Connection Failed
> >>
> >> An error occurred during a connection to www.att.com. The OCSP server experienced
> >> an internal error. (Error code: sec_error_ocsp_server_error)
> >>
> >> The page you are trying to view cannot be shown because the authenticity of the
> >> received data could not be verified.
> >>
> >> Please contact the website owners to inform them of this problem.
> >>
> >>
> > 
> > That sounds more like a networking issue. Are you behind a firewall? Is it 
> > possible that you somehow blocked their OCSP server? Can you bypass the 
> > firewall for testing?
> 
> Wow, creepy.  I forced a warm reboot of my home wireless router and the problem
> went away.  I now see the gray triangle with the ! and I have no idea how long
> ago that started.  I probably just didn't notice it until this router screw-up
> happened.  And I don't even want to think about why my home router suddenly
> changed behavior :(

It probably started Jan 20 when they renewed the certificate. See 
http://www.certificate-transparency.org/ev-ct-plan (from Mick's link). It 
refers to chrome but probably applies to firefox as well.

-- 
Fernando Rodriguez


* [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-18 23:41 ` [gentoo-user] " walt
                     ` (2 preceding siblings ...)
  2015-03-19  7:26   ` Marc Joliet
@ 2015-03-20  0:15   ` »Q«
  2015-03-21  0:18     ` walt
  3 siblings, 1 reply; 20+ messages in thread
From: »Q« @ 2015-03-20  0:15 UTC
  To: gentoo-user

On Wed, 18 Mar 2015 16:41:25 -0700
walt <w41ter@gmail.com> wrote:

> (BTW, I'm running firefox-bin-36.0, so the behavior may be a bit
> different from the gentoo build.)
> 
> FF will not even show me the secure att.com webpage.  I get an entire
> html page with this (very big) error message:
> 
> Secure Connection Failed
> 
> An error occurred during a connection to www.att.com. The OCSP server
> experienced an internal error. (Error code:
> sec_error_ocsp_server_error)
> 
> The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.

Why didn't you say so?  ;)

Enter "about:config" in the address bar, search for
"security.OCSP.require" and toggle it to false, which is the default
(Mozilla's shipped default, at least).  OCSP will still be checked when
possible, but you shouldn't be locked out any more when it's not
possible.




* [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-20  0:15   ` »Q«
@ 2015-03-21  0:18     ` walt
  2015-03-21  3:37       ` »Q«
  0 siblings, 1 reply; 20+ messages in thread
From: walt @ 2015-03-21  0:18 UTC
  To: gentoo-user

On 03/19/2015 05:15 PM, »Q« wrote:
>> The OCSP server
>> > experienced an internal error. (Error code:
>> > sec_error_ocsp_server_error)
>> > 
>> > The page you are trying to view cannot be shown because the
>> > authenticity of the received data could not be verified.

> Why didn't you say so?  ;)
> 
> Enter "about:config" in the address bar, search for
> "security.OCSP.require" and toggle it to false, which is the default
> (Mozilla's shipped default, at least).

Very interesting, thanks.

Now that I have an expert's brain to pick :)  maybe you can answer two
more questions for me:

I know I didn't change that flag myself, but something did.  Do you
know if firefox extensions/addons can change the items in about:config?

Second, I "fixed" the problem once by rebooting my wireless router, but
got the same error again early this morning -- which I "fixed" once again
by rebooting my wireless router.  This makes me worry that somebody out
there in the evil internet might be changing the security settings of my
router (which is owned by my ISP and has remotely updateable firmware).

Thanks again.
  





* [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-21  0:18     ` walt
@ 2015-03-21  3:37       ` »Q«
  2015-03-24  6:52         ` Mick
  0 siblings, 1 reply; 20+ messages in thread
From: »Q« @ 2015-03-21  3:37 UTC
  To: gentoo-user

On Fri, 20 Mar 2015 17:18:23 -0700
walt <w41ter@gmail.com> wrote:

> On 03/19/2015 05:15 PM, »Q« wrote:
> >> The OCSP server
> >> > experienced an internal error. (Error code:
> >> > sec_error_ocsp_server_error)
> >> > 
> >> > The page you are trying to view cannot be shown because the
> >> > authenticity of the received data could not be verified.
> 
> > Why didn't you say so?  ;)
> > 
> > Enter "about:config" in the address bar, search for
> > "security.OCSP.require" and toggle it to false, which is the default
> > (Mozilla's shipped default, at least).
> 
> Very interesting, thanks.
> 
> Now that I have an expert's brain to pick :)  maybe you can answer two
> more questions for me:
> 
> I know I didn't change that flag myself, but something did.  Do you
> know if firefox extensions/addons can change the items in
> about:config?

I won't cop to being an expert!  But yes, extensions can change
settings, and AFAIK if/when that happens there is no way to tell what
extension has done what to them.  If an extension changed that
particular setting, I'd guess it would be an extension meant to tighten
security.

> Second, I "fixed" the problem once by rebooting my wireless router,
> but got the same error again early this morning -- which I "fixed"
> once again by rebooting my wireless router.  This makes me worry that
> somebody out there in the evil internet might be changing the
> security settings of my router (which is owned by my ISP and has
> remotely updateable firmware).

Sorry, I have no idea how to investigate that.
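
For the about:config question in this exchange, an added example (not part of the thread): a script that lists which OCSP-related preferences in a Firefox profile differ from the defaults, without saying what changed them. prefs.js and user.js are Firefox's own profile files; the function names and the sample profile are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). prefs.js and user.js are the files
# Firefox keeps in a profile directory; function names and sample data are
# made up here.

# list_ocsp_prefs FILE...
# Print "file pref value" for every user_pref() line that sets an OCSP-related
# preference. prefs.js only stores values that differ from the built-in default.
list_ocsp_prefs() {
    local f line
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -n -E 's/^[[:space:]]*user_pref\("(security\.(OCSP\.[A-Za-z_.]+|ssl\.enable_ocsp_stapling))",[[:space:]]*(.*)\);[[:space:]]*$/\1 \3/p' "$f" |
            while IFS= read -r line; do
                printf '%s %s\n' "${f##*/}" "$line"
            done
    done
}

# effective_pref PREF FILE...
# Later files win, so pass prefs.js first and user.js second (user.js is
# re-applied at every start). Prints "default" when no file overrides PREF.
effective_pref() {
    local pref=$1
    shift
    list_ocsp_prefs "$@" |
        awk -v p="$pref" '$2 == p { v = $3 } END { print (v == "" ? "default" : v) }'
}

# write_sample_profile DIR: constructed prefs.js, for demonstration only.
write_sample_profile() {
    cat > "$1/prefs.js" <<'EOF'
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.OCSP.require", true);
user_pref("security.ssl.enable_ocsp_stapling", false);
EOF
}

# Usage: ./ocsp-prefs.sh /path/to/firefox/profile
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    list_ocsp_prefs "$1/prefs.js" "$1/user.js"
    printf 'security.OCSP.require is effectively: %s\n' \
        "$(effective_pref security.OCSP.require "$1/prefs.js" "$1/user.js")"
fi
```

A value of `true` for `security.OCSP.require` is the hard-fail setting that produces the full-page error quoted earlier whenever the OCSP responder cannot be reached.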




* Re: [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-21  3:37       ` »Q«
@ 2015-03-24  6:52         ` Mick
  2015-03-24  9:36           ` Peter Humphrey
  0 siblings, 1 reply; 20+ messages in thread
From: Mick @ 2015-03-24  6:52 UTC
  To: gentoo-user

On Saturday 21 Mar 2015 03:37:59 »Q« wrote:
> > Second, I "fixed" the problem once by rebooting my wireless router,
> > but got the same error again early this morning -- which I "fixed"
> > once again by rebooting my wireless router.  This makes me worry that
> > somebody out there in the evil internet might be changing the
> > security settings of my router (which is owned by my ISP and has
> > remotely updateable firmware).
> 
> Sorry, I have no idea how to investigate that.

Next time your router starts playing up, use nslookup and perhaps dig to query 
your router's DNS repeater, your ISP's resolvers and any other 3rd party DNS 
servers; e.g. openDNS, Google, or a DNS server from here:

http://www.circleid.com/posts/20110407_top_public_dns_resolvers_compared/

so that you can draw comparisons to help you determine where the problem lies.  
If it is your router, you can ask your ISP to replace it.

If the ISP is not cooperating, you could perhaps run your own local DNS resolver?

-- 
Regards,
Mick
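
The resolver comparison suggested in the message above, as an added example that is not part of the original post: it sends the same A-record query with dig to the router, the ISP resolver and a public resolver, then reports where the failure sits. The role labels, function names and sample results are constructed; resolver addresses are passed in by the caller.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Resolver addresses are supplied by the
# caller; the sample results below use documentation addresses and are made up.

# normalize_answers: reduce `dig +short` output to a sorted, comma-joined list
# of IPv4 addresses (CNAME targets and error text are dropped).
normalize_answers() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u | paste -sd, -
}

# query_one ROLE RESOLVER NAME: one A lookup, printed as "ROLE STATUS ANSWERS".
query_one() {
    local role=$1 resolver=$2 name=$3 out answers
    # dig exits non-zero when the server cannot be reached at all.
    if ! out=$(dig +short +time=3 +tries=1 A "$name" @"$resolver" 2>/dev/null); then
        printf '%s UNREACHABLE -\n' "$role"
        return 0
    fi
    answers=$(printf '%s\n' "$out" | normalize_answers)
    if [ -n "$answers" ]; then
        printf '%s OK %s\n' "$role" "$answers"
    else
        # Server replied but gave no address (e.g. SERVFAIL or NXDOMAIN).
        printf '%s NOANSWER -\n' "$role"
    fi
}

# locate_fault: read "ROLE STATUS ANSWERS" lines and print one verdict.
#   no-dns-fault  every resolver answered
#   router        the router's repeater failed while another resolver answered
#   upstream      the router answered but another resolver did not
#   all-failed    nothing answered (link down, or the name does not resolve)
# Differing address sets are not treated as a fault: CDN-hosted names commonly
# resolve to different addresses depending on which resolver is asked.
locate_fault() {
    awk '
        BEGIN { nok = 0; total = 0 }
        { seen[$1] = 1; total++ }
        $2 == "OK" { ok[$1] = 1; nok++ }
        END {
            if (total == 0)   { print "no-data"; exit }
            if (nok == total) { print "no-dns-fault"; exit }
            if (nok == 0)     { print "all-failed"; exit }
            if (("router" in seen) && !("router" in ok)) { print "router"; exit }
            print "upstream"
        }'
}

# sample_results: constructed output of three query_one calls.
sample_results() {
    printf '%s\n' \
        'router UNREACHABLE -' \
        'isp OK 203.0.113.10' \
        'public OK 203.0.113.10,203.0.113.11'
}

# Usage: ./dns-compare.sh --live NAME ROUTER_IP ISP_RESOLVER_IP PUBLIC_RESOLVER_IP
if [ "${1:-}" = "--live" ] && [ "$#" -eq 5 ]; then
    results=$(query_one router "$3" "$2"
              query_one isp    "$4" "$2"
              query_one public "$5" "$2")
    printf '%s\n' "$results"
    printf 'verdict: %s\n' "$(printf '%s\n' "$results" | locate_fault)"
fi
```

Running it against both the site's hostname and the OCSP responder's hostname while the error is showing tells you whether the responder lookup is what the router is failing on.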


* Re: [gentoo-user] Re: Is this a bug in firefox-36.0?
  2015-03-24  6:52         ` Mick
@ 2015-03-24  9:36           ` Peter Humphrey
  0 siblings, 0 replies; 20+ messages in thread
From: Peter Humphrey @ 2015-03-24  9:36 UTC
  To: gentoo-user

On Tuesday 24 March 2015 06:52:58 Mick wrote:

> Next time your router starts playing up, use nslookup and perhaps dig to
> query your router's DNS repeater, your ISP's resolvers and any other 3rd
> party DNS servers; e.g. openDNS, Google, or a DNS server from here:
> 
> http://www.circleid.com/posts/20110407_top_public_dns_resolvers_compared/
> 
> so that you can draw comparisons to help you determine where the problem
> lies. If it is your router, you can ask your ISP to replace it.
> 
> If the ISP is not cooperating, you could perhaps run your own local DNS
> resolver?

I do that here. Dnsmasq runs on a little box on the LAN and speeds up the 
whole Internet experience. It didn't help though when my router started 
misbehaving, as it still had to forward some queries and the router sat on 
those.

It was simple enough to reboot the router, once I'd found that was needed.

-- 
Rgds
Peter.


