Revoked certificates not trapped

[mrandreastoth]

Firefox Nightly (and most likely all editions) does not trap revoked certificates when such a site is visited (test facility to be provided in an update). This is highly concerning since the revolution of a certificate should be brought to the user's attention as it can indicate some concerning reasons why this was done, such as a previously OK site having gone rogue for whatever reason. Note that I have yet to find a browser, Firefox or otherwise, that actually handles revoked certificates. However, just because everyone fails does not mean Firefox should copy a bad habit, a habit that, according to the following link, goes way back...

https://www.zdnet.com/article/major-linux-rpm-problem-uncovered/

My suggestion: make all editions of Firefox warn on revoked certificates by default.

┆Issue is synchronized with this Jira Task

[Nickoriginal]

Confirmation: https://revoked.badssl.com/
No warning, no "Secure Connection Failed"

[mrandreastoth]

Confirmation: https://revoked.badssl.com/
No warning, no "Secure Connection Failed"

Interesting, my Firefox does the right thing and warns me, but I have used another test case for which it didn't. I must try to locate that test case when I can. Meanwhile I wonder why this test case worked. Could it be an extension that I have installed?

[Nickoriginal]

What extension do you have installed? I have only HTTPS Everywhere installed, but it doesn't warn me. 89.1.1, Android 10, 6.0.1

2021-07-02_15-16-50_001.mp4

[RachitKeertiDas]

I cannot reproduce this on the latest Fenix Nightly.

I get a "Secure Connection Failed" Error for https://revoked.badssl.com/ .

[Nickoriginal]

Tested in the latest Nightly 91.0a1 2021-07-01T17:41:24.496 on Samsung Galaxy A20s, Android 10, ETP disabled, no addons installed, app data was cleared before. Maybe there is a mistake with handling revoked certificates in my Firefox browsers?

2021-07-02_17-17-03_001.mp4

UPD 07.02: #20226 (comment)
#20226 (comment)
Confirmed in Nightly 91.0a1 2021-07-02T17:40:22.633 and 90.0.0-beta.6

[revolutionaryking7]

One thing I dislike how errors are handled..
It should clearly show why secure connection failed..
Is it because of certificate expired/revoked/unknown issuer etc

Not to forget unlike chromium browsers firefox android does not has option to view certificate details

[mrandreastoth]

What extension do you have installed? I have only HTTPS Everywhere installed, but it doesn't warn me. 89.1.1, Android 10, 6.0.1
2021-07-02_15-16-50_001.mp4

Hmm, I just realised all my security plug-ins (extensions) are disabled. So not sure what's going on.

[mrandreastoth]

One thing I dislike how errors are handled..
It should clearly show why secure connection failed..
Is it because of certificate expired/revoked/unknown issuer etc

Not to forget unlike chromium browsers firefox android does not has option to view certificate details

Absolutely agree. Knowing why can quite significantly affect a use's response. After all, a revoked certificate does suggest something fishy compared to an expired certificate, for example.

[mrandreastoth]

It's rather disconcerting that @Nickoriginal's Firefox doesn't fail. This must be investigated, understood, and resolved.

[Nickoriginal]

@mrandreastoth, I noticed, that https://revoked.badssl.com/ is starting to be flagged as dangerous after some time of browser use and, as you said, it doesn't depend on extensions because they can't call internal browser dialog pages. When opening it instantly after data cleaning (App Info -> Storage -> Clear data) Firefox does not show security notification in all editions on my device.
Do you can check my assumptions?

I must try to locate that test case when I can.

#20226 (comment)
You find it?

[Nickoriginal]

#20226 (comment)
Tracked as #19158

[stale]

See: #17373 This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.