View Site Certificate #8400
Comments
vesta0
added
Feature:Toolbar
vesta0
added
eng:ready
|
@vesta0 Is there anything left to do here? |
|
@mcarare this feature has not been built yet (can't view site certificate in mobile) but it's also not a priority for now that we have the "verified by" part in the app. |
perhaps the bigger problem is when the certificate can't be verified. if trust anchors are missing, or even if your clock is wrong, you are getting the same generic message with the only option to “accept the risk and continue”. no certificate information whatsoever, not even any clue as to what exactly went wrong. even more surprisingly, when you do in fact “accept the risk and continue”—without knowing what risk you are accepting—the app shows you the lock icon 🔒, and if you tap on it, you can see that the connection suddenly became “secure” and “verified”... !? ...that is, if the button works at all. i've got a website that upon clicking “accept the risks and continue” simply displays the button again. so i have no idea what's going on there. compare this to chrome that not only displays the certificates in all cases—even when they can't be verified—but also shows helpful messages such as “your clock is behind”. and it also displays a warning icon ⚠ in the toolbar instead of the lock if you decide to accept the risks. |
|
Hi @oakkitten, |
|
I've had a bunch of people email me about this today. I think all the code for |
|
How can we get this implemented asap? |
This is not working on latest stable version of Firefox for Android. |
|
It works on latest Nightly version which is a good workaround for a lot of people until it gets implemented. |
|
Just to expand on this, in case anybody still thinks that showing "verified by" is enough for most users and this shouldn't be high priority: anybody can go out and register Worse, plenty of major companies do buy and use other TLDs -- I came to this issue because Asus sent me an email with a link to
and it's just not safe to use a browser that does not have this feature. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment was marked as resolved.
This comment was marked as resolved.
|
I don't understand how the lack of a core security functionality in a browser that used to bill itself as one of the most secure could be considered "not a priority" Being able to view detailed certificate information, not just who issued it, is critical to the functionality of the HTTPS and SSL trust model. And the fact that this "feature request" is over a year old is proof of how far Mozilla has fallen. It is truly sad. |
|
I try to keep a civil tone, and I generally disapprove of people feeling entitled to whatever feature they want from an open-source project when people are volunteering their time to maintain it. But this is actually a really big deal. Like Dreki, I also am genuinely sad that Firefox -- the browser to beat when the internet came into its own in the early 2000s, the one we all rallied around in the bad old days when IE set the standards -- that Firefox has glaring omissions like this one. I understand the negative reaction, it's really frustrating that I feel stuck with Chrome, because every time I try to switch back to FF I run into a problem like this one, and I either find an issue marked "wontfix", or an open ticket with no activity for several years. (My record for this exact situation is 14 years.) |
|
Are there any updates on this? Edit: Related reading https://www.ise.io/casestudies/fighting-back-against-ssl-inspection-or-how-ssl-should-work/index.html It seems like we are losing control or knowledge over things like what root CAs or sub CAs, certificate chains and now we are just supposed to trust and not ask questions about how the security of our personal data was verified. |
|
Just thought I would provide more examples of why this egregious security oversight that is "not a priority" should probably be fixed. https://community.letsencrypt.org/t/using-bgp-to-acquire-bogus-tls-certificates/38627 Just to be clear "verified by" provides exactly zero protection against this attack. Core security functionality has now been missing from Firefox mobile(and most other mobile browsers) for over two years |
|
I generally agree that FF still needs to implement this feature, but the article you linked to describes an issue that the user agent simply can't address. No browser on desktop or mobile is going to show the user the CA chain used by every CDN server that contributed resources to the page, and of course no user is going to check all of them manually on every page load. The article is right that more secure DNS (and IMHO broad adoption of certificate pinning) would solve the fundamental problem, moreso than anything the browser could do. (At least you can probably answer your previous question about whether your connection is being inspected by your workplace now, since they added "Verified By" at some point.) |
|
Moved to bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1813945 Change performed by the Move to Bugzilla add-on. |
Why/User Benefit/User Problem
User Story
As a user, I want to be able to view the site certification, so I have more control and transparency over my browsing experience.
Dependencies:
Acceptance Criteria
-I can view the certificate for each site that I browse.
┆Issue is synchronized with this Jira Story
The text was updated successfully, but these errors were encountered: