
"strong security" means Firefox no longer "works"


Anil Gulati

Sep 8, 2015, 7:21:50 PM
to evang...@lists.mozilla.org
Dear Moz Evangelism, I'm a looong time Firefox user and love it.
Currently I'm losing it.

I want to ask about Firefox security implementation, possibly HSTS?
Firefox seems to implement strict-er security in comparison to Chrome.

Our IT department have been making changes to implement SSO including
using a SAML identity provider with Google services.

From the perspective of our ICT support it's been starting to look
like Firefox doesn't work. We've gone from Firefox as the recommended
browser, to Chrome being recommended, and today I've got a support
request open because I can't use Firefox at all. There is a risk that
Firefox will become unsupported in our organisation simply because
Chrome implements looser security, but at least it "works".

This doesn't look like a simple problem to solve. I'm not sure of the
details but we seem to be forwarding SSL certs from outside our
network and then they look like they're issued by us. Some sites allow
a security exception to be recorded. Others just don't. You can either
press the "Get me out of here button" or just sit there reading the
error message. I can't even access MDN using FF.

I'm writing to evangelism because I believe this is an issue for lots
of people and could be damaging the market share of the world's best
browser. Can you help me respond to my ICT department to make FF work?
It's hard to evangelise FF when it doesn't "work".

MDN:

Secure Connection Failed
The connection to developer.mozilla.org was interrupted while the page
was loading.
The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
This Connection is Untrusted

Google:

You have asked Firefox to connect securely to mail.google.com, but we
can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted
identification to prove that you are going to the right place.
However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could
mean that someone is trying to impersonate the site, and you shouldn't
continue.
This site uses HTTP Strict Transport Security (HSTS) to specify that
Firefox only connect to it securely. As a result, it is not possible
to add an exception for this certificate.
Get me out of here!
Technical Details
mail.google.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
(Error code: sec_error_unknown_issuer)

Dan Callahan

Sep 9, 2015, 3:35:57 PM
to Anil Gulati, evang...@lists.mozilla.org
Hi Anil,

Thank you for reaching out; we'd be happy to work with whomever is
appropriate in your organization to make sure you get this working.

Firefox and Chrome should have identical behavior with regard to sites
protected by HSTS and HPKP. In this screenshot, you can see that Chrome
also does not allow the user to bypass certificate errors on certain
domains: http://i.imgur.com/zPecZ9o.png

This is actually part of the HSTS specification, section 12.1, which states
that "if a web application issues an HSTS Policy, then it is implicitly
opting into the 'no user recourse' approach, whereby all certificate errors
or warnings cause a connection termination, with no chance to 'fool' users
into making the wrong decision and compromising themselves":
https://tools.ietf.org/html/rfc6797#page-30

You can, however, manually add your proxy's root certificate to the
browser's trust store, which will instruct Firefox to trust it even when it
contradicts HSTS or HPKP information.

On an individual basis, you can do this in Preferences -> Advanced ->
Certificates -> View Certificates -> Authorities -> Import. For automated
solutions, look into the details on
https://wiki.mozilla.org/CA:AddRootToFirefox

Again, Firefox and Chrome should behave identically with regard to HSTS. If
Chrome is working and Firefox is not, it's likely because the proxy's root
certificate wasn't added to Firefox's database. Look for it in the "View
Certificates -> Authorities" dialog mentioned above.

For proof that this is possible, after importing a locally created
certificate, I'm able to visit google using my own certificate, and without
triggering any warnings: http://i.imgur.com/9cnqJru.png

Thank you for reaching out,
-Dan
> _______________________________________________
> Evangelism mailing list
> Evang...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/evangelism
>
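The rule Dan describes, cert errors on an HSTS host are fatal with no user override (RFC 6797 section 12.1), while a chain that builds to a root in the browser's own trust store produces no error at all, can be modelled in a few lines. The following is an added Python illustration, not Firefox, Chrome or Mozilla code; the host names, the "Corp Proxy Root CA" issuer name, the header values and the two trust-store contents are constructed to mirror the situation in this thread (a TLS-intercepting proxy whose root is in the OS store but not in Firefox's NSS database).

```python
"""Model of HSTS 'no user recourse' (RFC 6797 12.1) and the trust-store fix.

Added illustration for this thread; not browser code.  All data constructed.
"""
from dataclasses import dataclass, field
import time


@dataclass
class HstsCache:
    """Known-HSTS-hosts store: host -> (expiry timestamp, includeSubDomains)."""
    entries: dict = field(default_factory=dict)

    def record(self, host, header, now=None):
        """Process a Strict-Transport-Security header received over a
        successfully validated TLS connection.  Returns False if the header
        is invalid (RFC 6797 6.1 requires max-age)."""
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        if max_age == 0:
            # max-age=0 tells the client to forget the host
            self.entries.pop(host, None)
            return True
        self.entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host (or a parent with includeSubDomains) is an unexpired
        known HSTS host."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False


def connection_outcome(host, issuer, trusted_roots, hsts, now=None):
    """What the browser does for a server chain signed by `issuer`.

    'ok'                 chain builds to a trusted root; no warning at all,
                         even on an HSTS host
    'fatal'              unknown issuer on an HSTS host: error page with no
                         'add exception' option (sec_error_unknown_issuer)
    'exception-possible' unknown issuer on a non-HSTS host: the user may
                         record a security exception
    """
    if issuer in trusted_roots:
        return "ok"
    if hsts.is_known(host, now):
        return "fatal"
    return "exception-possible"


def demo(now=1_000_000):
    """Constructed scenario from the thread: an intercepting proxy re-signs
    every site with 'Corp Proxy Root CA'.  Chrome reads the OS store, into
    which IT installed that root; Firefox's own database lacks it."""
    hsts = HstsCache()
    hsts.record("mail.google.com", "max-age=31536000", now=now)
    hsts.record("developer.mozilla.org", "max-age=63072000; includeSubDomains", now=now)
    proxy_root = "Corp Proxy Root CA"
    stores = {
        "chrome (OS store)": {"Public Root CA", proxy_root},
        "firefox (own db)": {"Public Root CA"},
        "firefox (root imported)": {"Public Root CA", proxy_root},
    }
    hosts = ["mail.google.com", "developer.mozilla.org", "intranet.example"]
    return {
        browser: {h: connection_outcome(h, proxy_root, roots, hsts, now) for h in hosts}
        for browser, roots in stores.items()
    }


if __name__ == "__main__":
    for browser, results in demo().items():
        print(browser, results)
```

The point the model makes explicit is the one Dan's post makes: HSTS does not change which roots are trusted, it only removes the "add exception" escape hatch, so the proxy's root has to reach the store Firefox actually consults (its per-profile NSS database, which the `certutil` tool from the NSS tools package can populate) rather than the OS store Chrome uses.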

Anil Gulati

Sep 10, 2015, 7:28:07 PM
to Dan Callahan, evang...@lists.mozilla.org
Thanks very much, Dan. I'm happy to follow etiquette in terms of where I
get technical advice, and I am receiving advice from
mozilla.dev.security.policy that agrees with your advice that both Chrome
and Firefox need another root certificate. Apparently Chrome references the
OS store but Firefox has its own database.

However, I have obtained the same certificate that IT packaged for install
in the OS for Chrome (and works for Chrome) and imported it as an Authority
certificate and as a Server certificate into Firefox, but with no effect on
the issue. It looks like the problem is that Firefox is harder for IT
departments to manage? Possibly Firefox quibbles more with certificate
correctness or fields required?

From an evangelism perspective, hasn't this issue been of global interest?
I have seen posts in other locations that complain about Firefox being "too
secure". Has this unpopularity filtered through to Mozilla? Is there some
chance that Mozilla may be being too hard headed and too far ahead of the
curve on security implementation such that its market share is being
significantly damaged due to just this issue (IT can't make it work
easily)? Or am I just uninformed or badly informed?

Regards
A

a.gu...@tsc.nsw.edu.au

Sep 16, 2015, 7:28:38 PM
to mozilla-e...@lists.mozilla.org
On Wednesday, 9 September 2015 09:21:50 UTC+10, Anil Gulati wrote:
> Dear Moz Evangelism, I'm a looong time Firefox user and love it.
> Currently I'm losing it.
>
> I want to ask about Firefox security implementation, possibly HSTS?
> Firefox seems to implement strict-er security in comparison to Chrome.

Dear Moz Evangelism

I've followed up in dev.security.policy and actually fixed the problem: Firefox uses its own certificate store unlike Chrome which references the OS. This makes Firefox harder to administer in an enterprise environment.

There seem to be other difficulties with managing security for Firefox in an enterprise environment and also but probably to a lesser extent domestically. I've found that in 3 years Firefox has gone from recommended browser in my organisation to practically unsupported with 1 user left, partly due to security difficulties. That's just one experience.

But it's not only us. Following links provided here someone says "Firefox was a nightmare to admin, I've spent days, but much easier now." Someone else says "Without CCK2, I wouldn't be packaging Firefox for Windows for enterprise deployment at all! It would simply be too hard to do." Not all IT departments are as committed to supporting Firefox. They just tell their users to run Chrome.

Looking at Firefox market share, even W3 schools, which I would expect to be a core Firefox stronghold, shows 2 points loss this half year and a slight S curve from almost 50% share in 2009, with 6 / 7 % losses per year from 2010 - 2012 and reliable minimum 3% loss per year since then, by this unrepresentative generous sampling method. Firefox is now down to 40% of its 2009 share. That's 60% loss of original share over the last 6 years.

I know this is a complex issue. I'm just saying with respect to this particular _kind of issue_ (security management) it looks to me like this could be one _kind of issue_ where known solutions exist and can be having a big influence on Firefox usage, significantly out of proportion to the effort and ability to fix them.

Has Mozilla evaluated the threat? It's hard to evangelise an unsupported browser. What's the vision for Firefox longer term? Is it a leading browser or a niche player like Opera?