#5534 closed defect (fixed)

Browse cannot connect to sites with non-standard Certificate Authorities

Opened 7 years ago
Closed 6 years ago

Reported by: cscott
Owned by: erikos
Priority: high
Milestone: 8.2.0 (was Update.2)
Component: browse-activity
Version:
Keywords: relnote
Cc: chihyu, cscott, cjb, blizzard@…, rharrison, katie, byte, vorburger, sph0lt0n
Blocked By: #5487
Blocking: #7421
Deployments affected:
Action Needed: never set
Verified: no

Description

Browse's security settings are set to 'maximum paranoid' -- which means, however, that there is no way to connect to several gated networks, which require you to register your machine via an SSL page before they will let you connect. MIT's network is administered this way, for example: you need to connect to https://nic.mit.edu:444 to register, but all of MIT's sites have certificates signed by MIT's own Certificate Authority, so Web won't let you connect, and thus won't let you register.

I've seen this on other gated networks as well.

Change History (38)

comment:1 Changed 7 years ago by erikos

  • Keywords Update.1? added
  • Milestone Update.1 deleted

Scott, please mark it Update.1? first to get it triaged right, even if you think this should be in Update.1.

comment:2 Changed 7 years ago by AlbertCahalan

From the UI and security points of view, such sites need to be treated exactly like non-SSL sites. (no security icon, no warning, etc.)

On the network of course, you do SSL to make the web server happy.

comment:3 Changed 7 years ago by marco

  • Resolution set to duplicate
  • Status changed from new to closed

I think this is due to #5487.

comment:4 Changed 7 years ago by cscott

  • Blocked By 5487 added
  • Resolution duplicate deleted
  • Status changed from closed to reopened

I'm reopening, because this should be verified independently of 5487. This is what the 'blocked by' field is for.

comment:5 Changed 7 years ago by marco

#5487 doesn't actually fix this. Looks like security UI is changed. I'll have to look into it.

comment:6 Changed 7 years ago by sj

See also #542.

comment:7 Changed 7 years ago by kimquirk

  • Milestone set to Retriage, Please!
  • Priority changed from normal to high

Moving this to higher priority and asking for triage/discussion. Seems pretty important to me.

comment:8 Changed 7 years ago by jg

The question in my mind is whether there is a configuration option we can set to be less paranoid... It's probably too late to be hacking code...

comment:9 Changed 7 years ago by jg

  • Cc cscott cjb blizzard@… added

Chris, Scott; do you have ideas?

comment:11 Changed 7 years ago by marco

Testing with the latest Firefox I get a different UI which doesn't depend on the preference pane. That might work for us, but we won't know until we try it out.

comment:12 Changed 7 years ago by marco

Nope, that UI is Firefox-specific and the embedder doesn't get it. So we will have to implement our own UI here. I don't think this can happen for u.1.

comment:13 Changed 7 years ago by jg

  • Keywords relnote added; Update.1? removed
  • Milestone changed from Retriage, Please! to Update.2

Sigh... I agree.

comment:14 follow-up: Changed 7 years ago by Russell McOrmond

I am wondering if there is a temporary workaround? I thought that installing the relevant Root certificate would do the trick. Many of the sites I'm wanting to access are using cacert.org signed certificates. Unfortunately going to the relevant "Root Certificate" page at http://www.cacert.org/index.php?id=3 doesn't offer me anything. Clicking on the PEM file doesn't seem to do anything -- clicking on the DER file caused a file to be downloaded, but doesn't do anything when I open it.

Hopefully this bug tracking system will send notifications so I will know when to test/etc.

comment:15 Changed 7 years ago by chihyu

  • Cc chihyu added

comment:16 Changed 7 years ago by rharrison

  • Cc rharrison added

comment:17 in reply to: ↑ 14 ; follow-up: Changed 7 years ago by cnoocy

Replying to Russell McOrmond:

I am wondering if there is a temporary workaround?

Apparently copying the certs.db file from a computer that has successfully accessed the self-signed site to the XO works around this problem. cscott can confirm.

comment:18 Changed 7 years ago by katie

  • Cc katie added

comment:19 in reply to: ↑ 17 Changed 7 years ago by chihyu

The workaround does not work with build 690. I copied cert8.db and key3.db from a Windows machine that had successfully accessed the site (https://nic.mit.edu:444) to the XO (under gecko), but still failed to register.

Replying to cnoocy:

Replying to Russell McOrmond:

I am wondering if there is a temporary workaround?

Apparently copying the certs.db file from a computer that has successfully accessed the self-signed site to the XO works around this problem. cscott can confirm.

comment:20 Changed 7 years ago by nealmcb

I ran into this problem at a wifi site that uses a captive portal with ssl and javascript and an expired certificate.

I wonder if there is a workaround with a different browser. E.g. you can yum install elinks, which has ssl support, though I don't know how it reacts to expired certificates. But it doesn't seem to have javascript, though it seems that that can be configured at build time. So it wouldn't work with captive wifi portals that require javascript.

I don't know the current story on other fedora text-mode browsers with ssl and javascript support. w3m might also be able to do both, but it also doesn't seem to be built with javascript. Or at least this page doesn't seem to work:
http://www.javascriptsearch.com/scripts/Utilities/javascript_test.html

comment:21 Changed 7 years ago by byte

I notice this error (sec_error_unknown_issuer) even when accessing websites that have a valid security certificate (the site in particular uses RC4 128-bit encryption, with VeriSign signing the certificate). It is, however, the web URI for the Microsoft ISA Server 2006 (which a lot of schools in Australia use).

Loading in Firefox shows the certificate to be valid. Loading on the OLPC tells me otherwise, and there is no "workaround" - i.e. I can't add an exception, seeing that I can't go to the advanced encryption settings.

comment:22 Changed 7 years ago by byte

  • Cc byte added

comment:23 Changed 7 years ago by vorburger

  • Cc vorburger added

comment:24 Changed 7 years ago by cscott

Copying the certs file from an existing machine does work with whatever update.1 build was current as of January 15. I'm not terribly surprised that it doesn't work with the certs file from a Windows machine, since it is a gross and evil hack. Be careful you're overwriting the correct copy of the certs file: Browse has a copy inside the activity which is used to create an appropriate certs file in the profile on first start up. Overwriting the copy in the activity only works if you've never launched Browse on that particular machine before; otherwise you need to hunt down the copy in the activities instance directory.

RC4 128-bit is pretty insecure -- see Wikipedia for one long list of flaws found in RC4 -- I wouldn't be terribly surprised to find that it wasn't on SSL's default accept list anymore. byte, could you supply a URL which uses the certificate in question, to allow us to investigate?
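The failure this ticket is about (Browse's trust store holds no entry for MIT's own CA, so the chain is rejected with sec_error_unknown_issuer) and the two ways out discussed above, copying a trust database from another machine (comment 24) or adding the CA or an exception through the browser UI, both come down to what is in the client's root store. The following is an added example, not code from Browse, hulahop or this ticket; it is written in Go because its standard library can build a private CA and verify a chain against a chosen root set entirely in memory. The CA name, the host name `portal.example.test` and the helper names `buildPrivateCA`, `newTrustStore` and `verifyAgainst` are constructed for the example. It shows that an empty store gives exactly the unknown-authority rejection, that adding the private root (rather than disabling verification) makes the chain validate, and that trusting the root still does not bypass host name checking.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildPrivateCA constructs, in memory only, a root CA standing in for a
// private institutional CA and a server certificate for host signed by it.
// Both names are constructed for this example; nothing is written to disk.
func buildPrivateCA(host string) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	return caCert, leafCert, nil
}

// newTrustStore builds a root store containing exactly the given certificates.
// Called with no arguments it models a browser whose built-in roots do not
// include the private CA, which is Browse's situation in this ticket.
func newTrustStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// verifyAgainst validates leaf for host against roots and classifies the outcome:
// "ok", "unknown-authority" (the sec_error_unknown_issuer case), "hostname-mismatch",
// or the raw error text for anything else.
func verifyAgainst(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err == nil {
		return "ok"
	}
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return "unknown-authority"
	}
	var hostErr x509.HostnameError
	if errors.As(err, &hostErr) {
		return "hostname-mismatch"
	}
	return "other-error: " + err.Error()
}

func main() {
	host := "portal.example.test" // constructed host name
	ca, leaf, err := buildPrivateCA(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("store without the private CA:", verifyAgainst(leaf, host, newTrustStore()))
	fmt.Println("private CA added to the store:", verifyAgainst(leaf, host, newTrustStore(ca)))
	fmt.Println("CA trusted, wrong host name:  ", verifyAgainst(leaf, "other.example.test", newTrustStore(ca)))
}
```

The three calls in `main` correspond to the three states a Browse user could end up in: the stock trust store (rejected as unknown authority), the store after the institution's root has been imported (accepted), and a trusted root presented for a host the certificate was not issued to (still rejected). Importing only the specific private root keeps the rest of certificate validation intact, which is what distinguishes this from the "treat it like a non-SSL site" approach suggested in comment 2.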

comment:25 Changed 7 years ago by byte

Hi cscott, thanks for responding quickly - a URL in question can be https://mail.ggs.vic.edu.au/

Many other Victorian schools use a similar configuration, from what I've noted (sadly, all broken, Microsoft-based email systems).

comment:26 Changed 7 years ago by cscott

Well, that mail.ggs.vic.edu.au certificate is flagged as problematic in Firefox on my Debian Linux box, so it's not an XO-specific problem.

comment:27 Changed 7 years ago by winnie

Is there any progress? It's quite annoying not to be able to see self-signed websites.

Thanks for your work!

comment:28 Changed 7 years ago by cjb

I'd like to propose this as blocker for our next release (8.2.0).

comment:29 Changed 7 years ago by sph0lt0n

  • Cc sph0lt0n added

comment:30 Changed 7 years ago by cscott

I second the nomination. Should this be reassigned?

comment:31 Changed 6 years ago by cscott

  • Blocking 7421 added

comment:32 Changed 6 years ago by erikos

  • Action Needed set to never set

This works fine for me in joyride 2107, which contains the latest version of hulahop (which is needed), together with the latest version of Browse, Web-91. I tested with https://nic.mit.edu:444, with https://mozilla.org and with linuxtag.org/vcc.

The interface to add exceptions is the same one F3 is using.

comment:33 Changed 6 years ago by erikos

  • Resolution set to fixed
  • Status changed from reopened to closed

comment:34 Changed 6 years ago by cjb

  • Milestone 8.2.0 (was Update.2) deleted

Great news. Thanks!

comment:35 Changed 6 years ago by cjb

  • Milestone set to 8.2.0 (was Update.2)

comment:36 Changed 6 years ago by sph0lt0n

I'd like to see your test plan. Where is it documented?

comment:37 Changed 6 years ago by lcl

  • Resolution fixed deleted
  • Status changed from closed to reopened

This is a slightly different issue than the above, but it's closely enough related that I think it makes sense to re-open the extant case.

I'm currently using an unlocked XO running Build 759, Sugar 0.82 and Firmware Q2E15. I'm having trouble installing MIT certificates. The last time I tried, it hung indefinitely (over half an hour). This time I'm documenting the process as I go along in order to give more detail:

From http://web.mit.edu/ist/topics/certificates choose Get MIT CA (Certificate Authority).

A rainbow-daemon window pops up. I view the certificate (it's correct). Note that the graphics of the tabs are overlapping badly, but that's something I can live with. I hit the X on the upper right corner to close the front window, check all three boxes to trust sites, users and developers, then click OK. There's a pause (at 9:31:25). A minute later I hit OK again. The OK blinks but nothing else happens. OK, let's try hitting enter since the choice is highlighted... nothing at all, not even a shift in the text color.

Is it possible I managed to get this installed previously? We're not in Kansas anymore, and I don't know how to check for installed certificates on this incarnation of Firefox.

OK, let's proceed to the Personal Certificate, assuming that the prerequisite CA is already installed. Follow the link, enter appropriate information (Kerberos name, password, and MIT ID). Click submit. It goes to the Generate a Private Key page. Leave Key Size and Certificate Lifetime at defaults, click on Next. It's a few seconds before 9:42. A rainbow-daemon window pops up with the standard alert: "Key Generation in progress... This may take a few minutes... <blink>Please wait...</blink>"

And that's as far as it gets. 9:52 - that's enough hang time, so to speak. Terminating.

comment:38 Changed 6 years ago by marco

  • Resolution set to fixed
  • Status changed from reopened to closed

Certificates are working in general, please open a separate ticket about this issue.
