This forum is a discussion about improving the "Unable to access secure (HTTPS) sites in Firefox 43" article.

Background for this article

  1. AliceWyman 5189 posts

    https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/
    Bug 1236975 Re-enable SHA-1 Certificates: https://bugzilla.mozilla.org/show_bug.cgi?id=1236975
    https://www.mozilla.org/firefox/43.0.4/releasenotes/


    http://logs.glob.uno/?c=mozilla%23sumo&s=8+Jan+2016&e=8+Jan+2016

    10:02 mgoodwin Hello #sumo. I work with the crypto engineering team and I've written an article for SUMO explaining the breakage some users experienced with Firefox 43 and some security scanner / antivirus products.
    10:03 mgoodwin How do I get this published on SUMO?
    10:03 daskarhu heyo
    10:03 mgoodwin (I've done this a few times before - but infrequently enough that I always forget)
    10:03 philipp mgoodwin: hi, somebody needs to review it
    10:03 philipp what's the link to the article?
    10:04 mgoodwin philipp: text is here - https://public.etherpad-mozilla.org/p/SHA-1-MiTM
    10:04 mgoodwin this was written by Richard Barnes and myself
    10:05 mgoodwin (I have a couple of links to add)
    10:06 philipp ok, i can put that text into a sumo article (but as i'm not a reviewer myself not get it published immediately)
    10:06 philipp mgoodwin: do you have an account at sumo?
    10:07 mgoodwin I think so
    10:07 * mgoodwin attempts to log in
    10:12 mgoodwin philipp: yes
    10:13 philipp i need a few mins to add the article to sumo, afterwards you can look at it and edit it if need be
    10:13 mgoodwin Thanks philipp
    10:15 philipp mgoodwin: so how do xp users recover from this issue which aren't offered 43.0.4 as a direct download?
    10:16 mgoodwin philipp: I'm unaware of why they wouldn't be offered that - perhaps it's a mistake?
    10:16 * mgoodwin isn't sure who to ask about that
    10:17 daskarhu 43.0.4 looks to be up on https://www.mozilla.org/en-US/firefox/all/#en-GB
    10:18 philipp another sha-1 issue (this time for the codesigning requirements in newer versions of windows, which isn't compatible with xp sp2): https://support.mozilla.org/en-US/kb/get-latest-version-firefox-windows-xp-vista
    10:19 philipp daskarhu: xp & vista users are offered 43.0.1 though afaik
    10:19 daskarhu huh :|
    10:19 philipp let me get the bug
    10:20 daskarhu surely any XP user should have SP3
    10:20 daskarhu "the latest installers for Firefox require Windows XP with Service Pack 3 (SP3)"
    10:21 philipp bug 1233779
    10:21 firebot https://bugzil.la/1233779 — FIXED, nobody%mozilla.org — Don't serve Firefox 43.0.2 and higher to XP SP2 users
    10:21 Noah daskarhu: actually sp2 is the minimum requirement
    10:21 philipp and bug 1235440
    10:21 firebot https://bugzil.la/1235440 — FIXED, oremj%mozilla.com — bouncer: deploy 1.1.1
    10:22 mgoodwin ugh. So if you're using 43.0.1 to 43.0.3 in XPsp2 behind a middlebox you're going to have to downgrade to 42 to get things working again?
    10:22 daskarhu okay, apparently so
    10:23 Noah but you would hope most had SP3 :P
    10:24 philipp i hope 42.0 auto-updates directly to 43.0.4
    10:25 daskarhu yeah, I mean, why NOT SP3?
    10:25 Caspy7 if you haven't downloaded any other versions, I think it should opt for downloading the most recent release
    10:26 Caspy7 which reminds me of the time they had a mismatch because there was a Mac only issue...or windows only
    10:27 Noah daskarhu: hehe yup. only reason I can see is lack of hd space. And some scared of weird stability issues related to media center I think
    10:28 daskarhu yeah, makes sense if you're weird enough to use XP
    10:30 philipp mgoodwin: i've submitted https://support.mozilla.org/en-US/kb/sec_error_cert_signature_algorithm_disabled-error/revision/113850
    10:36 philipp i think we should add switching the about:config pref as an alternative solution for xp users
    10:38 mgoodwin philipp: I originally included this but Richard Barnes was against it: His reasoning "I think we should actually de-emphasize the about:config option, since this could cause problems in the future."
    10:39 philipp we could also only show it for xp,vista users - because for me it looks they get auto updated to 43.0.1 from 42.0 and they are immediately trapped again
    10:40 mgoodwin OK. Well I'm open to that. We can ping rbarnes for his input later when he's around

  2. AliceWyman 5189 posts

    More discussion: http://logs.glob.uno/?c=mozilla%23sumo&s=11+Jan+2016&e=11+Jan+2016

    17:22 philipp hey jsavage joni: mgoodwin requested that we do a sumo article friday last week...
    17:22 philipp i copied the proposed text into https://support.mozilla.org/en-US/kb/sec_error_cert_signature_algorithm_disabled-error/history
    17:23 philipp not sure if this is the correct procedure or if there should be bugs filed as well
    17:24 jsavage philipp, thanks, i'll take a look
    18:00 mgoodwin jsavage philipp joni: anything I can do to help?
    18:02 jsavage mgoodwin, a technical review would be helpful. i'm pasting the article on a doc so you can leave comments/suggestions
    18:03 mgoodwin jsavage: rbarnes and I wrote this article. Technically, it should be fine :)
    18:03 philipp :-)
    18:03 jsavage ah, ok, in that case, i think we're good to go
    18:03 jsavage thanks!
    18:04 philipp mgoodwin: i added a note for xp /vista users to switch the preference in case you or rbarnes want to double-check that: https://support.mozilla.org/en-US/kb/sec_error_cert_signature_algorithm_disabled-error/revision/113859#firefox:winxp:fx45
    18:04 philipp i've confirmed with the release management team that those users will always get 43.0.1 served, so they have no way to update
    18:05 philipp also, if they downloaded 42.0 they would be updated to 43.0.1 first & then they are trapped
    18:06 Tonnes boo
    18:06 Tonnes hiya
    18:07 philipp jsavage: the long error message in the heading breaks our format^^
    18:07 jsavage philipp, we also have this article on what xp users can do to get the latest version: https://support.mozilla.org/en-US/kb/get-latest-version-firefox-windows-xp-vista
    18:07 * mgoodwin reads
    18:08 philipp jsavage: however those xp articles the sec_error_cert_signature_algorithm_disabled-error is geared towards can no longer run auto-updates once they are on 43.0-43.03
    18:08 jsavage ah, gotcha
    18:08 philipp *those xp users
    18:09 mgoodwin philipp, jsavage, looks good to me
    18:09 jsavage great, thanks for writing the article, mgoodwin and philipp
    18:09 philipp mgoodwin: do you know if people need to restart the browser after toggling the security.pki.sha1_enforcement_level pref for it to take effect?
    18:10 mgoodwin philipp: I do not. I suspect so, however.
    18:10 jsavage philipp, i'd be hesitant to remove the error message from the title…might make the article less visible
    18:10 mgoodwin David keeler would know for sure. Or we could test
    18:10 mgoodwin philipp jsavage thanks for your help
    18:11 jsavage thank you!
    18:12 mgoodwin When can the article be published?
    18:12 philipp ok, i'll add in an instruction to restart anyway just on that suspicion
    18:12 jsavage it's already live
    18:12 mgoodwin :D
