Closed Bug 703024 Opened 13 years ago Closed 13 years ago

Back out bug 662996 (OCSP requests leak cookies) because of bug 701019

Categories

(Core :: Security: PSM, defect)

defect
Not set
major

Tracking

()

VERIFIED FIXED
mozilla9
Tracking Status
firefox8 --- affected
firefox9 + verified
firefox10 + verified
firefox11 + verified
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: briansmith, Assigned: mayhemer)

References

Details

(Keywords: privacy, verified-beta, Whiteboard: [qa!])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #662996 +++ (In reply to Ruud van Melick from bug 701019 comment 0) > Created attachment 573192 [details] > Firefox 8 - HTTP headers captured with Live HTTP Headers add-on > > Visit http://bankieren.rabobank.nl/klanten/ > This website uses an EV-certificate. > > After upgrading Firefox to version 8 (previous version 7.0.1) the site > identity button is blue instead of green. > > If I enable this preference: advanced => encryption => validation => "When > an OCSP server connection fails, treat the certificate as invalid", then I > get this error message when visiting the website: > sec_error_ocsp_bad_http_response > > Looking at the HTTP headers, this seems related to the fact that the OCSP > request is rejected by our proxy server due to lack of authentication. This > does not happen when using Firefox 7.0.1 (not all computers have been > upgraded to Firefox 8 yet).
OCSP doesn't work when the user is going through an authenticating HTTP proxy. Either we will silently ignore the OCSP failure (default behavior), or almost every HTTPS site will stop working for said user.
Do you have arguments why to back this out rather then fix the actual bug 701019? I still miss it and therefor I'm strongly against.
1. We should do this as ridealone to any 8.0.2 release. I don't think we should land anything more complicated than the backout for 8.0.2. 2. Similarly, I don't think we should land a fix for 701019 on mozilla-beta, but we should fix the regression for mozilla-beta. 3. More generally, it isn't clear that we can just change what LOAD_ANONYMOUS means yet, I don't have time to think about that right now, but we should fix the regression ASAP on mozilla-central and mozilla-aurora.
(In reply to Brian Smith (:bsmith) from comment #1) > OCSP doesn't work when the user is going through an authenticating HTTP > proxy. Brian, this really surprises me. The whole motiviation for the addition of the SSL thread had been done in order to support OCSP trough proxies, and the last time I had tested that used to work. Why do you think it doesn't work? Have you tested it? In particular, which is the oldest version where this regressed?
Thanks Brian. Now I understand. I had to take a look at the target milestone of bug 662996 first. I agree now. I'll have a patch for this soon.
Attached patch v1 (deleted) — Splinter Review
Commenting out the code added in bug 662996. Kai, the regression we are trying to quickly fix here is that an OCSP request cannot go with the LOAD_ANONYMOUS flag set through a proxy requiring authentication. It causes blue larry for EV certs. This regressed in Firefox 8 for which bug 662996 has landed. This will be fully fixed in bug 701019 because there are also other issues caused by incorrect behavior of LOAD_ANONYMOUS flag (as I see it). That fix needs a security review first and is expected to be too risky for Aurora, Beta, Release.
Attachment #574972 - Flags: review?(kaie)
Attachment #574972 - Flags: review?(kaie) → review+
Attachment #574972 - Flags: approval-mozilla-beta?
Attachment #574972 - Flags: approval-mozilla-aurora?
Target Milestone: --- → mozilla11
Comment on attachment 574972 [details] [diff] [review] v1 [Triage Comment] For anybody just joining us, this is basically a full backout of bug 662996 (albeit by commenting out the change). Approving for Aurora/Beta, pending landing on m-c first. Please land this ASAP to make it into today's build.
Attachment #574972 - Flags: approval-mozilla-beta?
Attachment #574972 - Flags: approval-mozilla-beta+
Attachment #574972 - Flags: approval-mozilla-aurora?
Attachment #574972 - Flags: approval-mozilla-aurora+
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [qa+]
I have tried this with https://www.verisign.com on: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0 beta 6 Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0 beta 6 Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0 beta 6 The secure connection notification appears. Setting resolution to Verified Fixed on Beta.
Keywords: verified-beta
Whiteboard: [qa+] → [qa+][qa!:9]
I have tried this using the link from the description and the secure notification is present (green site's identity button). I get no error with the pref activated: "When an OCSP server connection fails, treat the certificate as invalid". (it's deactivated by default) Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0 beta 6 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/10.0 beta 6 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 beta 6 Setting resolution to Verified Fixed.
Whiteboard: [qa+][qa!:9] → [qa+][qa!:9][qa!:10]
Marking as fixed for Firefox 11 since this landed while 11 was on m-c.
Setting this Verified Fixed on Firefox 11 beta on Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0 beta 3 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 beta 3 Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0 beta 3 I've followed the steps from comment11 and comment12 the secure notification is present (green site's identity button) and also I get no error with the pref activated: "When an OCSP server connection fails, treat the certificate as invalid". (it's deactivated by default)
Status: RESOLVED → VERIFIED
Whiteboard: [qa+][qa!:9][qa!:10] → [qa!]
tracking-fennec: ? → ---
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: