Bug 1484246 - Part 1 - Add more explanation to certificate errors caused by Symantec distrust. r=Gijs,keeler

Differential Revision: https://phabricator.services.mozilla.com/D3877 --HG-- extra : rebase_source : 0f45bb71e4e2d9437c687a991c55f33ab492b7bf
2018-08-21 15:04:02 +02:00 · 2018-08-21 15:04:02 +02:00 · a05ff7f01f
commit a05ff7f01f
parent 3976d04ec7
3 changed files with 37 additions and 0 deletions
--- a/browser/actors/NetErrorChild.jsm
+++ b/browser/actors/NetErrorChild.jsm
@ -42,6 +42,7 @@ const SEC_ERROR_OCSP_INVALID_SIGNING_CERT          = SEC_ERROR_BASE + 144;
 const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED  = SEC_ERROR_BASE + 176;
 const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 5;
 const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = MOZILLA_PKIX_ERROR_BASE + 6;
+const MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = MOZILLA_PKIX_ERROR_BASE + 13;
 const MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT          = MOZILLA_PKIX_ERROR_BASE + 14;
 const MOZILLA_PKIX_ERROR_MITM_DETECTED             = MOZILLA_PKIX_ERROR_BASE + 15;

@ -146,6 +147,11 @@ class NetErrorChild extends ActorChild {
        case MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
          msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_SelfSigned") + "\n";
          break;
+        // This error code currently only exists for the Symantec distrust, we may need to adjust
+        // it to fit other distrusts later.
+        case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
+          msg1 += gPipNSSBundle.formatStringFromName("certErrorTrust_Symantec", [hostString], 1) + "\n";
+          break;
        default:
          msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Untrusted") + "\n";
      }
@ -365,6 +371,26 @@ class NetErrorChild extends ActorChild {
        updateContainerPosition();
        break;

+      // This error code currently only exists for the Symantec distrust
+      // in Firefox 63, so we add copy explaining that to the user.
+      // In case of future distrusts of that scale we might need to add
+      // additional parameters that allow us to identify the affected party
+      // without replicating the complex logic from certverifier code.
+      case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
+        let description = gPipNSSBundle.formatStringFromName(
+          "certErrorSymantecDistrustDescription", [doc.location.hostname], 1);
+        let descriptionContainer = doc.getElementById("errorShortDescText2");
+        descriptionContainer.textContent = description;
+
+        let adminDescription = doc.createElement("p");
+        adminDescription.textContent =
+          gPipNSSBundle.GetStringFromName("certErrorSymantecDistrustAdministrator");
+        descriptionContainer.append(adminDescription);
+
+        learnMoreLink.href = baseURL + "symantec-warning";
+
+        updateContainerPosition();
+        break;
      case MOZILLA_PKIX_ERROR_MITM_DETECTED:
      case MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
        learnMoreLink.href = baseURL + "security-error";
--- a/browser/base/content/aboutNetError.xhtml
+++ b/browser/base/content/aboutNetError.xhtml
@ -114,6 +114,11 @@
          <div id="errorShortDesc">
            <p id="errorShortDescText" />
          </div>
+
+          <div id="errorShortDesc2">
+              <p id="errorShortDescText2" />
+          </div>
+
          <p id="badStsCertExplanation" hidden="true">&certerror.whatShouldIDo.badStsCertExplanation;</p>

          <div id="wrongSystemTimePanel">
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@ -287,6 +287,8 @@ certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because
 certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired.
 certErrorTrust_Untrusted=The certificate does not come from a trusted source.
 certErrorTrust_MitM=Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate.
+# LOCALIZATION NOTE (certErrorTrust_Symantec): %S is replaced by the domain for which the certificate is valid
+certErrorTrust_Symantec=The security certificate for %S is not trustworthy because the issuing organization failed to follow security practices. Certificates issued by Symantec, including the Thawte, GeoTrust, and RapidSSL brands, are not considered safe.

 certErrorMismatch=The certificate is not valid for the name %S.
 # LOCALIZATION NOTE (certErrorMismatch1, certErrorMismatchSinglePrefix1, certErrorMismatchMultiple1): %1$S is replaced by the brand name, %2$S is replaced by host name.
@ -306,6 +308,10 @@ certErrorExpiredNow1=Websites prove their identity via security certificates, wh
 certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S.
 certErrorNotYetValidNow1=Websites prove their identity via security certificates, which are valid for a set time period. The security certificate for %S appears to be not yet valid.

+# LOCALIZATION NOTE (certErrorSymantecDistrustDescription): %S will be replaced by the domain for which the certificate is valid.
+certErrorSymantecDistrustDescription=Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers will no longer trust Symantec, the certificate authority for %S.
+certErrorSymantecDistrustAdministrator=You may notify the website’s administrator about this problem.
+
 # LOCALIZATION NOTE (certErrorCodePrefix3): %S is replaced by the error code.
 certErrorCodePrefix3=Error code: %S