https:// secured on one browser, but not the other?
I recently filled in some personal info from a website that was marked https:// (school website). After submitting I found out that it was red marked. This caught me off guard because when I sign in to that particular website with Firefox, it was marked with a green padlock as secured.
I tried to check the credentials with SHAAAAA and Google: so far, with Google, the Certificate is trustworthy and didn't supply "Certificate Transparency information" (?). They also told me that the certificate is extremely outdated and won't expire until July 2017; that my info may be vulnerable. That the certificate chain contains signatures using SHA-1. The website is encrypted with an obsolete cipher suite (?), uses a TLS 1.2 connection, and ECDHE-RSA for key exchange (?).
With SHAAAAA, SSL 3 is insecure, the Signature is overall weak (SHA1withRSA 128), RC4 is insecure, but the certificate and website are legit and trusted.
With FireFox, though, and IE, I see a green padlock, that it's secured. I don't know what is wrong? I also contacted the school, and the website is legit and not manipulated. Should I report this to the school, and is my info still safe? I used Chrome with my home WiFi, and outside incognito.
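The question above lists what Chrome and SHAAAAA reported for the site: expiry date, an obsolete cipher suite, the TLS version, the key exchange, and SSL 3/RC4 support. As an added example that is not part of this thread, the standard-library Python script below reproduces those checks for any server from what the ssl module exposes; the certificate's signature hash (the SHA-1 finding) is not available there, so that part is left to the checkers named in the question. `assess` and `probe` are names chosen here.

```python
import socket
import ssl
from datetime import datetime, timezone

# Protocol versions and cipher-name fragments that the checkers in the question flag.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def assess(cert, cipher_info, now=None):
    """Return findings for a peer certificate dict (shape of SSLSocket.getpeercert())
    and a cipher tuple (shape of SSLSocket.cipher(): name, protocol, bits)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # notAfter looks like "Jul 15 23:59:59 2017 GMT"; a single-digit day is space-padded.
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    not_after = not_after.replace(tzinfo=timezone.utc)
    if not_after <= now:
        findings.append("certificate expired on %s" % not_after.date())
    elif (not_after - now).days < 30:
        findings.append("certificate expires within 30 days (%s)" % not_after.date())
    name, version, _bits = cipher_info
    if version in WEAK_VERSIONS:
        findings.append("obsolete protocol version %s" % version)
    if any(m in name for m in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher suite %s" % name)
    if not name.startswith(("ECDHE", "DHE")):
        findings.append("no forward secrecy: key exchange in %s is not ephemeral DH" % name)
    if not any(m in name for m in AEAD_MARKERS):
        # Chrome's "obsolete cipher suite" wording covers non-AEAD suites such as AES-CBC/HMAC-SHA1.
        findings.append("non-AEAD cipher suite %s (reported as obsolete by Chrome)" % name)
    return findings


def probe(host, port=443):
    """Connect with Python's default (strict) settings and assess what was negotiated.
    A server that only speaks SSLv3 or RC4 fails this handshake on a modern Python build,
    which is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return assess(tls.getpeercert(), tls.cipher())


if __name__ == "__main__":
    import sys
    for line in probe(sys.argv[1]) or ["no findings"]:
        print(line)
```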
Chosen solution
Hi Anoniie, yes, Chrome is doing something different than Firefox here. (Screenshot from Chrome attached for reference.)
With the default settings, Firefox is only providing a warning for the site's developer in the Web Console, and not treating this as a security emergency:
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1. [Learn More]
Is Firefox wrong? I think Mozilla is just moving a little more slowly to start rejecting certificates signed with the SHA-1 hashing algorithm (hashing is used to make encrypted text hard to reverse back to the original text).
- Firefox now only rejects new certificates issued after Jan. 1, 2016 signed with SHA-1: that does not apply to this site, since its certificate was issued in 2011
- Firefox and other major browsers should uniformly reject this and other SHA-1 certificates starting no later than Jan. 1, 2017, so the site does need to put a replacement cert in place by then or they will be in big trouble -- Google apparently couldn't wait
All Replies (6)
Hi Anoniie, this question is a little difficult to answer. If Firefox displayed a green lock, the server satisfied Firefox's connection requirements. It's possible to lower the standard requirements by going into about:config and modifying some settings. Most likely you haven't done that, but I'll suggest how to check on that at the end.
In this part --
I recently filled in some personal info from a website that was marked https:// (school website). After submitting I found out that it was red marked.
-- what do you mean by "it was red marked"? Is it one of the icons displayed in this article:
How do I tell if my connection to a website is secure?
For example:
To check your Firefox settings:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste TLS and pause while the list is filtered
(3) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each preference to its default value.
If you have any locked preferences (typically italicized), you may have an external lock file modifying your Firefox configuration.
(4) In the search box above the list, type or paste security.ss and pause while the list is filtered
(5) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each preference to its default value.
It's okay to set these to false (this works around any servers that have not yet been fixed for the Logjam vulnerability):
- security.ssl3.dhe_rsa_aes_128_sha => false
- security.ssl3.dhe_rsa_aes_256_sha => false
Again, if you have any locked preferences (typically italicized), you may have an external lock file modifying your Firefox configuration.
(6) In the search box above the list, type or paste mixed and pause while the list is filtered
(7) Here are the normal settings for mixed content blocking:
- security.mixed_content.block_active_content => true
- security.mixed_content.block_display_content => false
Are either of those customized?
jscher2000 said
Hi Anoniie, this question is a little difficult to answer. If Firefox displayed a green lock, the server satisfied Firefox's connection requirements. It's possible to lower the standard requirements by going into about:config and modifying some settings. Most likely you haven't done that, but I'll suggest how to check on that at the end.
In this part -- I recently filled in some personal info from a website that was marked https:// (school website). After submitting I found out that it was red marked. -- what do you mean by "it was red marked"? Is it one of the icons displayed in this article:
How do I tell if my connection to a website is secure?
For example:
On Chrome the website is a red-striked padlock. They said that it's unsecured and the certificate is outdated (expired in 2017?) Yet, Firefox and Windows IE are marked as secure?
Also, I never made any changes to Firefox. You just now taught me the about:config :). Should I change something? I don't know for sure...
Anoniie said
On Chrome the website is a red-striked padlock. They said that it's unsecured and the certificate is outdated (expired in 2017?)
Does the address bar show https:// in all browsers -- in other words, is Chrome using the identical address?
Do you want to share the URL of that page?
Also, I never made any changes to Firefox. You just now taught me the about:config :). Should I change something?
Not if you don't know what you plan to accomplish and how to undo it if something goes wrong. :-)
jscher2000 said
Anoniie said
On Chrome the website is a red-striked padlock. They said that it's unsecured and the certificate is outdated (expired in 2017?)
Does the address bar show https:// in all browsers -- in other words, is Chrome using the identical address?
Do you want to share the URL of that page?
Also, I never made any changes to Firefox. You just now taught me the about:config :). Should I change something?
Not if you don't know what you plan to accomplish and how to undo it if something goes wrong. :-)
Okay then!