

https:// secured on one browser, but not the other?


I recently filled in some personal info from a website that was marked https:// (school website). After submitting I found out that it was red marked. This caught me off guard because when I sign in to that particular website with Firefox, it was marked with a green padlock as secured.

I tried to check the credentials with SHAAAAA and Google: so far, with Google, the Certificate is trustworthy and didn't supply "Certificate Transparency information" (?). They also told me that the certificate is extremely outdated and won't expire until July 2017; that my info may be vulnerable. That the certificate chain contains signatures using SHA-1. The website is encrypted with obsolete cipher suite (?), uses TLS 1.2 connection, and ECDHE-RSA for key exchange (?).

With SHAAAAA, the SSL 3 is insecure, the Signature is overall weak (SHA1withRSA 128), RC4 is insecure, but the certificate and website are legit and trusted.

With Firefox and IE, though, I see a green padlock saying that it's secured. I don't know what is wrong. I also contacted the school, and the website is legit and not manipulated. Should I report this to the school, and is my info still safe? I used Chrome with my home WiFi, and outside incognito.


Chosen solution

Hi Anoniie, yes, Chrome is doing something different than Firefox here. (Screenshot from Chrome attached for reference.)

With the default settings, Firefox is only providing a warning for the site's developer in the Web Console, and not treating this as a security emergency:

This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1. [Learn More]

Is Firefox wrong? I think Mozilla is just moving a little more slowly to start rejecting certificates signed with the SHA-1 hashing algorithm (hashing is used to make encrypted text hard to reverse back to the original text).

  • Firefox now only rejects new certificates issued after Jan. 1, 2016 signed with SHA-1: that does not apply to this site, since its certificate was issued in 2011
  • Firefox and other major browsers should uniformly reject this and other SHA-1 certificates starting no later than Jan. 1, 2017, so the site does need to put a replacement cert in place by then or they will be in big trouble -- Google apparently couldn't wait
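The two policies the answer contrasts, as an added example (not Mozilla's or Google's code): a Python model of the Firefox cut-off dates quoted above beside a simplified model of the Chrome behaviour reported in the thread, run over a constructed chain shaped like the school's (issued 2011, SHA1withRSA, expiring July 2017). The chain data, the names, and the rule that a root's own self-signature is not evaluated are assumptions of the model.

```python
from datetime import date

# Cut-off dates as stated in the thread for Firefox's SHA-1 policy.
SHA1_NEW_CERT_CUTOFF = date(2016, 1, 1)   # SHA-1 certs issued on/after this date are rejected
SHA1_SUNSET = date(2017, 1, 1)            # from this date every SHA-1 cert is rejected

def _d(iso):
    return date.fromisoformat(iso)

def firefox_verdict(chain, today):
    """Return ("ok"|"warn"|"reject", reasons) under the Firefox policy described in
    the thread. Certs are dicts with subject, sig_alg, ISO not_before/not_after; the
    last entry is the trust anchor, skipped because roots are trusted by identity."""
    today = _d(today)
    verdict, reasons = "ok", []
    for cert in chain[:-1]:
        if _d(cert["not_after"]) < today:
            reasons.append(f"{cert['subject']}: expired {cert['not_after']}")
            verdict = "reject"
        if "sha1" in cert["sig_alg"].lower():
            if today >= SHA1_SUNSET or _d(cert["not_before"]) >= SHA1_NEW_CERT_CUTOFF:
                reasons.append(f"{cert['subject']}: SHA-1 signature rejected")
                verdict = "reject"
            else:
                reasons.append(f"{cert['subject']}: SHA-1 signature, console warning only")
                verdict = "warn" if verdict == "ok" else verdict
    return verdict, reasons

def chrome_verdict(chain):
    """Simplified model of the Chrome behaviour the thread reports: a SHA-1 cert
    still valid in 2017 is shown as insecure (red struck-through padlock) today."""
    for cert in chain[:-1]:
        if "sha1" in cert["sig_alg"].lower() and _d(cert["not_after"]) >= SHA1_SUNSET:
            return "reject"
    return "ok"

# Constructed chain modelled on the thread: leaf issued 2011, SHA1withRSA, expiring July 2017.
SCHOOL_CHAIN = [
    {"subject": "school.example", "sig_alg": "SHA1withRSA",
     "not_before": "2011-07-01", "not_after": "2017-07-01"},
    {"subject": "Example Intermediate CA", "sig_alg": "SHA1withRSA",
     "not_before": "2010-01-01", "not_after": "2020-01-01"},
    {"subject": "Example Root CA", "sig_alg": "SHA1withRSA",
     "not_before": "2000-01-01", "not_after": "2030-01-01"},
]

if __name__ == "__main__":
    for day in ("2016-06-01", "2017-01-15"):
        verdict, why = firefox_verdict(SCHOOL_CHAIN, day)
        print(day, "Firefox:", verdict, "|", "; ".join(why))
    print("Chrome:", chrome_verdict(SCHOOL_CHAIN))
```

Run against the constructed chain, the model reproduces the disagreement in the thread: Firefox warns only until the 2017 sunset, while the Chrome model rejects immediately.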

All replies (6)


Hi Anoniie, this question is a little difficult to answer. If Firefox displayed a green lock, the server satisfied Firefox's connection requirements. It's possible to lower the standard requirements by going into about:config and modifying some settings. Most likely you haven't done that, but I'll suggest how to check on that at the end.

In this part --

I recently filled in some personal info from a website that was marked https:// (school website). After submitting I found out that it was red marked.

-- what do you mean by "it was red marked"? Is it one of the icons displayed in this article:

How do I tell if my connection to a website is secure?

For example:


To check your Firefox settings:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste TLS and pause while the list is filtered

(3) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each preference to its default value.

If you have any locked preferences (typically italicized), you may have an external lock file modifying your Firefox configuration.

(4) In the search box above the list, type or paste security.ss and pause while the list is filtered

(5) If you have any non-default settings (typically bolded and having a status of "user set"), you can make a note of the values in case they turn out to be important for some other reason, then right-click > Reset each preference to its default value.

It's okay to set these to false (this works around any servers that have not yet been fixed for the Logjam vulnerability):

  • security.ssl3.dhe_rsa_aes_128_sha => false
  • security.ssl3.dhe_rsa_aes_256_sha => false

Again, if you have any locked preferences (typically italicized), you may have an external lock file modifying your Firefox configuration.

(6) In the search box above the list, type or paste mixed and pause while the list is filtered

(7) Here are the normal settings for mixed content blocking:

  • security.mixed_content.block_active_content => true
  • security.mixed_content.block_display_content => false

Are either of those customized?
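The about:config audit above, as an added script (not part of the reply) that does the same check against a profile's prefs.js offline: it reports every stored pref in the TLS, security.ss and mixed-content families and compares it with the defaults quoted in the reply. The prefs.js excerpt is constructed, and treating the two dhe_rsa prefs as defaulting to true is an assumption.

```python
import re

# Defaults the reply quotes or implies (assumed to match the Firefox release in question).
KNOWN_DEFAULTS = {
    "security.mixed_content.block_active_content": True,
    "security.mixed_content.block_display_content": False,
    "security.ssl3.dhe_rsa_aes_128_sha": True,
    "security.ssl3.dhe_rsa_aes_256_sha": True,
}
# Prefix families matching the reply's about:config searches: "TLS", "security.ss", "mixed".
WATCHED = ("security.tls.", "security.ss", "security.mixed_content.")

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')

def parse_value(raw):
    """prefs.js literal (true/false, "string", integer) -> Python value."""
    if raw in ("true", "false"):
        return raw == "true"
    return raw[1:-1] if raw.startswith('"') else int(raw)

def audit_prefs(prefs_js_text):
    """Return [(name, value, note)] for every watched pref stored in prefs.js. The file
    only holds user-set values, so each hit is a customisation worth a look."""
    findings = []
    for line in prefs_js_text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m or not m.group(1).startswith(WATCHED):
            continue
        name, value = m.group(1), parse_value(m.group(2))
        if name not in KNOWN_DEFAULTS:
            note = "user set, default not listed in thread"
        elif value == KNOWN_DEFAULTS[name]:
            note = "user set but equals default"
        else:
            note = f"DIFFERS from default {KNOWN_DEFAULTS[name]}"
        findings.append((name, value, note))
    return findings

# Constructed prefs.js excerpt, not from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.tls.version.min", 1);
user_pref("security.mixed_content.block_active_content", false);
user_pref("security.mixed_content.block_display_content", false);
"""

if __name__ == "__main__":
    for name, value, note in audit_prefs(SAMPLE_PREFS_JS):
        print(f"{name} = {value!r}  [{note}]")
```

Point it at the prefs.js in your profile folder to get the same list the about:config filter steps produce by hand; a pref stored with its default value is harmless but shows as "user set" in about:config.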


jscher2000 said

Hi Anoniie, this question is a little difficult to answer. If Firefox displayed a green lock, the server satisfied Firefox's connection requirements. It's possible to lower the standard requirements by going into about:config and modifying some settings. Most likely you haven't done that, but I'll suggest how to check on that at the end. In this part --
I recently filled in some personal info from a website that was marked https:// (school website). After submitting I found out that it was red marked.

-- what do you mean by "it was red marked"? Is it one of the icons displayed in this article:

How do I tell if my connection to a website is secure?

For example:

On Chrome the website is a red-striked padlock. They said that it's unsecured and the certificate is outdated (expired in 2017?) Yet, Firefox and Windows IE are marked as secure?

Also, I never made any changes to Firefox. You just now taught me the about:config :). Should I change something? I don't know for sure...


Anoniie said

On Chrome the website is a red-striked padlock. They said that it's unsecured and the certificate is outdated (expired in 2017?)

Does the address bar show https:// in all browsers -- in other words, is Chrome using the identical address?

Do you want to share the URL of that page?

Also, I never made any changes to Firefox. You just now taught me the about:config :). Should I change something?

Not if you don't know what you plan to accomplish and how to undo it if something goes wrong. :-)


jscher2000 said

Anoniie said
On Chrome the website is a red-striked padlock. They said that it's unsecured and the certificate is outdated (expired in 2017?)

Does the address bar show https:// in all browsers -- in other words, is Chrome using the identical address?

Do you want to share the URL of that page?

Also, I never made any changes to Firefox. You just now taught me the about:config :). Should I change something?

Not if you don't know what you plan to accomplish and how to undo it if something goes wrong. :-)


Okay then!

Modified by user1354079
