Voda website certificate problems in Firefox

Forums › One NZ (including Farmside) › Voda website certificate problems in Firefox

farcus

1644 posts

Uber Geek
+1 received by user: 449

#141304 8-Mar-2014 02:11

Getting some untrusted certificate problems on the Vodafone website in Firefox (Chrome / Chromium seem to work just fine).

1 | 2

19282 posts

Uber Geek
+1 received by user: 2526
Inactive user

#1001104 8-Mar-2014 06:54

I use firefox and don't get that

freitasm

BDFL - Memuneh
80944 posts

Uber Geek
+1 received by user: 41698

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1001118 8-Mar-2014 09:00

This is a problem that has been identified before in another thread about certificate problems, first identified with Vodafone on mobile browsers but nothing happened. The URL showing the problem is https://www.vodafone.co.nz/myvodafone

The certificate is issued by Vodafone itself and the certification path is broken.

The full error is "www.vodafone.co.nz uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)"

My guess is Vodafone people don't see this error because either their browsers test the certificate against their own servers or the have the root cert installed in their machines.

This is what I see on Firefox:

And here is the problem certificate:

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Sideface

9726 posts

Uber Geek
+1 received by user: 15881

Trusted

Lifetime subscriber

#1001121 8-Mar-2014 09:09

freitasm: ... My guess is Vodafone people don't see this error because either their browsers test the certificate against their own servers or the have the root cert installed in their machines...

I'm on VF cable and don't get the error on Firefox.

Sideface

freitasm

BDFL - Memuneh
80944 posts

Uber Geek
+1 received by user: 41698

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1001122 8-Mar-2014 09:13

I am saying employees using their internal network, not customers but it could be that the root certificate used to be installed in some PCs before.

What OS and Firefox version are you using? Go to https://www.vodafone.co.nz/myvodafone on Firefox and even if you don't see the error page you can click the certificate information. On Chrome it shows this:

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

heapsort

250 posts

Master Geek
+1 received by user: 82

Lifetime subscriber

#1001126 8-Mar-2014 09:25

On Firefox, I just went to https://www.vodafone.co.nz and sure enough I see the untrusted connection page.

Viewing the certificate heirarchy, I saw just "www.vodafone.co.nz" but to be trusted it should show a path from a trusted root.

Now here's something a bit strange:

I did NOT add an exception, but out of curiosity went to https://www.vodafone.co.uk - that worked fine, and viewing its certificate heirarchy it shows a path from Baltimore CyberTrust Root to Vodafone (Corporate Domain 2009) to Vodafone (Corporate Services 2009) to www.vodafone.co.uk

Once I've done that, https://www.vodafone.co.nz suddenly works! The certificate heirarchy shows the same path as above (starting from Baltimore CyberTrust Root) to www.vodafone.co.nz instead of .co.uk

It appears that the .co.nz certificate is intended to have the same trusted root as the .co.uk one but something isn't set up quite right?

Sideface

9726 posts

Uber Geek
+1 received by user: 15881

Trusted

Lifetime subscriber

#1001128 8-Mar-2014 09:28

freitasm:What OS and Firefox version are you using? Go to https://www.vodafone.co.nz/myvodafone on Firefox ...

I am running 8 PCs on a VF cable connection in Wellington.
All PCs run Windows 7 Pro or Ultimate.
6 use Firefox 27 (latest) and 2 run Waterfox 26 (latest).
No certificate problems with any of them, ever.

EDIT: I spoke too soon - one of them gives the error - it's the only one that hasn't had the user name & password entered before.

Sideface

Dyson

Shop now for Dyson appliances (affiliate link).

Demeter

709 posts

Ultimate Geek
+1 received by user: 391

Trusted

One NZ

#1001157 8-Mar-2014 10:10

Interesting. Thanks for the heads up about this guys, I'll get our web techies on to this.

johnr

19282 posts

Uber Geek
+1 received by user: 2526
Inactive user

#1001182 8-Mar-2014 11:02

Jon might be the best person @Lon

Alan3285

55 posts

Master Geek
+1 received by user: 1

#1008111 18-Mar-2014 14:21

Hi Guys,

Just noting that you still have an internal certificate coming up on this page (https://www.vodafone.co.nz/myvodafone/).

As Mauricio notes above, if you are testing it from an internal Vodafone machine, it is quite possible that your IT guys have installed that certificate, so you won't get the error, but the certificate is not validated to any trusted root authority in the 'real world', hence we are getting errors, and we have no way of knowing whether the server that we are about to give our Vodafone account username / password to is really Vodafone's.

The certificate chain that we are getting is as attached - note that the issuer is not a valid trusted root (unless you choose to install it as such yourself, but that defeats the purpose in general).

Please can you get someone on to this.

Alan.

Alan3285

55 posts

Master Geek
+1 received by user: 1

#1008248 18-Mar-2014 17:35

Hi Guys,

Upon reflection, I am wondering if this might be specific to some configuration some of us have in our browsers?

I am thinking that, if the above was a general issue, you'd be hearing about it hundreds or thousands of times a day, and presumably that isn't happening (not for weeks on end) - hence perhaps it is more focused?

No idea what that might be, but just throwing it out there :-)

Alan.

freitasm

BDFL - Memuneh
80944 posts

Uber Geek
+1 received by user: 41698

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1008250 18-Mar-2014 17:39

I've seen it on a standard Firefox install on a standard Windows 8.1 Pro install.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Lego

Shop now for Lego sets and other gifts (affiliate link).

accidue

4 posts

Wannabe Geek

#1008597 18-Mar-2014 23:50

The certificate chain is incomplete with two Vodafone certificates not loaded on the NZ webserver. Vodafone.co.uk has them loaded and sends to the client when requested, thus the NZ site works after browsing there as your browser now has the complete chain of certificates.

See https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fwww.vodafone.co.nz%2Fmyvodafone

Coil

6614 posts

Uber Geek
+1 received by user: 2153
Inactive user

#1008604 19-Mar-2014 00:05

freitasm

BDFL - Memuneh
80944 posts

Uber Geek
+1 received by user: 41698

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1008641 19-Mar-2014 07:20

Tim, what others are saying is that the certificate does't work in all browsers because the chain is broken. Your browser might have the other certificates since you work for Vodafone (have you logged into work from this PC before? If so it's likely).

If I go to https://www.vodafone.co.nz/myvodafone on Firefox right now, from my laptop I still get the screen I posted before:

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Alan3285

55 posts

Master Geek
+1 received by user: 1

#1008791 19-Mar-2014 10:27

Hi Accidue,

accidue: The certificate chain is incomplete with two Vodafone certificates not loaded on the NZ webserver. Vodafone.co.uk has them loaded and sends to the client when requested, thus the NZ site works after browsing there as your browser now has the complete chain of certificates.

See https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fwww.vodafone.co.nz%2Fmyvodafone

What you say seems to be correct, but it does not appear to change the fact that the certificate as presented by www.vodafone.co.nz/myvodafone does not terminate with a trusted root certificate authority, and is therefore rejected by most (all?) modern browsers.

I agree that I can install any certificate I like in my browser, trust it, and carry on, but I'm not sure that is a solution, more of a work around that we would not wish to encourage people to do in general?

Thanks,

Alan.

1 | 2