Opened 9 years ago

Closed 8 years ago

#2167 closed defect (fixed)

Block during extension updating process

Reported by: zep
Owned by: pde
Priority: High
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity:
Keywords: Block updating process
Cc: Natanji, starchy@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 GTB7.1

The extension updating process blocks Firefox with HTTPS Everywhere.

I've tried uninstalling it, and the same process goes fast and without any blocks.

Obviously I've reinstalled HTTPS Everywhere and disabled automatic updating (extensions, Firefox and components).

Thank you


Here is my extension list dumped:

Application: Firefox 3.6.12 (20101026210630)
Operating system: WINNT (x86-msvc)

8 November 2010

  • Adblock Plus 1.3.1

Firefox 3.5 - 4.0b8pre

  • British English Dictionary 1.19

Firefox 2.0 - 4.0b6pre

  • Cooliris 1.12.0.36605

Firefox 3.6 - 3.6.*

  • CoolPreviews 3.1.0625

Firefox 3.0 - 3.6.*

  • Dizionario italiano 3.2

Firefox 2.0 - 4.0b8pre

  • DownThemAll! 1.1.10

Firefox 3.0 - 3.6.*

  • Extension List Dumper 1.14.8

Firefox 1.5 - 3.6.*

  • FEBE 6.3.3.2

Firefox 3.0 - 3.7a4pre

  • Flagfox 4.0.10

Firefox 3.0 - 4.0b6

  • Google Toolbar for Firefox 7.1.20100830W

Firefox 2.0 - 3.*

  • gTranslate 0.8

Firefox 3.0 - 4.0b5pre

  • HTTPS-Everywhere 0.2.2

Firefox 3.0 - 3.9

  • Ixquick Toolbar 1.65

Firefox 0.7 - 3.*.*

  • Java Console 6.0.22

Firefox 1.0 - 5.0+

  • Locationbar² 1.0.5

Firefox 3.0 - 4.0b5pre

  • meebo 1.1

Firefox 1.5 - 3.6.*

  • NoScript 2.0.4

Firefox 3.0 - 4.0b8pre

  • SearchPreview 4.9.2

Firefox 1.5 - 4.0b8pre

  • Secure Login 0.9.5

Firefox 1.5 - 4.0b6

  • StumbleUpon 3.76

Firefox 1.0 - 4.0b8pre

  • Taboo 0.6.1

Firefox 2.0b1 - 3.6.*

  • WOT 20100908

Firefox 3.0 - 4.0b8pre

  • Xmarks 3.9.2

Firefox 3.0 - 4.0b6

Change History (13)

comment:1 Changed 9 years ago by zep

Msgbox continue or abort:

"file:///D:/utilities/system/Mozilla%20Firefox/modules/CertUtils.jsm:16".

comment:2 Changed 9 years ago by pde

Zep, let me make sure I've understood this correctly. Are you saying that with HTTPS Everywhere enabled, you can't update *Firefox*? If so, can I get you to test two things:

  1. Can you install the "Live HTTP Headers" extension, and paste a trace from it of the failed update process?
  2. If you disable the Mozilla rule (Tools->Addons->HTTPS Everywhere->Preferences), does it work again?

Can anyone else reproduce?

comment:3 Changed 9 years ago by zep

  1. this is the trace related to HTTPS Everywhere

https://www.eff.org/files/https-everywhere-update.rdf

GET /files/https-everywhere-update.rdf HTTP/1.1
Host: www.eff.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 GTB7.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:54:47 GMT
Server: Apache/2.2.16 (FreeBSD) mod_ssl/2.2.16 OpenSSL/0.9.8n DAV/2 PHP/5.2.14 with Suhosin-Patch
Last-Modified: Wed, 28 Jul 2010 20:30:14 GMT
Etag: "2bea2a-4e1-48c787c2b0180"
Accept-Ranges: bytes
Content-Length: 1249
Cache-Control: max-age=1209600
Expires: Tue, 23 Nov 2010 16:54:47 GMT
Strict-Transport-Security: max-age=15768000
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/rdf+xml


2) If I uninstall it the result is the updating process is ok.

2.1) If I disable it, the situation is a little more complicated.

2.1.1)

HTTPS Everywhere: Active --> the extension updating process blocks: error in CertUtils.jsm:16.

If I restart the add-ons window without restarting Firefox, and I disable HTTPS Everywhere --> the extension updating process is ok.

But the inverse is also true. Now I have HTTPS Everywhere disabled. I restart Firefox and I have:

2.2.2.)

HTTPS Everywhere: Disabled --> the extension updating process blocks: error in CertUtils.jsm:16.

If I restart the add-ons window without restarting Firefox, and I enable HTTPS Everywhere --> the extension updating process is ok.

At last, the updating process is ok if I change the state of HTTPS Everywhere  (disabled->enabled or enabled->disabled) before I try the updating process.

               

comment:4 Changed 9 years ago by pde

zep, is this bug still present in the current releases of HTTPS Everywhere?

comment:5 in reply to:  4 ; Changed 9 years ago by doegox

Hi,
I also have what I believe to be the same issue, but maybe I'm wrong and it deserves a separate ticket.
Let me explain:

Symptom: Firefox was freezing with 100% CPU every now & then since a few days.
It was apparently happening every time https-everywhere extension was looking for update.

I isolated the problem as follows:

=> it now redirects to https
=> connection untrusted (??? see below)
=> ok let's accept it

  • Tools -> Add-ons -> Find Updates

=> Freeze & 100% CPU load

If now I remove the file cert_override.txt & restart ff
it doesn't freeze anymore on add-ons/findupdate

Here is a dump of the saved certificate:

$ openssl x509 -in *.eff.org -noout -text
Certificate:

Data:

Version: 3 (0x2)
Serial Number:

4d:d3:60:cb:cf:2b:f8:07:e3:d1:89:46:04:3e:b0:78

Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High Assurance Secure Server CA
Validity

Not Before: Dec 3 00:00:00 2009 GMT
Not After : Jan 13 23:59:59 2015 GMT

Subject: C=US/postalCode=94110, ST=California, L=San Francisco/street=454 Shotwell St, O=Electronic Frontier Foundation, OU=Comodo PremiumSSL Wildcard, CN=*.eff.org
Subject Public Key Info:

Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Authority Key Identifier:

keyid:60:59:CD:80:C7:C5:E3:AB:8C:2F:FC:6B:E5:5B:0A:F5:0F:DE:4B:FF

X509v3 Subject Key Identifier:

95:C9:DC:8B:0C:C0:4A:DD:56:D5:66:F5:2A:F0:C0:68:9E:62:4F:A6

X509v3 Key Usage: critical

Digital Signature, Key Encipherment

X509v3 Basic Constraints: critical

CA:FALSE

X509v3 Extended Key Usage:

TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto

X509v3 Certificate Policies:

Policy: 1.3.6.1.4.1.6449.1.2.1.3.4

CPS: https://secure.comodo.net/CPS

X509v3 CRL Distribution Points:

URI:http://crl.comodoca.com/ComodoHighAssuranceSecureServerCA.crl

Authority Information Access:

CA Issuers - URI:http://crt.comodoca.com/ComodoHighAssuranceSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com

X509v3 Subject Alternative Name:

DNS:*.eff.org, DNS:eff.org

Signature Algorithm: sha1WithRSAEncryption


What is strange is that if we display the cert in FF
-> details -> Certificate Hierarchy
-> very long chain:

  • AddTrust External CA Root
    • UTN - DATACorp SGC
      • AddTrust External CA Root
        • UTN - DATACorp SGC
          • AddTrust External CA Root
            • UTN - DATACorp SGC
              • AddTrust External CA Root
                • UTN - DATACorp SGC
                  • AddTrust External CA Root
                    • UTN - DATACorp SGC
                      • AddTrust External CA Root
                        • UTN - DATACorp SGC
                          • AddTrust External CA Root
                            • UTN - DATACorp SGC
                              • AddTrust External CA Root
                                • UTN - DATACorp SGC
                                  • AddTrust External CA Root
                                    • COMODO Certification Authority
                                      • COMODO High Assurance Secure Server CA
                                        • *.eff.org

My Firefox version: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15pre) Gecko/20110216 Namoroka/3.6.15pre
My HTTPS-Everywhere version: 0.9.4

comment:6 in reply to:  5 ; Changed 9 years ago by doegox

Symptom: Firefox was freezing with 100% CPU every now & then since a few days.
It was apparently happening every time https-everywhere extension was looking for update.

Actually I made a little error in the way I reproduced the problem: I forgot to tell I've also imported my cert8.db.
And the problem came from a corrupted CA certificate.
After having deleted the "The USERTRUST Network / AddTrust External CA Root" software security device, the problem disappeared definitively.
See also the following bugreport, that's how I found the real root of the problem: http://bugs.debian.org/589023
But, same as for the guy having reported that bug, I've no clue from where I got this corrupted certificate which made a loop in the CA chain.

So an update request on the https-everywhere add-on was provoking a freeze because of this strange certificate.
Zep, could you check if your problem has the same origin?
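Comments 5 and 6 trace the freeze to a CA entry whose issuer points back into the chain. The following is an added example, not code from this ticket, Firefox or NSS: it models certificates as subject/issuer name pairs taken from the hierarchy in comment 5 and contrasts an issuer walk with no cycle check against a path builder that refuses to revisit a subject. The store contents and all function names are assumptions made for illustration.

```python
# Added example: certificates modelled as subject/issuer name pairs (constructed
# from the hierarchy in comment 5); real path building also checks keys and signatures.
def make_store(root_issuer):
    return [
        {"subject": "*.eff.org", "issuer": "COMODO High Assurance Secure Server CA"},
        {"subject": "COMODO High Assurance Secure Server CA",
         "issuer": "COMODO Certification Authority"},
        {"subject": "COMODO Certification Authority", "issuer": "AddTrust External CA Root"},
        {"subject": "AddTrust External CA Root", "issuer": root_issuer},
        {"subject": "UTN - DATACorp SGC", "issuer": "AddTrust External CA Root"},
    ]

HEALTHY = make_store("AddTrust External CA Root")   # self-signed root
LOOPED = make_store("UTN - DATACorp SGC")           # root copy that points back down

class ChainLoop(Exception):
    """Issuer chasing came back to a subject already on the path."""

def issuers_of(subject, store):
    return [c["issuer"] for c in store if c["subject"] == subject]

def naive_walk(subject, store, limit=20):
    """Follow the first issuer link with no cycle check, capped at `limit` names."""
    chain = [subject]
    while len(chain) < limit:
        issuer = issuers_of(chain[-1], store)[0]
        if issuer == chain[-1]:                      # self-signed: stop
            break
        chain.append(issuer)
    return chain

def build_path(subject, store, path=()):
    """Depth-first search for a self-signed anchor that never revisits a subject."""
    path = path + (subject,)
    loop = None
    for issuer in issuers_of(subject, store):
        if issuer == subject:
            return list(path)                        # trust anchor reached
        if issuer in path:                           # cycle: abandon this branch
            loop = ChainLoop(" -> ".join(path + (issuer,)))
            continue
        try:
            return build_path(issuer, store, path)
        except ChainLoop as exc:
            loop = exc
        except LookupError:
            pass
    if loop is not None:
        raise loop
    raise LookupError("no issuer certificate for " + subject)
```

With the 20-name cap, `naive_walk("*.eff.org", LOOPED)` produces the same alternating 20-entry hierarchy listed in comment 5, while `build_path` raises `ChainLoop` on that store and still finds the anchor when a self-signed copy of the root is also present.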

comment:7 in reply to:  4 Changed 9 years ago by zep

Replying to pde:

zep, is this bug still present in the current releases of HTTPS Everywhere?

In the current release, 0.9.4, the bug is still the same.

comment:8 in reply to:  6 ; Changed 9 years ago by zep

OK things on my side are these:

1) I remove the file "cert_override.txt" & restart ff

It doesn't freeze anymore on add-ons/findupdate

2) I go on https://www.eff.org/https-everywhere

ff shows the message "insecure connection" (error: sec_error_unknown_issuer)

It's the same for https://secure.comodo.net/CPS

2.1) If I try to acquire the certificate (eff.org) I have the message: "Unknown identity".

2.2) I add a security exception I have this text in the file 'cert_override.txt':

# PSM Certificate Override Settings file
# This is a generated file!  Do not edit.
www.eff.org:443    OID.2.16.840.1.101.3.4.2.1    7E:40:8A:6A:3B:2E:9C:3A:6D:21:57:9C:CD:5C:78:F3:00:88:18:78:AE:BD:02:52:97:41:60:CB:89:2B:D8:2D    U    AAAAAAAAAAAAAAAQAAAAjE3TYMvPK/gH49GJRgQ+sHgwgYkxCzAJBgNVBAYTAkdC  MRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQx  GjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMS8wLQYDVQQDEyZDT01PRE8gSGln  aCBBc3N1cmFuY2UgU2VjdXJlIFNlcnZlciBDQQ==

2.3) Now I can go on https://www.eff.org/https-everywhere, but I have the original error of my ticket on the updating process: request on the https-everywhere add-on.

Thank you very much!

Replying to doegox:

Symptom: Firefox was freezing with 100% CPU every now & then since a few days.
It was apparently happening every time https-everywhere extension was looking for update.

Actually I made a little error in the way I reproduced the problem: I forgot to tell I've also imported my cert8.db.
And the problem came from a corrupted CA certificate.
After having deleted the "The USERTRUST Network / AddTrust External CA Root" software security device, the problem disappeared definitively.
See also the following bugreport, that's how I found the real root of the problem: http://bugs.debian.org/589023
But, same as for the guy having reported that bug, I've no clue from where I got this corrupted certificate which made a loop in the CA chain.

So an update request on the https-everywhere add-on was provoking a freeze because of this strange certificate.
Zep, could you check if your problem has the same origin?
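The cert_override.txt entry quoted in comment 8 can be decoded to see exactly what the security exception recorded. This is an added example, not part of the ticket or of Firefox: it parses that entry, and its function names, the flag meanings (U, M, T) and the db key layout are assumptions, the layout being read off this one entry, whose decoded serial matches the openssl dump in comment 5.

```python
import base64
import struct

# Entry copied from the cert_override.txt text quoted in comment 8.
ENTRY = (
    "www.eff.org:443    OID.2.16.840.1.101.3.4.2.1    "
    "7E:40:8A:6A:3B:2E:9C:3A:6D:21:57:9C:CD:5C:78:F3:00:88:18:78:AE:BD:02:52:97:41:60:CB:89:2B:D8:2D"
    "    U    "
    "AAAAAAAAAAAAAAAQAAAAjE3TYMvPK/gH49GJRgQ+sHgwgYkxCzAJBgNVBAYTAkdC  "
    "MRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQx  "
    "GjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMS8wLQYDVQQDEyZDT01PRE8gSGln  "
    "aCBBc3N1cmFuY2UgU2VjdXJlIFNlcnZlciBDQQ=="
)

# Assumed meanings of the override flags and of the hash OID used in this entry.
FLAGS = {"U": "untrusted issuer", "M": "host name mismatch", "T": "validity period"}
HASH_OIDS = {"OID.2.16.840.1.101.3.4.2.1": "SHA-256"}

def parse_override(line):
    """Split one override entry and decode its db key into serial and issuer."""
    host_port, oid, fingerprint, flags, db_key = line.split(None, 4)
    host, _, port = host_port.rpartition(":")
    # The db key may be wrapped; drop embedded whitespace before decoding.
    raw = base64.b64decode("".join(db_key.split()))
    # Layout read off this entry: 8 zero bytes, two big-endian 32-bit lengths,
    # then the serial number followed by the DER-encoded issuer name.
    serial_len, issuer_len = struct.unpack(">II", raw[8:16])
    if 16 + serial_len + issuer_len != len(raw):
        raise ValueError("db key lengths do not add up")
    serial = raw[16:16 + serial_len]
    return {
        "host": host,
        "port": int(port),
        "hash": HASH_OIDS.get(oid, oid),
        "fingerprint": fingerprint.lstrip("!"),  # tolerate the stray "!" from the ticket rendering
        "errors_overridden": [FLAGS.get(f, f) for f in flags],
        "serial": ":".join("%02x" % b for b in serial),
        "issuer_der": raw[16 + serial_len:],
    }

def audit(text):
    """Parse every non-comment, non-empty line of a cert_override.txt body."""
    lines = (l for l in text.splitlines() if l.strip())
    return [parse_override(l) for l in lines if not l.lstrip().startswith("#")]
```

The decoded entry shows that the exception overrides only the untrusted-issuer error for this one certificate on www.eff.org:443; it does not repair the CA store, which is consistent with the update check still failing in step 2.3.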

comment:9 in reply to:  8 Changed 9 years ago by zep

Replying to zep:

If I save the certificate from eff.org, that previously I wasn't able to acquire, and after that I manually install it , the result is the same.

OK things on my side are these:

1) I remove the file "cert_override.txt" & restart ff

It doesn't freeze anymore on add-ons/findupdate

2) I go on https://www.eff.org/https-everywhere

ff shows the message "insecure connection" (error: sec_error_unknown_issuer)

It's the same for https://secure.comodo.net/CPS

2.1) If I try to acquire the certificate (eff.org) I have the message: "Unknown identity".

2.2) I add a security exception I have this text in the file 'cert_override.txt':

# PSM Certificate Override Settings file
# This is a generated file!  Do not edit.
www.eff.org:443    OID.2.16.840.1.101.3.4.2.1    7E:40:8A:6A:3B:2E:9C:3A:6D:21:57:9C:CD:5C:78:F3:00:88:18:78:AE:BD:02:52:97:41:60:CB:89:2B:D8:2D    U    AAAAAAAAAAAAAAAQAAAAjE3TYMvPK/gH49GJRgQ+sHgwgYkxCzAJBgNVBAYTAkdC  MRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQx  GjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMS8wLQYDVQQDEyZDT01PRE8gSGln  aCBBc3N1cmFuY2UgU2VjdXJlIFNlcnZlciBDQQ==

2.3) Now I can go on https://www.eff.org/https-everywhere, but I have the original error of my ticket on the updating process: request on the https-everywhere add-on.

Thank you very much!

comment:10 Changed 9 years ago by Tobu

Thank you for linking to this debian bug. I had the 100% cpu, unresponsive firefox during extension upgrades. I found out and removed https everywhere, it worked fine, but I was unable to download the xpi again.

Once I removed the "AddTrust External CA Root" certificate located under "The USERTRUST Network", which had a loop, I was able to reinstall and update https everywhere.

I do wonder where these broken certs came from, and how common they are. As far as I'm concerned, they could have been from ubuntu's ca-certificates, or from a minefield nightly. I've had trouble visiting gandi.net in the past, and noticed the loop but didn't think of removing the offender.

comment:11 Changed 8 years ago by Natanji

Cc: Natanji added

Any news on this bug? I was unable to fix this problem by uninstalling/disabling the AddTrust External CA Root. So now I have HTTPS everywhere installed, but it certainly won't be able to update since it tries to use HTTPS on the EFF site for that, and this connection is rejected because of the invalid certificate.

Why is the EFF using a certificate that is not valid in firefox? This doesn't make any sense to me. "error: sec_error_unknown_issuer" -> what does this error even mean, and how can it be fixed?

comment:12 Changed 8 years ago by pde

Cc: starchy@… added

I guess we can fix this bug by switching www.eff.org to a CA that isn't AddTrust/Comodo. Perhaps we should do that.

comment:13 Changed 8 years ago by pde

Resolution: fixed
Status: new → closed

www.eff.org has migrated from Comodo to a StartCom certificate. That should fix this bug; please reopen if it hasn't.
