7

I am connecting to a secure site and firefox mentions about identity:

Owner: This website does not supply ownership information

Verified by: Not specified

Technical Details:  
Connection Partially encrypted      
Parts of the page you are viewing were not encrypted before transmitted over the internet  

What do these warnings mean? I don't see them via IE.
And the connection does not seem to be considered as untrusted in the url bar or any other indication. The certificate is signed by a trusted CA so what does the Non Specified refers to in the Verified by warning?

Also how can I know which parts of the page were send unencrypted?

Jim
  • 1,405
  • 4
  • 14
  • 18

3 Answers3

9

Warning 1: Owner: This website does not supply ownership information

This means that the SSL certificate does not specify the organisation that owns it. This can be an important detail, especially in extended verification certs (EV), since it ties the certificate to a real entity.

Warning 2: Verified by: Not specified

This is a really important problem. The certificate does not specify which certificate authority (CA) has signed it. This might mean it's self signed, so you can only rely on the connection for security against passive attackers. An active attacker, i.e. one that performs a man-in-the-middle attack, could generate his own certificate and pretend to be the server.

Warning 3: Connection Partially encrypted - Parts of the page you are viewing were not encrypted before transmitted over the internet.

This means that elements in the page you are viewing are not transferred via SSL. This could mean images, scripts or even CSS files. The problem here is that some traffic will be sent in cleartext, potentially revealing what page you are viewing or more important details, such as cookies.



In summary, this is a very poorly secured SSL setup. You should certainly not use it to input any personal details or potentially sensitive information.

Polynomial
  • 133,763
  • 43
  • 302
  • 380
  • Concerning your comment on warning 2:Which field of the X.509 Certificate specifies this?The certificate is indeed signed by Verisign. Concerning comment on warning 1:Which field of the X.509 Certificate specifies this? – Jim Apr 22 '12 at 21:19
  • For warning 2, it's the `Issuer` field. For warning 1, it's parts of the `Subject` field. Each field has a subset of values, noted as `key = value` - if some of these (e.g. `O` for Organization) are missing it can generate warnings. – Polynomial Apr 22 '12 at 21:39
  • The issuer is missing `CN` and `C` and the subject is missing `ST`. Are these the root problem?I don't remember them being mandatory. But it is odd that `CN` is missing from issuer. What is the risk of this? And how come Verisign issued such a certificate? – Jim Apr 22 '12 at 21:46
  • Not sure. It does seem odd that Verisign didn't provide `CN`. You should contact them. – Polynomial Apr 22 '12 at 22:53
  • Warnings 1 & 2 are not actually that important. It's just about which parts of the certificate Firefox chooses to display more prominently in the main boxes of the UI. Warning 3 is definitely a problem. – Bruno Apr 23 '12 at 10:23
  • Oddly, for me Firefox reported all three problems but only fixing the last (an http image reference instead of https) "fixed" all three together. – GeoffM Oct 26 '15 at 18:48
5

Owner: This website does not supply ownership information

This is used for EV certificates. In this case, Firefox will just copy the content of the O, L, ST and C RDNs in the Subject DN. It doesn't do it otherwise.

You can read more on the topic of EV certs in this answer for example. You'll notice that https://www.google.com/ doesn't have one and shows this same message.

Verified by: Not specified

This seems to use the O RDN of the Issuer DN. Not having it isn't necessarily a big deal. When you chose (or when someone else made the decision) to trust that CA, it should have known where it came from. The CA cert's Subject DNs (which become Issuer DN) don't have a mandatory structure (EV certs are more strict on this, though). What matters is to have a DN that identifies the CA sufficiently, whether the CN or O RDNs are present doesn't matter that much, although it seems it would be better practice to have them (just from an administrative point of view).

Although these messages come with good intent, they tend to make things more confusing unfortunately. This is still the object of debate in a number of Firefox Bugzilla issues. Here are a couple:

Technical Details:

Connection Partially encrypted

Parts of the page you are viewing were not encrypted before transmitted over the internet

This one is a problem. It means you have mixed content on your page, which is bad practice because you can't be sure what can and cannot be trusted as coming from the server (as guaranteed by SSL/TLS otherwise). It's probably loading images, scripts, iframes or making XHR requests via plain HTTP. In some cases, it can leak sensitive data this way.

You can find out which resources are loaded via plain HTTP on your page using the Firebug extension (Network tab). Chrome has something similar in its developer tools.

Bruno
  • 10,875
  • 1
  • 39
  • 61
-2

Sounds like you're missing a CN Certificate.

You can get the CN certificate yourself from the knowledge base on most certificate issuers and put that up if it wasn't emailed to you - I have had to do this a couple of times.

Rob Scott
  • 1
  • 1
  • What do you call a "CN Certificate"? Anyway, those warnings have to do with the validation type (EV/DV/...) and are purely a Firefox UI problem. The certificate is trusted, it's the information about its that's displayed this way. – Bruno Jul 20 '12 at 18:46