webbrowser only partially loads some https sites

Bug #1656551 reported by Rüdiger Kupper on 2017-01-14
This bug affects 41 people
Affects | Status | Importance | Assigned to | Milestone
Canonical System Image | | Critical | Bill Filler |
Oxide | | Undecided | Unassigned |
webbrowser-app (Ubuntu) | | Undecided | Unassigned |

Bug Description

The browser on my Ubuntu Phone (Meizu MX-4, OTA 14) does not open some https-secured sites correctly, such as https://www.amazon.com or https://www.amazon.de. The browser presents a warning about an invalid SSL certificate, although the certificate appears perfectly valid. It then presents the option to go back to a safe site or continue anyway. If I choose continue anyway, it starts to load the site, but never completes. After some time it stops loading and displays a rather incomplete version of the site. It is clearly composed of only some of the page's elements and incomplete. The amount of the page that is displayed varies from time to time.
It appears that transmission times out while loading the page.
Test case:
1) Try loading https://www.amazon.com. Observe that webbrowser-app displays a warning about an invalid certificate, without any apparent reason. Choose "continue anyway". Observe that the site is only incompletely loaded and unusable.
2) Try loading the web interface of my router: https://rkupper.no-ip.org/. This site uses a self-signed certificate, which is correctly displayed as a security risk. But self-signed certificates are a common use case on DSL or cable routers' web interfaces. Choose "continue anyway". You should see the login page of a fritz box router. Observe that the site is incompletely loaded and the login button does nothing at all.

Forget about self-signed sites: It also happens on https://www.amazon.com and https://www.amazon.de:
First, webbrowser-app displays a warning that the site's certificate is invalid (without any reason). If I then choose "continue anyway", the amazon site is only incompletely displayed.

The amazon web-app (preinstalled on Ubuntu phone) is dysfunctional for the same reason.

summary: - webbrowser only partially loads https sites with self-signed certificate
+ webbrowser only partially loads some https sites

Modified bug description.

description: updated
description: updated
Olivier Tilloy (osomon) wrote :

I’m not seeing the issue with https://www.amazon.[com|de], they load fine on both my E4.5 and my MX4.

I am seeing the problem with your router’s web interface. Relevant bits of the logs:

[0116/080753:ERROR:cert_verify_proc_nss.cc(942)] CERT_PKIXVerifyCert for rkupper.no-ip.org failed err=-8172
qml: [JS] (https://rkupper.no-ip.org/:123) Uncaught ReferenceError: html is not defined

The first line shows up when the self-signed certificate warning page is shown.
The second line shows up when choosing to continue anyway. It looks like some javascript is trying to do some incorrect processing and the page fails to render altogether.

On desktop I see either that same error or a different one in the logs, but it also results in the page failing to render:

qml: [JS] (https://rkupper.no-ip.org/:123) Uncaught TypeError: Cannot read property 'blueBarHead' of undefined

The relevant part of the source of the page which fails to render is:

<html>
[…]
<body>
[…]
<script type="text/javascript">
[…]
function localInit() {
    "use strict";
    window.history.replaceState({}, '', '/');
    html.blueBarHead({
        "type": "login",
        title: data.bluBarTitle,
        parent: document.body
    });
    login.init(data);
}
localInit();
</script>
</body>
</html>

The 'html' variable is being defined in a script that’s loaded earlier, https://rkupper.no-ip.org/js/html.js. It looks like that script might not have been loaded yet at that point? I wonder if that's related to the certificate error at all? Adding an oxide task for further investigation.

Olivier Tilloy (osomon) wrote :

About:

> Try loading https://www.amazon.com. Observe that webbrowser-app
> displays warning about invalid certificate, without any apparent
> reason.

I can now reproduce the issue, even after closing the browser and opening again (and even after completely deleting the browser profile and cache). This started happening after visiting https://rkupper.no-ip.org/, it wasn’t happening before.

Olivier Tilloy (osomon) wrote :

So there are two issues here, possibly related:

 - content not loading completely (or not in the expected order) when bypassing certificate warning on https://rkupper.no-ip.org/

 - after visiting that site, visiting https://www.amazon.com/ always displays an invalid certificate warning (unknown reason), even after purging browser cache, config and local storage, and even across reboots

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in webbrowser-app (Ubuntu):
status: New → Confirmed
summary: - webbrowser only partially loads some https sites
+ webbrowser only partially loads some https sites after accepting self-
+ signed certificate once

It's basically hitting the same issue as https://bugs.chromium.org/p/chromium/issues/detail?id=664177 because the build was 10 weeks old from yesterday (actually, it's not quite, but the build date recorded in the build is the first Sunday of the month, which is 6th November for the version of Oxide in OTA-14).

Olivier Tilloy (osomon) wrote :

So all that’s needed is an oxide update. I’m preparing a silo with 1.19.7, targeting OTA-15.

Olivier and Chris, thanks for tracking this down so quickly! I understand it will be some weeks before the release of OTA-15. Is there something I can do to make things work for me in the meantime?

Olivier Tilloy (osomon) wrote :

@Rüdiger: until OTA-15 is released, your best bet would be to switch your device to the rc-proposed channel, which has a more recent version of oxide.

Tuomas Heino (iheino+ub) wrote :

Confirming identical symptoms (Symantec sites) to the ones mentioned in the chromium issue linked above. Please consider removing the misleading "self-signed" part from the bug title.

summary: - webbrowser only partially loads some https sites after accepting self-
- signed certificate once
+ webbrowser only partially loads some https sites
Olivier Tilloy (osomon) wrote :

Good point Tuomas, and thanks Rüdiger for updating the title. You might want to file a separate bug report for your router’s web interface content not loading completely, as it appears to not work with oxide 1.19.7 either.

description: updated
Changed in canonical-devices-system-image:
assignee: nobody → David Barth (dbarth)
importance: Undecided → Critical
milestone: none → 15
status: New → Confirmed
Changed in canonical-devices-system-image:
status: Confirmed → In Progress
bluexxx (bluexxx) wrote :

Hi, I get an SSL error on amazon.de and this error on Google+:
https://plus.google.com/communities/118436859239534473331

"Your browser is not supported by Google+. Either your browser version is outdated or you are using an unsupported browser type."

All updates are installed on Aquaris 4.5 and Nexus7.

@Pad: I read Ubuntu Touch is temporarily dead and there won't be an OTA 15:
https://lists.launchpad.net/ubuntu-phone/msg23187.html and here:
http://ubuntufun.de/2017/01/canonical-bestaetigt-die-roadmap-des-ubuntu-phone-projekt/

I hope it's not true because I hope we get in OTA 15 a timer for flight mode to protect people from microwaves at night when the phone is used as a timer. Microwave is under suspicion to generate cancer. And I hope there comes a cisco-vpn client for German fritz!box vpn-connections.

So I pray for OTA 15.

Olivier Tilloy (osomon) wrote :

@bluexxx: the google+ error is a different bug: https://launchpad.net/bugs/1656310.

The message on the ML might have been misleading: we are working on an OTA-15, but it won’t contain new features, only a very limited number of critical bug fixes.

Changed in webbrowser-app (Ubuntu):
status: Confirmed → Invalid
Ma Cha (macha) wrote :

When going on some websites like posteo.de, I don't even get "continue anyway", just "certificate of this website is not approved".

AlexAD (alex-ad) on 2017-01-21
Changed in canonical-devices-system-image:
status: In Progress → Invalid
status: Invalid → Confirmed
status: Confirmed → In Progress
GTriderXC (gtriderxc) wrote :

Is this also the reason why ebay doesn't work on M10? (also in a web browser after you click a search button)

https://bugs.launchpad.net/webapps-sprint/+bug/1575780

Olivier Tilloy (osomon) wrote :

No, that one is a different issue, better tracked in its separate bug report.

Changed in canonical-devices-system-image:
assignee: David Barth (dbarth) → Bill Filler (bfiller)
Nikolay (aquarism10-ubuntu) wrote :

"Versions of Chrome 53 that are more than 10 weeks old now display this error message for all websites using Symantec certificates that were issued on or after June 1, 2016 (including from Symantec-owned brands like Thawte and GeoTrust)."
All Symantec certificates (aliexpress.com, lego.com).
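
Added example (not part of the thread, and not Oxide or Chromium code): the rule quoted above, combined with the earlier comment that the recorded build date is the first Sunday of the month, worked through at day granularity. The sample certificates, the function names and the matching on the issuer organisation string are assumptions made for illustration.

```python
from datetime import date, timedelta

# Rule as quoted in the thread: builds "more than 10 weeks old" reject
# Symantec-brand certificates "issued on or after June 1, 2016".
STALE_AFTER = timedelta(weeks=10)
ISSUED_CUTOFF = date(2016, 6, 1)
# Brands named in the thread; substring matching on the issuer
# organisation is an assumption of this sketch.
AFFECTED_BRANDS = ("symantec", "thawte", "geotrust")

# Constructed sample data: (host, issuer organisation, notBefore).
SAMPLE_CERTS = [
    ("shop.example", "Symantec Corporation", date(2016, 9, 1)),
    ("old.example", "GeoTrust Inc.", date(2016, 3, 1)),
    ("other.example", "Example CA", date(2016, 9, 1)),
]


def recorded_build_date(year, month):
    """First Sunday of the month, the build date the thread says is recorded."""
    first = date(year, month, 1)
    # date.weekday(): Monday is 0, Sunday is 6.
    return first + timedelta(days=(6 - first.weekday()) % 7)


def ten_week_mark(build):
    """Day on which a build with this recorded date becomes 10 weeks old."""
    return build + STALE_AFTER


def shows_warning(build, today, issuer_org, not_before):
    """True when the quoted rule would produce the certificate warning."""
    # Dates only, so the 10-week day itself counts as not yet stale.
    stale = today - build > STALE_AFTER
    affected = any(b in issuer_org.lower() for b in AFFECTED_BRANDS)
    return stale and affected and not_before >= ISSUED_CUTOFF


def affected_hosts(build, today, certs):
    """Hosts from certs that would show the warning on the given day."""
    return [h for h, org, nb in certs if shows_warning(build, today, org, nb)]


if __name__ == "__main__":
    build = recorded_build_date(2016, 11)  # Oxide build in OTA-14, per the thread
    print("recorded build date:", build)
    print("10 weeks old on:", ten_week_mark(build))
    print("affected on 2017-01-16:", affected_hosts(build, date(2017, 1, 16), SAMPLE_CERTS))
```

The same calculation applied to a newer build's recorded date gives the day on which these symptoms would be expected to return if no further update ships.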

Billdemoncho (billdemoncho) wrote :

Hello, I also encounter this problem from the Meizu Pro5 and on many sites, only a few days ago. I'm in OTA 14.
The site certificate is not approved. The security certificate of this site is not trustworthy. The server presented a security certificate that did not pass our trusted tests for an unknown reason.

Billdemoncho (billdemoncho) wrote :

Here is the certificate of one of the denied sites.

Changed in canonical-devices-system-image:
status: In Progress → Fix Committed

Filed another bug report for web browser not loading self-signed sites, as this problem persists with OTA-15: Bug #1662559

Tuomas Heino (iheino+ub) wrote :

Semi-worksforme @ OTA-15, as in symptoms disappeared for now.
But we shall see whether actual bug(s) were addressed as well
after 10 weeks assuming no OTA-16 before that.

Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released