webcompat / web-bugs

A place to report bugs on websites.
https://webcompat.com
Mozilla Public License 2.0

tweetdeck.twitter.com - "Secure connection failed" with an old pinned certificate #119295

Closed nukeador closed 1 year ago

nukeador commented 1 year ago

URL: http://tweetdeck.twitter.com/

Browser / Version: Firefox 111.0
Operating System: Ubuntu
Tested Another Browser: Yes Edge

Problem type: Site is not usable
Description: Page not loading correctly
Steps to Reproduce: It seems tweetdeck.twitter.com has messed with their certificates and Firefox users who visited the site in the past are getting MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

Browser Configuration
  • None


nukeador commented 1 year ago

I don't expect people to mess with SiteSecurityServiceState.txt themselves to solve it when it seems it's a tweetdeck issue. So if anyone has visited the site in the past, they will never be able to access it again.

softvision-raul-bucata commented 1 year ago

@nukeador Thanks for the report. As stated in the Matrix discussion, I was able to reproduce the issue in one profile (that has add-ons active), but not in another, on other devices as well.

Tested with:

Browser / Version: Firefox Nightly 112.0a1 (2023-03-09) (64-bit) / Firefox Beta 111.0b8 (64-bit)
Operating System: Windows 10 PRO x64

What I would usually do to test this kind of issue is:

  1. Type about:profiles in the url bar.
  2. Choose Create a new profile.
  3. Call it deleteme or anything you please.
  4. Then start it. (this way you will be sure that nothing is interfering, no ghost caching etc.)
  5. Test.

[qa_10/2023]

softvision-raul-bucata commented 1 year ago

@nukeador Can you please check in a new profile, with the instructions from above?

[inv_10/2023]

nukeador commented 1 year ago

There is clearly a manual fix, one that 99% of users won't know/do, and that's removing the pinned certificate manually:

Save and restart Firefox.

But this should be fixed on twitter side.

softvision-raul-bucata commented 1 year ago

@nukeador does it reproduce in a new profile? We are trying to eliminate the possibility of corrupt data or add-ons interfering. Or maybe some instances of Firefox get this error in a clean profile, and some don't. Can you double check, please?

[inv_10/2023]

nukeador commented 1 year ago

This issue will never happen in a new profile, because you will get a new fresh pinned certificate the first time you get into tweetdeck site.

This issue can be fixed on existing profiles as I described, but it's a terrible security practice to remove pinned certificates manually, and one that users will never do and, as a result, won't be able to access the site again.

softvision-raul-bucata commented 1 year ago

@nukeador Thanks for the updated info, I will pass this on.

softvision-raul-bucata commented 1 year ago

See also: https://twitter.com/search?q=tweetdeck%20firefox&src=typed_query&f=live

[inv_10/2023]

Archaeopteryx commented 1 year ago

The mentioned fix does not work here in the Linux VM because there are no entries about twitter in that file (had opened it in a private window).

denschub commented 1 year ago

People are actively investigating and mitigating, follow https://bugzilla.mozilla.org/show_bug.cgi?id=1821359 for updates. I'll close this as a duplicate.

otterolie commented 1 year ago

Go to about:config, search "security.cert_pinning.enforcement_level" and change it to 0. This fixed it for me and allowed me to use the old twitter deck once again.

Not sure if this opens any additional risks, please DYOR. Someone, please advise what this option actually does.

denschub commented 1 year ago

Someone, please advise what this option actually does.

This pref disables the pinned certificates for these sites, which will make Firefox accept any valid certificate for those domains. It is a valid temporary workaround.
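The pin check the comments above are describing, as an added illustration in Go (not code from the thread or from Firefox; the keys are constructed on the fly, and the enforce flag is a stand-in for the enforcement_level pref): a visitor's browser cached a pin for the site's old key, the site rotated to a key that was never pinned, and the served chain no longer matches anything in the pin set. It also goes one step beyond the thread to show that a backup pin published before the rotation would have let the new chain pass.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
)

// spkiPin is base64(SHA-256(DER SubjectPublicKeyInfo)), the form in which HPKP and Firefox pin sets store a key.
func spkiPin(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // cannot happen for a P-256 key
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinCheck models the client decision: as in HPKP, the chain passes if ANY key in it
// matches a cached pin. enforce=false models enforcement_level=0: pins are ignored.
func pinCheck(chain []*ecdsa.PublicKey, pins map[string]bool, enforce bool) bool {
	if !enforce {
		return true
	}
	for _, k := range chain {
		if pins[spkiPin(k)] {
			return true
		}
	}
	return false
}

// genKey makes a constructed P-256 key standing in for a site certificate's key.
func genKey() *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &k.PublicKey
}

// RotationScenario: the client cached a pin for oldKey; the site now serves newKey only.
// Returns pass/fail with (a) only the old pin, (b) a pre-published backup pin, (c) enforcement off.
func RotationScenario() (oldPinOnly, withBackup, unenforced bool) {
	oldKey, newKey := genKey(), genKey()
	cached := map[string]bool{spkiPin(oldKey): true}
	backup := map[string]bool{spkiPin(oldKey): true, spkiPin(newKey): true}
	served := []*ecdsa.PublicKey{newKey}
	return pinCheck(served, cached, true), pinCheck(served, backup, true), pinCheck(served, cached, false)
}
```

Case (a) is the MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE users hit; case (c) is what setting the pref to 0 does, which is why it should be reverted once the site side is fixed.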

Stratoprutser commented 1 year ago

How to solve this in FF 110.1.0 on Android? No about:config or access to SiteSecurityServiceState.txt there.

wget commented 1 year ago

@Stratoprutser just update to the version 111 that was pushed to the Play Store yesterday and it will do the trick ;)

Otherwise on desktop, I upgraded to v111, have reset back the "security.cert_pinning.enforcement_level" value to 1 and this is still working, so we can consider this issue completely fixed then =)

otterolie commented 1 year ago

Thanks for the update, updated my browser and now reset the certificate value. Please mark this as resolved.
