zulip-desktop
Blocking certificate error shown for broken 3rd party thumbnails
Describe the bug
Entering a channel where someone has posted a link with a thumbnail to a site that now has a broken TLS certificate throws an error.
To Reproduce
- Post a link (e.g. in March 2020) to a HTTPS site. The site is working correctly. Zulip generates a small "preview" with a title, description and image of the link. Everything works fine now.
- Wait until May 2021 and Zulip 4.x. By now the owner of the linked site has forgotten about it and its HTTPS cert expired and has not been renewed.
- Browse the channel where this message has been posted. A popup shows up, which is too technical, not helpful and not actionable (i.e. neither the user nor the server admin can do anything about it). After dismissing it, the channel works fine.
Expected behavior
No popup should show. Having a thumbnail fail to load due to a third party TLS failure should be a silent error and not annoy the user with a blocking modal window.
Screenshots
Desktop:
- Operating System: Ubuntu 21.04
- Zulip Desktop Version: 5.7.0 rev 37 (snap)
Additional context
This is on an up to date, self-hosted Zulip server. If you need more information, please let me know.
I've also seen this happen on Android, and it is a bit worse on mobile, as the error cannot be dismissed, so the channel is rendered unusable. Probably related: zulip/zulip-mobile#4726, zulip/zulip-mobile#4691
@elopez thanks for the report! I agree this is a bug; while this error-handling could make sense for certificate errors with the Zulip server one is connecting to, third-party domains should be ignored as per the browser default behavior.
(I notice in the code we have a comment noting a plan to delete parts of the function that displays this error; I'm not sure if that's on the path to fixing this or an adjacent issue)
Would commenting this out be a suitable fix, for now?
https://github.com/zulip/zulip-desktop/blob/ceb6417979b9cb94f8f3412f9074157a7355613e/app/main/index.ts#L245-L261
Since we want these certificate errors for the Zulip server one is connecting to, we can put a check on the url in the above code to throw the error only if it's on the connecting Zulip server and, for other third-party domains, ignore by default. I feel that is a suitable approach for this issue.
That seems like a great approach.
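One way to implement the check proposed above, as an added example that is not zulip-desktop's code: compare the origin of the failing URL with the origins of the configured servers, and keep rejecting the certificate in both cases. The function names, the handler wiring and the sample URLs are hypothetical.

```javascript
// Added example; every name and URL below is hypothetical or constructed.

// Reduce a URL to its origin (scheme, lowercased host, non-default port).
// Returns null for unparseable input or schemes without an origin.
function originOf(rawUrl) {
  try {
    const origin = new URL(rawUrl).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

// 'prompt' when the failing request targets a configured server, else 'silent'.
// Comparing whole origins avoids the prefix-match mistake where
// https://chat.example.org.lookalike.example would pass a startsWith() test.
function classifyCertificateError(failingUrl, configuredServerUrls) {
  const failing = originOf(failingUrl);
  if (failing === null) return 'silent';
  const servers = new Set(configuredServerUrls.map(originOf).filter(Boolean));
  return servers.has(failing) ? 'prompt' : 'silent';
}

// Shaped so it could be called from a certificate-error handler that is given
// the failing URL (assumed wiring). The return value is the trust decision,
// and it is always false: only the user-facing noise changes.
function handleCertificateError(failingUrl, error, servers, showDialog, log) {
  if (classifyCertificateError(failingUrl, servers) === 'prompt') {
    showDialog(`Certificate error for ${originOf(failingUrl)}: ${error}`);
  } else {
    log(`Ignored third-party certificate error (${error}): ${failingUrl}`);
  }
  return false;
}

// Constructed sample run.
const servers = ['https://chat.example.org/'];
for (const url of [
  'https://chat.example.org/json/events',
  'https://expired.example.net/og-image.png',
  'https://chat.example.org.lookalike.example/x',
]) {
  console.log(classifyCertificateError(url, servers), url);
}
```

A different port on the same host counts as a different origin here, so it is treated as third-party and logged rather than shown.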
Can I be of any help in regards to getting us towards a proposed PR? Our org gets this error several times a day from various domains so I'd love to get a fix sorted and deployed as soon as we can manage.
We also encountered the same issue. This link, when posted in a Zulip org with preview URL, causes the certificate error: https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=L0030013
The website itself actually has a valid certificate; it's the og:image header that references a domain without a proper certificate.
This should have been fixed by https://github.com/zulip/zulip/pull/20031 and I can no longer reproduce the issue, so I think this can be closed.
@andersk Pinging, since I don't have permissions to close issues in this repo.
Edited – sadly my happiness was premature (wrote earlier "happy to confirm that in our setup the error has been fixed with 4.8") but the issue persists, though in private messages only.
I can recreate this issue when connected to a captive network. This is annoying, as to access the offline data, sometimes I need to click through several of these errors.
I get this popup every time I get back home and connect to my apartment's wifi network.
In the few seconds before it authenticates me, the captive portal causes this popup even when zulip is minimized and just in my system tray.
I just have to mash ESC before using my computer but it would be very annoying if every program did this.
Could somebody look at the PR for this bug, please? It makes the app experience terrible.
Our PM says she spends at least 3 minutes a day batting down Zulip Certificate Modals, Can We Fix This pls?