Closed
Bug 654739
Opened 13 years ago
Closed 9 years ago
Empty SSL cert causes URL bar identity panel to show wrong details from another page
Categories
(Firefox :: Address Bar, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1126675
People
(Reporter: mikolaj, Unassigned)
References
()
Details
Attachments
(1 file)
2.88 KB,
image/png
|
Details |
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Cert info in URL bar wrong when swiching tab from URL with correctly generated SSL cert to tab with empty SSL cert info. $ openssl s_client -connect the.bucket.cc:443 2>/dev/null < /dev/null | openssl x509 -noout -text Certificate: Data: Version: 1 (0x0) Serial Number: ff:d8:85:c8:f4:3b:94:b3 Signature Algorithm: sha1WithRSAEncryption Issuer: Validity Not Before: Dec 9 01:07:55 2010 GMT Not After : Dec 9 01:07:55 2011 GMT Subject: Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): ... Reproducible: Always Steps to Reproduce: 1. open Firefox 4.0.1 2. open in one tab https://bugzilla.mozilla.org/ 3. open in second tab https://the.bucket.cc/ 4. switch between tabs back and forth 5. look at the url bar, near favicon 6. info there for the.bucket.cc will be shown as mozilla.org Actual Results: Wrong info for when connecting over HTTPS and cert has empty 'Subject' line. Expected Results: Probably no info for site with empty 'Subject' in SSL cert. It happens for any SSL site. I can to go https://mail.google.com/ and then back to https://the.bucket.cc/ and in URL bar it will there will be info that's cert is signed to google.com. Mouse over that info shows also wrong details.
Reporter | ||
Comment 1•13 years ago
|
||
See attachment how does it looks in my Firefox.
Comment 2•13 years ago
|
||
confirming with FF4.01 on win32 This could be a security problem but in this case you already get a security warning before entering the site due to the self signed certificate.
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3•13 years ago
|
||
yes, showing a certificate from another site on the wrong site sounds like something bad.
Updated•13 years ago
|
Summary: Empty SSL cert and URL bar info wrong → Empty SSL cert and causes URL bar identity info to show wrong details from another page
Updated•13 years ago
|
Summary: Empty SSL cert and causes URL bar identity info to show wrong details from another page → Empty SSL cert causes URL bar identity panel to show wrong details from another page
Reporter | ||
Comment 4•13 years ago
|
||
That is also happening when you click from site with proper cert to site with empty cert. For example here in this bug report, look at the URL bar identity and click at the following link https://the.bucket.cc/ -- URL bar identity fill not change, and still will be displayed as 'mozilla.org'.
Comment 6•9 years ago
|
||
Sorry for the forward dupe, but the other bug has more info on why this fails, and a working example (the.bucket.cc doesn't connect over here).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•