Closed
Bug 1156073
Opened 9 years ago
Closed 9 years ago
Public Key Pinning is deactivated when the SSL Certificate is invalid
Categories
(Firefox :: Untriaged, defect)
RESOLVED
DUPLICATE
of bug 1147497
People
(Reporter: king.jan1999.jr, Unassigned)
Details
(Keywords: sec-moderate)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150417183332
Steps to reproduce:
1. Set up a website on localhost, add an SSL certificate with an invalid common name and add public key pinning for this website (my virtualhost config: https://pastebin.mozilla.org/8830630, certificate: https://pastebin.mozilla.org/8830631, I removed some personal data. jan-ubuntu.de and ultimo.de are both routed to 127.0.0.1 in /etc/hosts)
2. Open the website and add an exception (I think many users would do so, because they know that the website owner can't afford a certificate or they want to visit the website)
Result: something like http://abload.de/img/ff1l4lz1.png, http://abload.de/img/cert10yxa8.png
3. Change the SSL certificate, use an invalid common name
(Certificate: https://pastebin.mozilla.org/8830632)
4. Open the website again
I used Firefox Beta (38.0) on Ubuntu (14.10) and a new profile to reproduce this.
Actual results:
I can add an exception for the website and visit it. (http://abload.de/img/ff2uraq7.png, http://abload.de/img/cert2esb4s.png)
Actually the HTTP header is sent both times (http://abload.de/img/pkp1i2yyb.png), but is simply ignored by Firefox.
Expected results:
I am not able to add an exception and Firefox prevents me from visiting the site. (like on the picture: http://abload.de/img/expectedd5ymg.png)
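The decision the report exercises is whether a stored pin set is enforced on a connection that validated only because the user added a certificate exception. The following is an added example, not Firefox's code and not something the reporter posted: a small model of an HPKP pin store that notes pins from a Public-Key-Pins header and validates later chains against them. It stands in constructed byte strings for real DER SubjectPublicKeyInfo blobs, and it makes two modelling choices: pin validation is skipped, and PKP headers are not noted, when the chain terminates at a user-defined trust anchor (RFC 7469 permits a UA to disable pin validation for such chains). Running it shows why a reporter in this situation sees the header "ignored" on the exception connection, and what the same store does for a chain anchored at a built-in root.

```python
import base64
import hashlib

# Constructed sample SubjectPublicKeyInfo blobs; real pins hash the DER-encoded SPKI.
LEAF_SPKI = b"constructed-leaf-spki-der"
BACKUP_SPKI = b"constructed-backup-spki-der"
ROGUE_SPKI = b"constructed-rogue-spki-der"


def pin_for_spki(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER-encoded SPKI (RFC 7469)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value into pins, max-age and includeSubDomains."""
    pins, max_age, include_subdomains = [], None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


class PinStore:
    """Minimal pin store modelling the note / validate steps of HPKP (assumption: simplified)."""

    def __init__(self):
        self._hosts = {}  # host -> (set of pins, expiry timestamp, includeSubDomains)

    def note_pins(self, host, header, chain_spkis, now, user_trust_anchor):
        """Store pins from a header seen on a validated connection; True if stored.

        Modelling choice: a header received on a connection that validated only
        through a user-added exception is ignored, so nothing is pinned from it.
        """
        if user_trust_anchor:
            return False
        policy = parse_hpkp(header)
        if policy["max_age"] == 0:            # max-age=0 clears any stored pins
            self._hosts.pop(host, None)
            return False
        chain_pins = {pin_for_spki(s) for s in chain_spkis}
        matched = chain_pins & set(policy["pins"])
        backup = set(policy["pins"]) - chain_pins
        if not matched or not backup:         # RFC 7469 needs one matching pin and one backup pin
            return False
        self._hosts[host] = (set(policy["pins"]), now + policy["max_age"], policy["include_subdomains"])
        return True

    def _lookup(self, host, now):
        """Find unexpired pins for host, honouring includeSubDomains on parent domains."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            pins, expires, include_sub = entry
            if now < expires and (i == 0 or include_sub):
                return pins
        return None

    def validate(self, host, chain_spkis, now, user_trust_anchor):
        """Return 'no-pins', 'skipped', 'ok' or 'pin-failure' for a presented chain."""
        pins = self._lookup(host, now)
        if pins is None:
            return "no-pins"
        if user_trust_anchor:                 # chain ends at a user-added exception: not enforced
            return "skipped"
        if any(pin_for_spki(s) in pins for s in chain_spkis):
            return "ok"
        return "pin-failure"


def demo():
    """Replay the report's scenario with constructed data; returns each outcome by name."""
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
        pin_for_spki(LEAF_SPKI), pin_for_spki(BACKUP_SPKI))
    store, host, results = PinStore(), "example.test", {}
    results["noted_via_exception"] = store.note_pins(host, header, [LEAF_SPKI], 1000, True)
    results["noted_via_builtin"] = store.note_pins(host, header, [LEAF_SPKI], 1000, False)
    results["good_builtin"] = store.validate(host, [LEAF_SPKI], 2000, False)
    results["rogue_builtin"] = store.validate(host, [ROGUE_SPKI], 2000, False)
    results["rogue_exception"] = store.validate(host, [ROGUE_SPKI], 2000, True)
    results["expired"] = store.validate(host, [ROGUE_SPKI], 1000 + 5184000, False)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The `rogue_exception` outcome is the one this report is about: the same rogue key that fails pin validation on a built-in-anchored chain is not checked at all once the chain is accepted through a user exception, so the protection a site operator expects from the header depends on which trust anchor the client ended up using.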
Comment 1•9 years ago
Hi - thanks for reporting this. We're tracking this in bug 1147497, which is security-sensitive right now, so I'm marking this security-sensitive as well.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release
Keywords: sec-moderate