1183483 - HTTPS Insecure Connection message misphrased

Status: RESOLVED INVALID

(Core Graveyard :: Security: UI, defect)

Description

[Nick Levinson]

In Firefox 38.0.5, I tried visiting a website using HTTPS instead of HTTP and got this under "This Connection is Untrusted . . . . . Technical Details": "cold32.com uses an invalid security certificate."/"The certificate is only valid for *.nfshost.com"/"(Error code: ssl_error_bad_cert_domain)". I own the website and I set it up for HTTP only. I tried accessing it via HTTPS only as an experiment to see what would happen if a browser were to try to impose HTTPS on all website visits, I have no certificate for it, and, since my host requires that if we want a certificate we must apply for generally one per site, I don't think my host has a wildcard certificate. So the browser was right to give me a message like it did but the technical details seem wrong. Someone else will know better than I do how it should be phrased. Whether bug 583191 is related is unclear to me.

Comment 1

[YF (Yang)]

I got the same result. But your website looks hosted on a web hosting service, this is probably normal. It serves multiple Web sites, including some HTTPS sites with certificate at same ip.

Comment 2

[Nick Levinson]

Yes, but the problem is not in the result but in the reason stated. It says the certificate is invalid when it should say that there is no certificate and it implies a wildcard certificate was found when it's unlikely the host has a wildcard certificate, since the host requires acquisition of a separate certificate for each subdomain a customer wants to cover (all, again, as of 12-31-15). So this is a phrasing or user interface problem. Should this be reopened?

Comment 3

[Nick Levinson]

Since I retested and reproduced the problem in the last few days in version 43.0, I'm updating the version menu in this report, while reopening is pending.

Comment 4

[YF (Yang)]

I think that the wording is no question, the certificate is not valid *for the site*, it omits some narrative.

original text: "cold32.com uses an invalid security certificate. The certificate is only valid for *.nfshost.com"

Comment 5

[:Cykesiopka]

Hi,

Thanks for filing the report.

https://cold32.com/ does in fact send a certificate - one that's valid for *.nfshosts.com. If you feel inclined, you can check this via software such as Wireshark.

I suspect your hosting provider simply uses this cert by default for sites that haven't applied for certs.

Since it's impossible to tell whether something like your situation is happening or an attack is occurring, I don't think there's anything we can do here.

Comment 6

[Nick Levinson]

My error. I checked with my host. They said there's no error but pointed out an error of mine, and I confirmed it in my .htaccess file and corrected it, resulting in a more specific certificate reference from Firefox.

However, when I just tested HTTPS access (https://cold32.com/), I got this from Firefox: "The owner of cold32.com has configured their website improperly." No, I didn't; I configured it properly, but it doesn't support HTTPS and doesn't have to, so my configuration is not improper. The rest of Firefox's response is okay, such as in listing a specific certificate, but I'd rephrase to "The owner of cold32.com has configured their website without HTTPS security support." The rest of Firefox's page would continue to make sense with this rephrasing.

I'll leave the status up to you.