HTTPS Insecure Connection message misphrased

RESOLVED INVALID

Status

Core Graveyard
Security: UI
--
trivial
RESOLVED INVALID
3 years ago
2 years ago

People

(Reporter: Nick Levinson, Unassigned)

Tracking

43 Branch
Unspecified
All

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

3 years ago
In Firefox 38.0.5, I tried visiting a website using HTTPS instead of HTTP and got this under "This Connection is Untrusted . . . . . Technical Details": "cold32.com uses an invalid security certificate." / "The certificate is only valid for *.nfshost.com" / "(Error code: ssl_error_bad_cert_domain)". I own the website and I set it up for HTTP only. I tried accessing it via HTTPS only as an experiment to see what would happen if a browser were to try to impose HTTPS on all website visits; I have no certificate for it, and, since my host requires that if we want a certificate we must apply for one, generally one per site, I don't think my host has a wildcard certificate. So the browser was right to give me a message like it did, but the technical details seem wrong. Someone else will know better than I do how it should be phrased. Whether bug 583191 is related is unclear to me.

Comment 1

3 years ago
I got the same result. But your website looks to be hosted on a web hosting service; this is probably normal. It serves multiple websites, including some HTTPS sites with a certificate, at the same IP.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Component: File Handling → General
OS: Linux → All
Resolution: --- → INVALID
(Reporter)

Comment 2

3 years ago
Yes, but the problem is not in the result but in the reason stated. It says the certificate is invalid when it should say that there is no certificate and it implies a wildcard certificate was found when it's unlikely the host has a wildcard certificate, since the host requires acquisition of a separate certificate for each subdomain a customer wants to cover (all, again, as of 12-31-15). So this is a phrasing or user interface problem. Should this be reopened?
(Reporter)

Comment 3

3 years ago
Since I retested and reproduced the problem in the last few days in version 43.0, I'm updating the version menu in this report, while reopening is pending.
Version: 38 Branch → 43 Branch

Comment 4

3 years ago
I think that the wording is not in question: the certificate is not valid *for the site*; it omits some narrative.

original text: "cold32.com uses an invalid security certificate. The certificate is only valid for *.nfshost.com"
Severity: normal → trivial
Status: RESOLVED → UNCONFIRMED
Component: General → Security: UI
Product: Firefox → Core
Resolution: INVALID → ---

Comment 5

2 years ago
Hi,

Thanks for filing the report.

https://cold32.com/ does in fact send a certificate - one that's valid for *.nfshosts.com. If you feel inclined, you can check this via software such as Wireshark.

I suspect your hosting provider simply uses this cert by default for sites that haven't applied for certs.

Since it's impossible to tell whether something like your situation is happening or an attack is occurring, I don't think there's anything we can do here.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago → 2 years ago
Resolution: --- → INVALID
(Reporter)

Comment 6

2 years ago
My error. I checked with my host. They said there's no error but pointed out an error of mine, and I confirmed it in my .htaccess file and corrected it, resulting in a more specific certificate reference from Firefox.

However, when I just tested HTTPS access (https://cold32.com/), I got this from Firefox: "The owner of cold32.com has configured their website improperly." No, I didn't; I configured it properly, but it doesn't support HTTPS and doesn't have to, so my configuration is not improper. The rest of Firefox's response is okay, such as in listing a specific certificate, but I'd rephrase to "The owner of cold32.com has configured their website without HTTPS security support." The rest of Firefox's page would continue to make sense with this rephrasing.

I'll leave the status up to you.
Summary: HTTPS untrusted-connection message seems erroneous → HTTPS Insecure Connection message misphrased
(Assignee)

Updated

2 years ago
Product: Core → Core Graveyard