SSL_ERROR_BAD_CERT_DOMAIN for www.unicredit.it but the certificate is correct

RESOLVED DUPLICATE of bug 1261919

Status


Core
Security: PSM
--
major
RESOLVED DUPLICATE of bug 1261919
2 years ago
2 years ago

People

(Reporter: flod, Unassigned)

Tracking

({regression})

48 Branch
regression
Points:
---

Firefox Tracking Flags

(firefox48 fix-optional)

Details

(Reporter)

Description

2 years ago
Today I tried to open my bank's website on Nightly 48.0a1 (2016-04-03) and got a certificate error:

https://www.unicredit.it/
Reported error is: SSL_ERROR_BAD_CERT_DOMAIN. The domain is valid only for 'www.unicredit.it' but that's exactly the domain I'm on.

The same website works fine on Developer Edition (47.0a2 (2016-04-03)) or Chrome.

It definitely used to work until 2-3 days ago, can't be completely sure on the dates because of the suspended updates. Other websites work just fine, so I'm not sure what's wrong with this specific website.
(Reporter)

Comment 1

2 years ago
This is weird: I'm still getting the error on an iMac (even on different profiles), same version works fine on a MacBook Air, both running OS X 10.11.4 (15E65)
(Reporter)

Comment 2

2 years ago
(In reply to Francesco Lodolo [:flod] from comment #1)
> This is weird: I'm still getting the error on an iMac (even on different
> profiles), same version works fine on a MacBook Air, both running OS X
> 10.11.4 (15E65)

Now getting the error on the Air too (tried a clean profile, and hard refresh on the existing profile). On the Air I tried loading the website with 48.0a1 (2016-04-02) and it did work.

On Windows and Linux I still have 2016-04-02 and the website loads without errors.
(Reporter)

Comment 4

2 years ago
@David
Is this a known/expected fall-out of bug 1245280?
Flags: needinfo?(dkeeler)
Comment 5

Essentially, yes. It turns out the issuing CA frequently misissues certificates with this problem, so I filed bug 1261919 to reach out to them so they can fix their issuing practices.
Flags: needinfo?(dkeeler)
(Reporter)

Comment 6

2 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #5)
> Essentially, yes. It turns out the issuing CA frequently misissues
> certificates with this problem, so I filed bug 1261919 to reach out to them
> so they can fix their issuing practices.

Do we have any telemetry data about how many websites have this issue? Unicredit is in the top 30 banks in the world by assets according to stats; it's kind of scary, especially if other browsers don't adopt the same behavior.

Also the error message we're showing in Firefox is really unhelpful: "I'm not going to show you X because this website is valid only for the domain X".
Comment 7

http://mzl.la/1UQQGgt indicates it's ~.02% of connections (bucket 1). The patch in bug 1245280 was designed so that prerelease channels will see the error but release channels will only see the error for "new" certificates (issued after August 23, 2016).
I agree the error message is unhelpful and misleading. I filed bug 1261936 to fix it.
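Added example (Python, not code from Firefox or from anyone in this thread) modelling the rollout policy described in comment 7: hostname matching that treats SAN dNSName entries as authoritative and consults the subject CN only where the fallback is still permitted. It assumes, since the thread does not spell it out, that the misissued certificates name the host only in the CN and carry no SAN dNSName entry; the channel names, the simplified wildcard rule and the sample certificate contents are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Cut-off quoted in comment 7: release builds keep the CN fallback only for
# certificates issued (notBefore) on or before this date.
CN_FALLBACK_CUTOFF = date(2016, 8, 23)
PRERELEASE_CHANNELS = {"nightly", "aurora"}  # assumed channel names

@dataclass
class Cert:
    subject_cn: str   # subject Common Name ("" if absent)
    san_dns: list     # dNSName entries of subjectAltName ([] if none)
    not_before: date  # start of the validity period ("issued")

def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive; '*' only as the whole leftmost label, one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        pl, hl = p.split("."), h.split(".")
        return len(pl) == len(hl) and pl[1:] == hl[1:]
    return False

def cn_fallback_allowed(cert: Cert, channel: str) -> bool:
    """Pre-release never falls back; release only for certs issued up to the cut-off."""
    if channel in PRERELEASE_CHANNELS:
        return False
    return cert.not_before <= CN_FALLBACK_CUTOFF

def verify_hostname(cert: Cert, host: str, channel: str) -> tuple:
    """Return (accepted, explanation). SAN dNSNames are authoritative; the CN
    is consulted only when there are none and the fallback policy allows it."""
    for name in cert.san_dns:
        if dns_name_matches(name, host):
            return True, f"matched SAN dNSName {name!r}"
    if cert.san_dns:
        return False, f"SSL_ERROR_BAD_CERT_DOMAIN: {host!r} not among {cert.san_dns}"
    cn_ok = dns_name_matches(cert.subject_cn, host)
    if cn_ok and cn_fallback_allowed(cert, channel):
        return True, f"accepted via deprecated CN fallback {cert.subject_cn!r}"
    if cn_ok:
        return False, (f"SSL_ERROR_BAD_CERT_DOMAIN: CN {cert.subject_cn!r} names "
                       "the host but there is no SAN dNSName and CN fallback is off")
    return False, f"SSL_ERROR_BAD_CERT_DOMAIN: {host!r} matches neither SAN nor CN"

# Constructed sample modelled on the report (real contents are not in the
# thread): the CN names the host but the SAN extension has no dNSName entry.
BANK_CERT = Cert("www.unicredit.it", [], date(2016, 3, 1))
```

Calling verify_hostname on BANK_CERT shows the same certificate rejected on a pre-release channel and accepted on release, the split comment 7 describes, and the explanation string makes clear that the CN did match, which is the detail the original error message hid.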
(Reporter)

Comment 8

2 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> http://mzl.la/1UQQGgt indicates it's ~.02% of connections (bucket 1). The
> patch in bug 1245280 was designed so that prerelease channels will see the
> error but release channels will only see the error for "new" certificates
> (issued after August 23, 2016).

Thanks for the explanation (and this is a lot more reassuring).

Comment 9

2 years ago
re comment #6: Chrome is looking to adopt the same behaviour shortly (likely next week; too close to a branch point). https://bugs.chromium.org/p/chromium/issues/detail?id=308330 is the overall tracking bug. We're looking at enforcing it for all certificates (not just "new" certificates)
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1261919
Dealing with this in the original bug.
status-firefox48: affected → fix-optional