Closed Bug 1261680 Opened 9 years ago Closed 9 years ago

SSL_ERROR_BAD_CERT_DOMAIN for www.unicredit.it but the certificate is correct

Categories

(Core :: Security: PSM, defect)

48 Branch
defect
Not set
major

RESOLVED DUPLICATE of bug 1261919
Tracking Status
firefox48 --- fix-optional

People

(Reporter: flod, Unassigned)

Details

(Keywords: regression)

Today I tried to open my bank's website on Nightly 48.0a1 (2016-04-03) and got a certificate error: https://www.unicredit.it/ Reported error is: SSL_ERROR_BAD_CERT_DOMAIN. The domain is valid only for 'www.unicredit.it' but that's exactly the domain I'm on. The same website works fine on Developer Edition (47.0a2 (2016-04-03)) or Chrome. It definitely used to work until 2-3 days ago, can't be completely sure on the dates because of the suspended updates. Other websites work just fine, so I'm not sure what's wrong with this specific website.
This is weird: I'm still getting the error on an iMac (even on different profiles), same version works fine on a MacBook Air, both running OS X 10.11.4 (15E65)
(In reply to Francesco Lodolo [:flod] from comment #1)
> This is weird: I'm still getting the error on an iMac (even on different profiles), same version works fine on a MacBook Air, both running OS X 10.11.4 (15E65)

Now getting the error on the Air too (tried a clean profile, and hard refresh on the existing profile). On the Air I tried loading the website with 48.0a1 (2016-04-02) and it did work. On Windows and Linux I still have 2016-04-02 and the website loads without errors.
@David Is this a known/expected fall-out of bug 1245280?
Flags: needinfo?(dkeeler)
Essentially, yes. It turns out the issuing CA frequently misissues certificates with this problem, so I filed bug 1261919 to reach out to them so they can fix their issuing practices.
Flags: needinfo?(dkeeler)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #5)
> Essentially, yes. It turns out the issuing CA frequently misissues certificates with this problem, so I filed bug 1261919 to reach out to them so they can fix their issuing practices.

Do we have any telemetry data about how many websites have this issue? Unicredit is in the top 30 banks in the world by assets according to stats, it's kind of scary, especially if other browsers don't adopt the same behavior. Also the error message we're showing in Firefox is really unhelpful: "I'm not going to show you X because this website is valid only for the domain X".
http://mzl.la/1UQQGgt indicates it's ~.02% of connections (bucket 1). The patch in bug 1245280 was designed so that prerelease channels will see the error but release channels will only see the error for "new" certificates (issued after August 23, 2016). I agree the error message is unhelpful and misleading. I filed bug 1261936 to fix it.
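As an added illustration of the policy keeler describes in comment 7 (this is not code from Mozilla or from this bug), the model below assumes the mis-issuance in question is a certificate whose hostname appears only in the subject Common Name with no subjectAltName dNSName entries, and applies the prerelease versus release cutoff of August 23, 2016 from the comment. The `dns_name_matches` and `verify_hostname` functions and the sample certificate values are constructed for the example.

```python
from datetime import date

# Cutoff quoted in the thread: on release channels the stricter check applies
# only to certificates issued after this date; prerelease channels always apply it.
NEW_CERT_CUTOFF = date(2016, 8, 23)


def dns_name_matches(presented: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one presented DNS identifier with a hostname.
    Only a single leading '*.' wildcard is honoured, and it must cover exactly one
    label: '*.example.com' matches 'www.example.com' but not 'a.b.example.com'."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if presented.startswith("*."):
        suffix = presented[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        first_label = hostname[: -len(suffix)]
        return bool(first_label) and "." not in first_label
    return presented == hostname


def verify_hostname(hostname, san_dns_names, common_name, not_before_iso, prerelease):
    """Return (accepted, reason) under the policy described in the thread.
    subjectAltName dNSName entries are authoritative; the subject CN is consulted
    only when no dNSName entries exist at all and the channel still permits that
    legacy fallback (assumption: this is the mis-issuance the thread refers to)."""
    if any(dns_name_matches(name, hostname) for name in san_dns_names):
        return True, "matched a subjectAltName dNSName"
    if san_dns_names:
        # A SAN extension is present but nothing matches; the CN is never consulted.
        return False, "SSL_ERROR_BAD_CERT_DOMAIN: no dNSName entry matches"
    not_before = date.fromisoformat(not_before_iso)
    fallback_allowed = (not prerelease) and not_before <= NEW_CERT_CUTOFF
    if fallback_allowed and dns_name_matches(common_name, hostname):
        return True, "matched subject CN (legacy fallback)"
    return False, "SSL_ERROR_BAD_CERT_DOMAIN: name only in CN, fallback not permitted"


if __name__ == "__main__":
    # Constructed stand-in for the reporter's certificate: CN only, no SAN.
    host, cn = "www.unicredit.it", "www.unicredit.it"
    for label, issued, pre in [("Nightly 48", "2016-03-01", True),
                               ("Release, cert issued before cutoff", "2016-03-01", False),
                               ("Release, cert issued after cutoff", "2016-09-01", False)]:
        print(label, "->", verify_hostname(host, [], cn, issued, pre))
```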
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> http://mzl.la/1UQQGgt indicates it's ~.02% of connections (bucket 1). The patch in bug 1245280 was designed so that prerelease channels will see the error but release channels will only see the error for "new" certificates (issued after August 23, 2016).

Thanks for the explanation (and this is a lot more reassuring).
re comment #6: Chrome is looking to adopt the same behaviour shortly (likely next week; too close to a branch point). https://bugs.chromium.org/p/chromium/issues/detail?id=308330 is the overall tracking bug. We're looking at enforcing it for all certificates (not just "new" certificates).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Dealing with this in the original bug.