Closed
Bug 1278053
Opened 9 years ago
Closed 9 years ago
Visit site anyway allows to load any domains if same invalid certificate is used.
Categories
(Firefox for iOS :: Browser, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: sdna.muneaki.nishimura, Assigned: bnicholson)
Details
(Keywords: reporter-external, sec-high)
Attachments
(1 file)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36
Steps to reproduce:
The following two web sites use the same *invalid* certificate whose CN is Akamai.
https://us.playstation.com/
https://www.forbes.com/
Open https://us.playstation.com/ and tap "Visit site anyway" on the certificate error page.
Actual results:
Firefox for iOS allows loading not only us.playstation.com but also https://www.forbes.com/.
Suppose an attacker does MITM for all https web origins; if the same fraud certificate is used, Firefox shows a warning only for the first accessed domain, and any successive web sites are automatically allowed to load.
The reason is that ErrorPageHelper registers the permitted certificate in the certStore without the accepted domain name.
https://github.com/mozilla/firefox-ios/blob/78df359fd64aa7fc98bb2e1e7f65863c434fd3bb/Client/Frontend/Browser/ErrorPageHelper.swift#L294
Expected results:
"Visit site anyway" should be applied to the domain the user permitted.
Reporter
Comment 1•9 years ago
Note that Safari and Chrome for iOS correctly block each invalid https host even if the same certificate is used.
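The root cause described in the report, as an added example that is not part of the original bug or of Firefox for iOS's code: a certificate exception store keyed by certificate alone, next to one that binds the exception to the origin the user approved. The type names, the key format, and the sample hosts and certificate bytes are assumptions constructed for illustration.

```swift
import Foundation

// Simplified model of the reported flaw: the exception is keyed by the
// certificate alone, so it applies to every host presenting that certificate.
struct CertOnlyExceptionStore {
    var accepted = Set<Data>()
    mutating func addException(cert: Data) { accepted.insert(cert) }
    func isAllowed(cert: Data, url: URL) -> Bool { accepted.contains(cert) }
}

// Hardened model: the exception is keyed by origin plus certificate.
// The key format is an assumption made for this example.
struct OriginBoundExceptionStore {
    var accepted = Set<String>()

    private func key(cert: Data, url: URL) -> String? {
        guard let scheme = url.scheme?.lowercased(),
              let host = url.host?.lowercased() else { return nil }
        let port = url.port ?? (scheme == "https" ? 443 : 80)
        return "\(scheme)://\(host):\(port)|\(cert.base64EncodedString())"
    }
    mutating func addException(cert: Data, url: URL) {
        if let k = key(cert: cert, url: url) { accepted.insert(k) }
    }
    func isAllowed(cert: Data, url: URL) -> Bool {
        guard let k = key(cert: cert, url: url) else { return false }
        return accepted.contains(k)
    }
}

// Constructed sample data: stand-in certificate bytes and reserved test hosts.
let sharedCert = Data("constructed-invalid-certificate".utf8)
let permittedSite = URL(string: "https://first.example/")!
let otherSite = URL(string: "https://second.example/")!

var certOnly = CertOnlyExceptionStore()
certOnly.addException(cert: sharedCert) // user tapped through on permittedSite
print("cert-only, other site allowed:", certOnly.isAllowed(cert: sharedCert, url: otherSite))

var originBound = OriginBoundExceptionStore()
originBound.addException(cert: sharedCert, url: permittedSite)
print("origin-bound, permitted site allowed:", originBound.isAllowed(cert: sharedCert, url: permittedSite))
print("origin-bound, other site allowed:", originBound.isAllowed(cert: sharedCert, url: otherSite))
```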
Comment 2•9 years ago
Brian, looks like your code. Can you take a look?
Flags: needinfo?(bnicholson)
Keywords: sec-high
Assignee
Comment 3•9 years ago
Good catch. Yes, I'll fix this right away.
Assignee: nobody → bnicholson
Status: NEW → ASSIGNED
Flags: needinfo?(bnicholson)
Assignee
Comment 4•9 years ago
Attachment #8761764 - Flags: review?(sarentz)
Comment 5•9 years ago
Comment on attachment 8761764
Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1905
Looks good. Do you think we can create a unit test for this? Or maybe just for the lookup logic?
Attachment #8761764 - Flags: review?(sarentz) → review+
Updated•9 years ago
Whiteboard: [needsuplift]
Comment 6•9 years ago
Marked as needsuplift, but I don't know if sleroux will see this bug since he has no secure bug privs? I'll cc him anyway.
Assignee
Comment 7•9 years ago
(In reply to Stefan Arentz [:st3fan] from comment #5)
> Comment on attachment 8761764
> Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1905
>
> Looks good. Do you think we can create a unit test for this? Or maybe
> just for the lookup logic?
Thanks for the reminder -- we already have CertTests, so I updated it with origin support.
Assignee
Comment 8•9 years ago
master: https://github.com/mozilla/firefox-ios/commit/35c48006eddfa1f626801c1a6ac530b3e3bd51f5
v5.x: 1711054
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-fxios-v5.0: --- → fixed
status-fxios-v6.0: --- → fixed
tracking-fxios: --- → 5.0+
Resolution: --- → FIXED
Whiteboard: [needsuplift]
Updated•9 years ago
Flags: sec-bounty?
Updated•9 years ago
Group: firefox-core-security → core-security-release
Updated•9 years ago
Flags: sec-bounty? → sec-bounty+
Updated•9 years ago
Group: core-security-release
Updated•1 year ago
Keywords: reporter-external