Closed
Bug 1417440
Opened 7 years ago
Closed 7 years ago
Firefox should automatically try https://<site> when https://www.<site> fails (e.g. certificate error), and the opposite should also be present
Categories
(Core :: Security, defect)
RESOLVED
WONTFIX
People
(Reporter: 92kxul+f8pn69s8ppee8, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20100101

Steps to reproduce:
Go to https://www.catbox.moe

Actual results:
It gave me an invalid certificate error page

Expected results:
Firefox should also try to connect to https://catbox.moe when https://www.catbox.moe failed, and then redirect to it, just like Chromium does: https://www.browserling.com/browse/win/7/chrome/61/https%3A%2F%2Fwww.catbox.moe%2F
Updated•7 years ago
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Comment 2•7 years ago
seems to me we're doing the right thing. let me look into it.
Flags: needinfo?(mcmanus)
Comment 3•7 years ago
Our Chrome Twitter friends were happy to shed some light.. see below.

tl;dr this is some unspecced URI fixup logic in Chrome covering up the bad cert on https://www.catbox.moe while Firefox shows the base error that cert does have.

OP: I'm not sure if you're the admin of catbox.moe or not, if you are I'm confident the Chrome team would agree the best fix would be to just fix your LE Cert to have both names.

My opinion here is WONTFIX, but this should really be something for security engineering to decide. So I'll forward it on.

these links will help:
https://twitter.com/mcmanusducksong/status/931082336623398914
look under end-user-magic here https://textslashplain.com/2017/03/01/the-trouble-with-magic/
especially https://twitter.com/sleevi_/status/931187914196881408 and https://twitter.com/estark37/status/931190708936962048
Component: Networking: HTTP → Security
Flags: needinfo?(tanvi)
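The fix suggested in comment 3 is a certificate that carries both names. As an added example (not code from this bug, Firefox or Chrome), the check below reports which of `<site>` and `www.<site>` a certificate's dNSName SAN list covers, using simplified RFC 6125-style matching; the function names and the `example.test` SAN lists are constructed for illustration.

```python
# Added example: does a certificate's SAN list cover both <site> and www.<site>?
# The SAN lists used here are constructed samples, not read from a real certificate.

def _norm(name: str) -> str:
    """Lower-case and drop trailing dots so comparisons are canonical."""
    return name.strip().lower().rstrip(".")


def san_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 match: exact name, or '*' as the whole left-most label."""
    p, h = _norm(pattern).split("."), _norm(host).split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero or two
    if p[0] == "*":
        # refuse overly broad patterns such as "*.test"
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def www_pair_coverage(dns_sans, site):
    """Map each spelling of the site (apex, www) to True if some SAN covers it."""
    apex = _norm(site)
    if apex.startswith("www."):
        apex = apex[4:]
    return {
        host: any(san_matches(s, host) for s in dns_sans)
        for host in (apex, "www." + apex)
    }


def missing_names(dns_sans, site):
    """Names to add to the next certificate request so both spellings validate."""
    return [h for h, ok in www_pair_coverage(dns_sans, site).items() if not ok]


if __name__ == "__main__":
    samples = {  # constructed SAN lists
        "apex only": ["example.test"],
        "wildcard only": ["*.example.test"],
        "both names": ["example.test", "www.example.test"],
    }
    for label, sans in samples.items():
        gaps = missing_names(sans, "www.example.test")
        print(f"{label}: missing {gaps if gaps else 'nothing'}")
```

The wildcard-only case is the one that is easy to overlook: `*.example.test` covers `www.example.test` but not the bare `example.test`.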
Reporter
Comment 4•7 years ago
(In reply to Patrick McManus [:mcmanus] from comment #3)
> OP: I'm not sure if you're the admin of catbox.moe or not, if you are I'm
> confident the Chrome team would agree the best fix would be to just fix your
> LE Cert to have both names.

I'm not the admin of that website, I was just making a ruleset for HTTPS Everywhere and noticed that behavior with Chromium.
https://github.com/EFForg/https-everywhere/pull/13578

We normally add rules like
<rule from="^http://www\.catbox\.moe/" to="https://catbox.moe/" />
to deal with such cases.
Reporter
Updated•7 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Comment 5•7 years ago
If we get a cert error, could we try the www version in the background? And provide the users a link to it in the error page, as Emily hints at on Twitter? Adding JC for thoughts.
Flags: needinfo?(tanvi) → needinfo?(jjones)
Comment 6•6 years ago
I'm with Ryan Sleevi on this [1]. It's not good for the ecosystem to have such a kludge, and I'm sad that Chrome has it today. I think this should stay WONTFIX, and hopefully Chrome will issue an intent-to-deprecate for their behavior.

[1] https://twitter.com/sleevi_/status/931186229244252160
Flags: needinfo?(jjones)
Comment 7•6 years ago
(In reply to J.C. Jones [:jcj] from comment #6)
> I'm with Ryan Sleevi on this [1]. It's not good for the ecosystem to have
> such a kludge, and I'm sad that Chrome has it today.

I'm not proposing we do it automatically. Users will still get the cert error page. They will just have a way to get around it. So they will experience poor UX instead of horrible UX.