Closed Bug 1417440 Opened 7 years ago Closed 7 years ago

Firefox should automatically try https://<site> when https://www.<site> fails (e.g. certificate error), and the opposite should also be present

Categories: Core :: Security, defect
Version: 58 Branch
Type: defect
Priority: Not set
Severity: normal
Tracking: RESOLVED WONTFIX
People: Reporter: 92kxul+f8pn69s8ppee8; Unassigned

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20100101

Steps to reproduce:

Go to https://www.catbox.moe


Actual results:

It gave me an invalid certificate error page


Expected results:

Firefox should also try to connect to https://catbox.moe when https://www.catbox.moe failed, and then redirect to it, just like Chromium does:  https://www.browserling.com/browse/win/7/chrome/61/https%3A%2F%2Fwww.catbox.moe%2F
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Patrick might have some idea
Flags: needinfo?(mcmanus)
Seems to me we're doing the right thing. Let me look into it.
Flags: needinfo?(mcmanus)
Our Chrome Twitter friends were happy to shed some light; see below. tl;dr: this is some unspecced URI fixup logic in Chrome covering up the bad cert on https://www.catbox.moe, while Firefox shows the base error that cert does have.

OP: I'm not sure if you're the admin of catbox.moe or not; if you are, I'm confident the Chrome team would agree the best fix would be to just fix your LE cert to have both names.

My opinion here is WONTFIX, but this should really be something for security engineering to decide. So I'll forward it on.

These links will help:

https://twitter.com/mcmanusducksong/status/931082336623398914

Look under "end-user magic" here: https://textslashplain.com/2017/03/01/the-trouble-with-magic/

Especially https://twitter.com/sleevi_/status/931187914196881408

And https://twitter.com/estark37/status/931190708936962048
Component: Networking: HTTP → Security
Flags: needinfo?(tanvi)
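To make concrete what the "URI fixup" above covers up, here is a small added model of the two browser behaviours under discussion. This is example code written for this page, not Firefox or Chromium code: a simplified RFC 6125-style name match, a constructed table of which dNSName SANs each (invented) host's certificate carries, and a `navigate()` that either surfaces the name mismatch for the URL the user typed (the Firefox behaviour) or silently retries the www/non-www alternate and redirects if that name validates (the Chrome behaviour). `apex-only.test` mirrors the report: one certificate issued for the bare name only, served on both names.

```python
"""Constructed model of certificate name matching plus the www/non-www fixup
discussed in the thread. Not browser code; all host names are invented."""
from urllib.parse import urlsplit, urlunsplit

# Constructed "registry": the dNSName SANs in the certificate each host serves.
# apex-only.test mirrors the bug report (cert has only the apex name, served on
# www too). wildcard.test shows that *.wildcard.test does not cover the apex.
SERVER_CERT_SANS = {
    "apex-only.test": ["apex-only.test"],
    "www.apex-only.test": ["apex-only.test"],
    "both.test": ["both.test", "www.both.test"],
    "www.both.test": ["both.test", "www.both.test"],
    "wildcard.test": ["*.wildcard.test"],
    "www.wildcard.test": ["*.wildcard.test"],
}

NAME_MISMATCH = "name mismatch"


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 section 6.4.3 style match: case-insensitive, a wildcard only
    as the whole left-most label, matching exactly one label. Patterns like
    *.tld are refused, as public CAs do."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(sans, host: str) -> bool:
    return any(dns_name_matches(name, host) for name in sans)


def fetch(url: str):
    """Simulate the TLS connection for one URL: (ok, reason)."""
    host = urlsplit(url).hostname
    sans = SERVER_CERT_SANS.get(host)
    if sans is None:
        return False, "connection refused"
    if not cert_matches_host(sans, host):
        return False, NAME_MISMATCH
    return True, "ok"


def www_alternate(host: str) -> str:
    """The one alternate name the fixup tries: strip or add a leading www."""
    return host[4:] if host.startswith("www.") else "www." + host


def navigate(url: str, fixup: bool = True):
    """Return (final_url, outcome).

    fixup=True models the Chrome behaviour described in the thread: on a
    certificate name mismatch, try the www/non-www alternate in the
    background and redirect to it if that name validates.
    fixup=False models Firefox: report the error for the URL actually typed."""
    ok, reason = fetch(url)
    if ok or not fixup or reason != NAME_MISMATCH:
        return url, reason
    parts = urlsplit(url)
    alt_host = www_alternate(parts.hostname)
    alt_netloc = alt_host + (f":{parts.port}" if parts.port else "")
    alt_url = urlunsplit((parts.scheme, alt_netloc, parts.path,
                          parts.query, parts.fragment))
    alt_ok, _ = fetch(alt_url)
    if alt_ok:
        return alt_url, "redirected after fixup"
    return url, reason


if __name__ == "__main__":
    for u in ("https://www.apex-only.test/x", "https://wildcard.test/",
              "https://www.both.test/"):
        print(u, "->", navigate(u, fixup=False), "|", navigate(u))
```

The point of the thread shows up in where the fix lives: `navigate()` can paper over the `apex-only.test` entry, but the actual defect is in `SERVER_CERT_SANS`, and the operator-side fix is the `both.test` shape, a certificate carrying both names. The wildcard case is the same lesson in the other direction: `*.wildcard.test` covers `www.wildcard.test` but not the apex, so a site-side check of the SAN list against every name you serve is what prevents the error page in the first place.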
(In reply to Patrick McManus [:mcmanus] from comment #3)
> OP: I'm not sure if you're the admin of catbox.moe or not; if you are, I'm
> confident the Chrome team would agree the best fix would be to just fix your
> LE cert to have both names.

I'm not the admin of that website; I was just making a ruleset for HTTPS Everywhere and noticed that behavior with Chromium. https://github.com/EFForg/https-everywhere/pull/13578 We normally add rules like <rule from="^http://www\.catbox\.moe/" to="https://catbox.moe/" /> to deal with such cases.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
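The kind of rule the reporter mentions is a regex rewrite inside an HTTPS Everywhere ruleset, which is an explicit, per-site declaration of the www-to-apex move rather than browser-wide magic. As an added example (not HTTPS Everywhere's own code, and simplified: exact-host targets only, no wildcard targets, no securecookie handling), the block below parses a constructed ruleset in that XML shape and applies it: exclusions win, then the first matching rule rewrites the URL, with JavaScript-style `$1` backreferences in `to` translated to Python's `\1`.

```python
"""Constructed, simplified HTTPS Everywhere-style ruleset parser and applier.
Example code for this page, not the extension's implementation."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the style of the one the reporter describes:
# www.<site> has no working HTTPS, so http://www.<site>/ is sent to
# https://<site>/, while the apex itself is simply upgraded to https.
RULESET_XML = r"""
<ruleset name="Example (www to apex)">
  <target host="example.test" />
  <target host="www.example.test" />
  <exclusion pattern="^http://www\.example\.test/legacy/" />
  <rule from="^http://www\.example\.test/" to="https://example.test/" />
  <rule from="^http://(example\.test)/" to="https://$1/" />
</ruleset>
"""


class Ruleset:
    def __init__(self, xml_text: str):
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        # Exact-host targets only (the real format also allows *.host).
        self.targets = {t.get("host").lower() for t in root.findall("target")}
        self.exclusions = [re.compile(e.get("pattern"))
                           for e in root.findall("exclusion")]
        # "to" uses JS-style $1; convert to Python's \1 for re.sub.
        self.rules = [(re.compile(r.get("from")),
                       re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
                      for r in root.findall("rule")]

    def rewrite(self, url: str):
        """Return the rewritten URL, or None if the ruleset leaves it alone."""
        host = (urlsplit(url).hostname or "").lower()
        if host not in self.targets:
            return None
        if any(e.search(url) for e in self.exclusions):
            return None
        for pattern, replacement in self.rules:
            if pattern.search(url):
                return pattern.sub(replacement, url, count=1)
        return None


RULESET = Ruleset(RULESET_XML)


def rewrite_url(url: str):
    """Apply the constructed ruleset to one URL."""
    return RULESET.rewrite(url)


if __name__ == "__main__":
    for u in ("http://www.example.test/path?q=1", "http://example.test/a",
              "http://www.example.test/legacy/x", "http://other.test/"):
        print(u, "->", rewrite_url(u))
```

Two details matter in practice: rule order is first-match, so the www-specific rule must precede the generic upgrade, and exclusions are checked before any rule so a path that genuinely lacks HTTPS is left untouched rather than broken.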
If we get a cert error, could we try the www version in the background? And provide the users a link to it in the error page, as Emily hints at on Twitter?

Adding JC for thoughts.
Flags: needinfo?(tanvi) → needinfo?(jjones)
I'm with Ryan Sleevi on this [1]. It's not good for the ecosystem to have such a kludge, and I'm sad that Chrome has it today.

I think this should stay WONTFIX, and hopefully Chrome will issue an intent-to-deprecate for their behavior.

[1] https://twitter.com/sleevi_/status/931186229244252160
Flags: needinfo?(jjones)
(In reply to J.C. Jones [:jcj] from comment #6)
> I'm with Ryan Sleevi on this [1]. It's not good for the ecosystem to have
> such a kludge, and I'm sad that Chrome has it today.

I'm not proposing we do it automatically. The user will still get the cert error page. They will just have a way to get around it. So they will experience poor UX instead of horrible UX.