https://magmalabs.io redirects to https://www.magmalabs.io in Chrome but not Firefox [SSLCommonNameMismatchHandling]
Categories
(Firefox :: Security, defect, P2)
Tracking
()
People
(Reporter: cpeterson, Assigned: prathiksha)
References
(Blocks 1 open bug, )
Details
(Keywords: parity-chrome)
Attachments
(1 file)
Steps to reproduce
Expected results
https://magmalabs.io/ should redirect to https://www.magmalabs.io/ like Chrome does using its SSLCommonNameMismatchHandling heuristics. Here is a 2016 blog post about Chrome's SSLCommonNameMismatchHandling:
Actual results
https://magmalabs.io/ produces a TLS error in Firefox (and Safari and IE11):
Nightly does not trust this site because it uses a certificate that is not valid for magmalabs.io. The certificate is only valid for the following names: m.magmalabs.io, www.magmalabs.io
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Firefox, Safari, and IE11 seem to be making a more conservative security stance here than Chrome, but this could be a webcompat problem for Firefox.
B.J. Herbison debugged in Chrome a bit and wrote:
I opened up the Network panel in https://magmalabs.io/ and saw a request for magmalabs.io appear in red with the message Failed, and then it loaded www.magmalabs.io and went on--and it cleared the previous entries as it does when it starts the display of a new page. So it gives up quickly, tries an alternative, and doesn't report the original error to the user.
Actually, going back to the console I find this:
Redirecting navigation magmalabs.io -> www.magmalabs.io because the server presented a certificate valid for www.magmalabs.io but not for magmalabs.io. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling
Reporter | ||
Comment 1•4 years ago
|
||
Chrome compat issue
Updated•4 years ago
|
PSM probably isn't the right place for this bug - this is a decision that needs to happen at a higher level.
Comment 3•4 years ago
|
||
I'm in favor of this. I can try to figure out if we have any objections internally, though.
Reporter | ||
Comment 4•4 years ago
|
||
Probably worth investigating what other HTTPS error heuristics Chrome may have implemented.
https://cs.chromium.org/chromium/src/components/security_interstitials/content/ssl_error_assistant.h
Comment 5•4 years ago
|
||
About 10M unique users experience a SSL_ERROR_BAD_CERT_DOMAIN error every month: https://sql.telemetry.mozilla.org/queries/70045/source#176450
These 10M users generate 78M SSL_ERROR_BAD_CERT_DOMAIN error page displays in a month: https://sql.telemetry.mozilla.org/queries/70046/source
This seems to be a great churn reduction opportunity, if there are no reasons not to do this it sounds like something we should prioritize to help users access the content they want and avoid seeing them churn.
Comment 6•4 years ago
|
||
As per discussion with the crypto eng team I'll take a look at this and figure out at which layer we should do the redirection...
Comment 7•4 years ago
•
|
||
It looks like the only heuristic Chrome uses is the www. one. I think. The broader list of error heuristics from Comment 4 is for stuff like known MITM certs, a bad clock, captive portals etc. (Which are still valuable, just much more expansive.)
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Comment 8•4 years ago
|
||
Please note that we'd initially like to ship this as an A/B test to measure the retention impact this brings so can we please implement behind a pref?
Assignee | ||
Comment 9•4 years ago
|
||
(In reply to Romain Testard [:RT] from comment #8)
Please note that we'd initially like to ship this as an A/B test to measure the retention impact this brings so can we please implement behind a pref?
Sure, I can implement it behind a pref.
Assignee | ||
Comment 10•4 years ago
|
||
Comment 11•4 years ago
|
||
Pushed by prathikshaprasadsuman@gmail.com: https://hg.mozilla.org/integration/autoland/rev/8256833f2993 Fix URLs by prefixing www. when users encounter bad cert domain errors. r=nika,keeler
Comment 12•4 years ago
|
||
bugherder |
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Comment 13•4 years ago
|
||
Reproduced with Fx 75.0a1 on Windows 10.
Verified fixed with Fx 81.0a1 (2020-08-06) and Fx 80.0b4 with Windows 10 and Ubuntu 18.04.
Updated•4 years ago
|
Description
•