Closed Bug 1617987 Opened 4 years ago Closed 4 years ago

https://magmalabs.io redirects to https://www.magmalabs.io in Chrome but not Firefox [SSLCommonNameMismatchHandling]

Categories

(Firefox :: Security, defect, P2)

Product:
Firefox
Component:
Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 80
Project Flags:
Webcompat Priority ?
Tracking Flags:
Tracking Status
firefox75 --- wontfix
firefox80 --- verified

People

(Reporter: cpeterson, Assigned: prathiksha)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: parity-chrome)

Attachments

(1 file)

Bug 1617987 - Fix URLs by prefixing www. when users encounter bad cert domain errors.
47 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce

  1. Load https://magmalabs.io/

Expected results

https://magmalabs.io/ should redirect to https://www.magmalabs.io/ like Chrome does using its SSLCommonNameMismatchHandling heuristics. Here is a 2016 blog post about Chrome's SSLCommonNameMismatchHandling:

https://medium.com/servertastic/chrome-testing-https-redirect-when-certificate-hostname-is-invalid-925f0974c72b

Actual results

https://magmalabs.io/ produces a TLS error in Firefox (and Safari and IE11):

Nightly does not trust this site because it uses a certificate that is not valid for magmalabs.io. The certificate is only valid for the following names: m.magmalabs.io, www.magmalabs.io

Error code: SSL_ERROR_BAD_CERT_DOMAIN

Firefox, Safari, and IE11 seem to be making a more conservative security stance here than Chrome, but this could be a webcompat problem for Firefox.

B.J. Herbison debugged in Chrome a bit and wrote:

I opened up the Network panel in https://magmalabs.io/ and saw a request for magmalabs.io appear in red with the message Failed, and then it loaded www.magmalabs.io and went on--and it cleared the previous entries as it does when it starts the display of a new page. So it gives up quickly, tries an alternative, and doesn't report the original error to the user.

Actually, going back to the console I find this:

Redirecting navigation magmalabs.io -> www.magmalabs.io because the server presented a certificate valid for www.magmalabs.io but not for magmalabs.io. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling

Chrome compat issue

Webcompat Priority: --- → ?
Keywords: parity-chrome
Component: Networking: HTTP → Security: PSM

PSM probably isn't the right place for this bug - this is a decision that needs to happen at a higher level.

Component: Security: PSM → Security
Product: Core → Firefox

I'm in favor of this. I can try to figure out if we have any objections internally, though.

Priority: -- → P2

Probably worth investigating what other HTTPS error heuristics Chrome may have implemented.

https://cs.chromium.org/chromium/src/components/security_interstitials/content/ssl_error_assistant.h

About 10M unique users experience a SSL_ERROR_BAD_CERT_DOMAIN error every month: https://sql.telemetry.mozilla.org/queries/70045/source#176450
These 10M users generate 78M SSL_ERROR_BAD_CERT_DOMAIN error page displays in a month: https://sql.telemetry.mozilla.org/queries/70046/source

This seems to be a great churn reduction opportunity, if there are no reasons not to do this it sounds like something we should prioritize to help users access the content they want and avoid seeing them churn.

As per discussion with the crypto eng team I'll take a look at this and figure out at which layer we should do the redirection...

Flags: needinfo?(jhofmann)

It looks like the only heuristic Chrome uses is the www. one. I think. The broader list of error heuristics from Comment 4 is for stuff like known MITM certs, a bad clock, captive portals etc. (Which are still valuable, just much more expansive.)

Assignee: nobody → prathikshaprasadsuman
Status: NEW → ASSIGNED

Please note that we'd initially like to ship this as an A/B test to measure the retention impact this brings so can we please implement behind a pref?

(In reply to Romain Testard [:RT] from comment #8)

Please note that we'd initially like to ship this as an A/B test to measure the retention impact this brings so can we please implement behind a pref?

Sure, I can implement it behind a pref.

Pushed by prathikshaprasadsuman@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/8256833f2993
Fix URLs by prefixing www. when users encounter bad cert domain errors. r=nika,keeler

https://hg.mozilla.org/mozilla-central/rev/8256833f2993

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox80: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 80
Regressions: 1653839
Regressions: 1653967
Flags: qe-verify?
Flags: qe-verify? → qe-verify+

Reproduced with Fx 75.0a1 on Windows 10.
Verified fixed with Fx 81.0a1 (2020-08-06) and Fx 80.0b4 with Windows 10 and Ubuntu 18.04.

Status: RESOLVED → VERIFIED
status-firefox80: fixedverified
Flags: qe-verify+
Flags: needinfo?(jhofmann)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: