HTTPS Only Mode - Upgrade error when visiting international Facebook TLDs
Categories: Core :: DOM: Security, defect, P2
Reporter: julianwels, Unassigned
References: Blocks 1 open bug
Whiteboard: [domsecurity-active]
Attachments: 1 file (105.92 KB, image/png)
When dom.security.https_only_mode is enabled, visiting international top-level domains of Facebook, like facebook.fr, facebook.de or facebook.ca, will result in an error page.

Servers handling requests to these domains support HTTPS but use a certificate that is not valid for these domains. This causes the error SSL_ERROR_BAD_CERT_DOMAIN.

Normally Facebook would redirect users from http://facebook.fr/ to https://fr-fr.facebook.com/.
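SSL_ERROR_BAD_CERT_DOMAIN means the handshake itself succeeded but none of the certificate's dNSName entries matched the host in the URL bar. The following is an added example (not code from this bug or from Firefox) showing the name check that fails here: a wildcard matcher over the dict shape that Python's ssl.SSLSocket.getpeercert() returns, plus an optional live probe. The certificate contents in CONSTRUCTED_CERT are made up for illustration and are not the real certificate served for these domains.

```python
"""Added example: why a certificate valid for facebook.com is not valid for facebook.fr.

The certificate dict below is constructed for illustration only; the real server
certificate is not reproduced here.
"""
import socket
import ssl


def hostname_matches(hostname, san_dns_names):
    """Return True if hostname is covered by one of the dNSName entries.

    A wildcard only covers a single left-most label (www.facebook.com),
    never the bare parent domain (facebook.com) or deeper names (a.b.facebook.com).
    """
    host = hostname.lower().rstrip(".")
    for pattern in san_dns_names:
        pat = pattern.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*."):
            suffix = pat[1:]                 # "*.facebook.com" -> ".facebook.com"
            if host.endswith(suffix):
                left = host[:-len(suffix)]   # the part the wildcard has to cover
                if left and "." not in left:
                    return True
    return False


def san_dns_names(cert):
    """Pull the DNS entries out of a getpeercert()-style dict."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed certificate for the example (assumption, not Facebook's actual cert):
# valid for facebook.com and one level of subdomain, nothing else.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "*.facebook.com"),),),
    "subjectAltName": (
        ("DNS", "*.facebook.com"),
        ("DNS", "facebook.com"),
    ),
}


def name_mismatch(hostname, cert=CONSTRUCTED_CERT):
    """True when a browser would raise a bad-cert-domain error for this host."""
    return not hostname_matches(hostname, san_dns_names(cert))


def live_check(hostname, port=443, timeout=5.0):
    """Single TLS handshake with full name verification; (ok, reason).

    Not used by the offline example above; run it yourself against a host to
    see the same mismatch the browser reports.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return True, "certificate valid for " + hostname
    except ssl.SSLCertVerificationError as err:
        return False, err.verify_message or str(err)
    except OSError as err:
        return False, str(err)


if __name__ == "__main__":
    for host in ("facebook.fr", "fr-fr.facebook.com", "facebook.com", "a.b.facebook.com"):
        print(host, "-> mismatch" if name_mismatch(host) else "-> ok")
```

The matcher deliberately refuses to let `*.facebook.com` cover `facebook.com` or a two-label prefix; that is the behaviour browsers implement, so a certificate that only lists `*.facebook.com` and `facebook.com` cannot satisfy a connection to `facebook.fr` no matter how the server is configured.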
Comment 1•5 years ago
I think this is an example of HTTPS Only Mode working correctly. :) An insecure connection could be used to redirect the user to a fake Facebook site and potentially steal a password, so it's good that we show this warning to users.
The best solution would be if Facebook can fix the certificates for these domains.
Comment 2•5 years ago
Can we raise this as some kind of webcompat issue to Facebook and other such sites, maybe? While we might be the first to probe these waters, this is clearly where the ecosystem is heading, so they really should plan to do secure redirects from these hosts.
Comment 3•5 years ago
It's also quite possible that in this particular case, these TLDs are managed by a third-party trademark-management service, and we just need to alert the right folks they need to remember they exist. :)
Comment 4•5 years ago
Comment 5•5 years ago
I just noticed that, when HTTPS Only Mode is enabled, while facebook.fr shows the HTTPS Only Mode error page, facebook.de shows a much scarier error page (see attached). I wonder if it would be appropriate to make it easier to click through this error, especially in HTTPS Only Mode, which is the actual reason we are stopping the user here.
Comment 6•5 years ago
I think we'd have to make a whitelist. The error is rather important, as it's saying "you navigated to YourBank, but this server can only prove it is for HonestJamesUsedCarsAndCertificates, which isn't YourBank. Do you want to continue as-if this really is YourBank?" which should indeed be scary.
This should be reasonably easy for Facebook to fix.
Comment 7•5 years ago
I agree that Facebook should fix this error. But according to our telemetry, this error is the most common error seen when HTTPS-Only Mode is enabled.
In the Facebook case we are seeing this error only because HTTPS-Only Mode is enabled. With HTTPS-Only Mode disabled, users who enter "facebook.de" (without a scheme) would simply be taken to the HTTP version of facebook.de and the redirect would happen without any warning at all.
I wonder in general if we can distinguish two situations when a user enters "facebook.de" (with no scheme):
(1) The warning will be seen by every user
(2) The warning will only be seen in HTTPS-Only Mode
In case (2), it would be ideal if we could show only the HTTPS-Only Mode error page, thereby making it somewhat easier for users to understand that HTTPS Only Mode is responsible, and simpler to click through to their destination (by sending them to the HTTP version of facebook.fr).
To distinguish (1) and (2) we could run an HTTP test request in the background to see if the HTTP version is available. If it is unavailable, or redirects back to the HTTPS version, then we are in case (1); if it is available, then we are in case (2).
Comment 8•5 years ago
Just to be clear, it would be only a single request, set to not follow redirects, and checking where the redirect would be to?
Seems reasonable to me.
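The background probe sketched in Comments 7 and 8, as an added example that is not part of the bug or of Firefox: one plain-HTTP request that does not follow redirects, then a decision on the status code and the Location target. A redirect to the HTTPS version of the same host (or no HTTP at all) means every user would hit the warning, case (1); a 2xx response, or a redirect to some other site such as fr-fr.facebook.com, means only HTTPS-Only Mode is stopping the user, case (2). The fixture responses are constructed for the example; only the facebook.fr redirect target is taken from the bug description. The Case names, ProbeResult shape and the live_fetch helper are my own assumptions.

```python
"""Added example: classify a scheme-less hostname with a single non-following HTTP probe.

Fixture responses are constructed; they do not reflect what any real server returns today.
"""
import http.client
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import urlsplit


class Case(Enum):
    EVERY_USER = 1        # HTTP unavailable or bounces to HTTPS of the same host: warn everyone
    HTTPS_ONLY_MODE = 2   # plain HTTP works: only HTTPS-Only Mode is stopping the user


@dataclass
class ProbeResult:
    status: Optional[int]           # None models a connection failure / timeout
    location: Optional[str] = None  # Location header, if any


def classify(host, result):
    """Decide case (1) or (2) from one HTTP response, redirects not followed."""
    if result.status is None:
        return Case.EVERY_USER                      # no HTTP at all
    if 300 <= result.status < 400 and result.location:
        target = urlsplit(result.location)
        same_host = (target.hostname or host).lower() == host.lower()
        if target.scheme.lower() == "https" and same_host:
            return Case.EVERY_USER                  # http://host -> https://host, which fails anyway
        return Case.HTTPS_ONLY_MODE                 # redirect elsewhere, e.g. to fr-fr.facebook.com
    if 200 <= result.status < 300:
        return Case.HTTPS_ONLY_MODE                 # HTTP serves content directly
    return Case.EVERY_USER                          # 4xx/5xx: HTTP not usable either


# Constructed fixtures (assumption): what the probe might see for a few hosts.
FIXTURES = {
    "facebook.fr": ProbeResult(301, "https://fr-fr.facebook.com/"),   # redirect from the bug description
    "hsts-site.test": ProbeResult(301, "https://hsts-site.test/"),    # bounces to its own HTTPS
    "plain-http.test": ProbeResult(200),                              # serves over HTTP
    "offline.test": ProbeResult(None),                                # connection refused
}


def fake_fetch(host):
    """Offline stand-in for the network probe."""
    return FIXTURES.get(host, ProbeResult(None))


def live_fetch(host, timeout=5.0):
    """Single GET to http://host/ with no redirect following (http.client never follows)."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return ProbeResult(resp.status, resp.getheader("Location"))
    except OSError:
        return ProbeResult(None)


def decide(host, fetch=fake_fetch):
    return classify(host, fetch(host))


if __name__ == "__main__":
    for host in FIXTURES:
        print(host, "->", decide(host).name)
```

Note the probe is itself a cleartext request to the very host the user typed; the point of not following redirects is that the probe never carries the user anywhere, it only tells the error page which message to show. A relative Location such as /login stays on plain HTTP and therefore lands in case (2).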
Comment 9•5 years ago
My contact at Facebook reports that folks there are working on this, but there's no ETA yet (hopefully soonish).
Comment 11•2 years ago
Just typed in firefox.fr and firefox.de, and both of them still result in an error page when HTTPS-Only mode is enabled.