Invalid certificate risk can be accepted on HSTS site
Categories
(Core :: Security: PSM, defect)
People
(Reporter: mozillaorg-f6mly5x6kj, Unassigned)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Steps to reproduce:
- visit https://www.mozilla.org to prime HSTS cache
- close browser
- verify SiteSecurityServiceState.txt contains www.mozilla.org

www.google.com^firstPartyDomain=google-b-d.search.suggestions.mozilla:HSTS 0 18751 1651659557572,1,0,2
incoming.telemetry.mozilla.org:HSTS 0 18751 1635891819359,1,0,2
www.firefox.com^partitionKey=%28http%2Cmozilla.org%29:HSTS 0 18751 1651659179265,1,0,2
www.mozilla.org^partitionKey=%28http%2Cmozilla.org%29:HSTS 0 18751 1635848051108,1,1,2
aus5.mozilla.org:HSTS 0 18751 1651659747838,1,0,2

- edit hosts file to contain the following line

8.8.8.8 www.mozilla.org

- open firefox
- visit https://www.mozilla.org/ (optionally refresh to ensure it's not loaded from cache)
- see Error code: SSL_ERROR_BAD_CERT_DOMAIN
Actual results:
The browser allows me to ignore the invalid certificate and "accept the risk".
Expected results:
On certificate errors with HSTS cached the browser should not allow the user to "accept the risk" as per https://tools.ietf.org/html/rfc6797#section-12.1.
This was also how I experienced this previously in Firefox.
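As an added illustration (not code from this report or from Firefox), a small Python parser for SiteSecurityServiceState.txt lines like those quoted in the steps above, followed by the RFC 6797 section 12.1 decision the report expects: no "accept the risk" override for a host that is currently a known HSTS host. The field layout (expireTime, state with 1 meaning the policy is set, includeSubdomains flag, source) is my reading of the format and is an assumption.

```python
"""Parse SiteSecurityServiceState.txt-style HSTS lines and decide whether a
certificate-error override may be offered for a host (RFC 6797 section 12.1)."""
from dataclasses import dataclass

# The five lines quoted in the bug report, embedded here as sample input.
SAMPLE = """\
www.google.com^firstPartyDomain=google-b-d.search.suggestions.mozilla:HSTS 0 18751 1651659557572,1,0,2
incoming.telemetry.mozilla.org:HSTS 0 18751 1635891819359,1,0,2
www.firefox.com^partitionKey=%28http%2Cmozilla.org%29:HSTS 0 18751 1651659179265,1,0,2
www.mozilla.org^partitionKey=%28http%2Cmozilla.org%29:HSTS 0 18751 1635848051108,1,1,2
aus5.mozilla.org:HSTS 0 18751 1651659747838,1,0,2
"""

@dataclass
class HstsEntry:
    host: str               # origin host with any ^partitionKey/^firstPartyDomain suffix removed
    expiry_ms: int          # assumed: "expireTime" in milliseconds since the Unix epoch
    state: int              # assumed: 1 = HSTS policy set for this host
    include_subdomains: bool

def parse_state_file(text: str) -> list[HstsEntry]:
    """Turn each 'host:HSTS score lastAccess expiry,state,subdomains,source' line into an entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _score, _last_access, data = line.split()
        host, kind = key.split(":", 1)
        if kind != "HSTS":
            continue
        host = host.split("^", 1)[0]          # drop the storage-partitioning suffix
        expiry, state, sub, _source = data.split(",")
        entries.append(HstsEntry(host, int(expiry), int(state), sub == "1"))
    return entries

def is_hsts_host(host: str, entries: list[HstsEntry], now_ms: int) -> bool:
    """RFC 6797 section 8.2 matching: exact host, or a subdomain when includeSubDomains is set."""
    for e in entries:
        if e.state != 1 or e.expiry_ms <= now_ms:   # unset or expired policy does not count
            continue
        if host == e.host or (e.include_subdomains and host.endswith("." + e.host)):
            return True
    return False

def override_allowed(host: str, entries: list[HstsEntry], now_ms: int) -> bool:
    """Section 12.1: a known HSTS host gets a hard failure, never a click-through."""
    return not is_hsts_host(host, entries, now_ms)
```

Run against the sample with a timestamp before the expiry values and www.mozilla.org (and, because of its includeSubdomains flag, any subdomain of it) must not be offered an override, while a host with an expired entry may be.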
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•3 years ago
Just tested a few older versions; this seems to be a regression since 85.0.
In 84.0.2 this works for me as expected; starting in 85.0 the behavior described above happens.
Comment 3•3 years ago