Closed Bug 1709302 Opened 2 years ago Closed 2 years ago

Invalid certificate risk can be accepted on HSTS site

Categories

(Core :: Security: PSM, defect)

Firefox 88
Desktop
All
defect

Tracking

()

RESOLVED DUPLICATE of bug 1704843

People

(Reporter: mozillaorg-f6mly5x6kj, Unassigned)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0

Steps to reproduce:

  1. visit https://www.mozilla.org to prime HSTS cache
  2. close browser
  3. verify SiteSecurityServiceState.txt contains www.mozilla.org
    www.google.com^firstPartyDomain=google-b-d.search.suggestions.mozilla:HSTS 0 18751 1651659557572,1,0,2
    incoming.telemetry.mozilla.org:HSTS 0 18751 1635891819359,1,0,2
    www.firefox.com^partitionKey=%28http%2Cmozilla.org%29:HSTS 0 18751 1651659179265,1,0,2
    www.mozilla.org^partitionKey=%28http%2Cmozilla.org%29:HSTS 0 18751 1635848051108,1,1,2
    aus5.mozilla.org:HSTS 0 18751 1651659747838,1,0,2
  4. edit hosts file to contain the following line
    8.8.8.8 www.mozilla.org
  5. open firefox
  6. visit https://www.mozilla.org/ (optionally refresh to ensure it's not loaded from cache)
  7. see Error code: SSL_ERROR_BAD_CERT_DOMAIN

Actual results:

The browser allows me to ignore the invalid certificate and "accept the risk".

Expected results:

On certificate errors with HSTS cached the browser should not allow the user to "accept the risk" as per https://tools.ietf.org/html/rfc6797#section-12.1.
This was also how I experienced this previously in Firefox.

OS: Unspecified → All
Hardware: Unspecified → Desktop

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Just tested a few older versions, this seems to be a regression since 85.0.
In 84.0.2 this works for me as expected, starting in 85.0 the behavior described above happens.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.