strange redirection to 123secu.com
Categories: Core :: DOM: Security, defect
People: Reporter: epistemepromeneur, Unassigned
References: Blocks 1 open bug
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Steps to reproduce:
openSuse 15.3
I click on "Site web"
firefox says this site is not secured by https.
I keep on going
cafedulevant.fr is displayed.
I browse several pages of this site.
I quit Firefox.
Later I want to go back to this site.
I launch FF, I type "cafedulevant.fr"
FF said that the certificate is not valid. I answered to keep going.
Actual results:
The site "123secu.com" is displayed instead of "cafedulevant.fr"
What is this site ?
Expected results:
The site "cafedulevant.fr" is displayed.
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•3 years ago
The web server is probably misconfigured. What happens if you go to http://cafedulevant.fr not https://cafedulevant.fr?
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #2)
> The web server is probably misconfigured. What happens if you go to
> http://cafedulevant.fr
> not https://cafedulevant.fr
> ?
"cafedulevant.fr" is well displayed.
Comment 5•3 years ago
In Chrome, are you visiting http://cafedulevant.fr or https://cafedulevant.fr?
In Chrome I just type "cafedulevant.fr".
Comment 7•3 years ago
When the site loads, does the url bar show a lock icon or a "not secure" indicator?
In Chrome there is no lock but a message saying "not secured".
The problem with Chrome or FF now is that, since I made several experiments, they are not in the same state as the first time I went to "cafedulevant.fr".
The two browsers go directly to "http://cafedulevant.fr" without any message or problem.
The first time I went to "cafedulevant.fr" with Chrome there was no message and no problem, contrary to FF.
Comment 9•3 years ago
What you described in comment 0 sounds like https-only mode.
Reporter
Comment 10•3 years ago
Yes FF mode is "https only mode"
Reporter
Comment 11•3 years ago
Thinking about this problem, I remember that I get a warning for some sites, saying "this site has no https", then FF connects to the site with https!
Comment 12•3 years ago
The "strange redirection" is user error, not a bug. I'm going to first explain that (and how to fix it), then write a separate comment about what might be worth investigating as a Firefox bug.
> I launch FF, I type "cafedulevant.fr"
> FF said that the certificate is not valid. I answered to keep going.
> Actual results:
> The site "123secu.com" is displayed instead of "cafedulevant.fr"
> What is this site ?
Because of https-only mode "cafedulevant.fr" turned into "https://cafedulevant.fr". That domain is hosted on a shared server with lots of sites, but the certificate is only valid for some of them. In the quote from comment 0 above I highlighted where things went wrong. In order to "keep going" you had to click the "Advanced" button, ignore the wall of text, and click "Accept the Risk and Continue". This is the risk -- that you don't end up on the site you wanted.
I've highlighted some relevant bits from the advanced details text:
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for cafedulevant.fr. The certificate is only valid for the following names: 123secu.com, artiday.com, artiday.fr, azimuts.online, exotic-fishing.fr, kitouni.com, lavaletteperigord.com, sigoules.lewebfrancais.fr, valeriebrand.com, vigneronsdesigoules.com, www.123secu.com, www.artiday.com, www.artiday.fr, www.azimuts.online, www.exotic-fishing.fr, www.kitouni.com, www.lavaletteperigord.com, www.valeriebrand.com, www.vigneronsdesigoules.com
A list of miscellaneous names like that is a clear mark of shared hosting. I don't know what server software that site is using, but it appears you accessed the virtual host requesting an origin (https://cafedulevant.fr) that didn't exist on the HTTPS portion of the server so it just picked one for you. I can reproduce getting 123secu.com when I follow your steps, and it's probably not coincidental that it's the first host listed in the certificate.
Nothing nefarious, just virtual hosting software passing you off to its default site when it couldn't figure out what you were asking for.
To remove this exception open Firefox's Settings (about:preferences), click on the "Privacy & Security" heading on the left, scroll near the bottom (just above HTTPS-only) where you should find a "View Certificates..." button. Click that button, then on "Servers" (the 4th tab if yours is in French). Click on the "cafedulevant.fr" line, click "Delete..." and then OK the next dialog. You can close settings. Because of connection caching you may still see this behavior until you restart Firefox if you've loaded the site in the current session.
Comment 13•3 years ago
START HERE
Here's the part that intrigues me as a possible Firefox bug in https-only, but I can't reproduce it unless I do a variation on what you said.
from comment 0 again (with commentary in italics)
> from https://www.tripadvisor.fr/Restaurant_Review-g187079-d5986567-Reviews-Cafe_du_Levant-Bordeaux_Gironde_Nouvelle_Aquitaine.html
> I click on "Site web"
> firefox says this site is not secured by https.
> I keep on going [this creates a temporary https-only override for this site]
> [the http: version of] cafedulevant.fr is displayed.
You followed a web page link and https-only is working as intended
> I quit Firefox. [this resets any temporary https-only overrides]
> I launch FF, I type "cafedulevant.fr"
> FF said that the certificate is not valid
I can't reproduce that. When I type "cafedulevant.fr" (no scheme!!) the https-only kicks in and I get the same behavior you got clicking the link from tripadvisor (this is the expected behavior).
If instead I explicitly type "https://cafedulevant.fr" then I do get the certificate error -- which is also expected! I explicitly asked for the secure site and Firefox will tell me it can't do that, but it's not going to try to talk me into using an insecure site. If I've asked for an insecure site then https-only will try to make it secure if it can, but if it can't it'll drop back to what you originally asked for.
My questions for you are:
- did you misremember, and you really typed "https://cafedulevant.fr" with the https scheme?
- is there something else upgrading requests from the address bar before https-only gets it? That could be an add-on (check about:support), or maybe some tweak Suse makes to their version of Firefox (you didn't say whether you use Firefox downloaded from Mozilla's site, or the one from openSuse).
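The behaviour explained in comments 12 and 13, as a simplified model in Python. This is an added example, not part of the bug thread and not Firefox or server code; the virtual-host lists, the function names and the rule that the server's first HTTPS virtual host is its default are assumptions made for illustration.

```python
# Simplified model of the shared-hosting + https-only behaviour in comments 12-13.
# Certificate names quoted in comment 12 (abridged to a few entries).
CERT_NAMES = ["123secu.com", "artiday.com", "www.123secu.com", "www.artiday.com"]
HTTPS_VHOSTS = ["123secu.com", "artiday.com"]     # assumed; first entry is the default
HTTP_VHOSTS = ["cafedulevant.fr", "123secu.com"]  # assumed; the cafe site is http-only


def cert_covers(host, names=CERT_NAMES):
    """Exact match, or single-label wildcard match, of host against cert names."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name == host:
            return True
        # "*.example.test" covers "a.example.test" but not "example.test".
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def served_site(scheme, host):
    """Virtual host the server picks; an unknown host gets the default site."""
    vhosts = HTTPS_VHOSTS if scheme == "https" else HTTP_VHOSTS
    return host if host in vhosts else vhosts[0]


def navigate(typed, https_only=True, cert_exceptions=(), allow_http_fallback=False):
    """Return (outcome, site shown) for an address-bar entry."""
    if "://" in typed:
        scheme, host = typed.split("://", 1)
    else:
        scheme, host = "http", typed              # no scheme typed
    host = host.strip("/")
    upgraded = scheme == "http" and https_only    # https-only upgrades http requests
    if scheme == "https" or upgraded:
        if cert_covers(host) or host in cert_exceptions:
            # TLS succeeds, so whatever the HTTPS server serves is displayed.
            return ("loaded", served_site("https", host))
        if not upgraded:
            return ("certificate error", None)    # explicit https: no downgrade
        if not allow_http_fallback:
            return ("https-only warning", None)   # user can choose to continue to http
    return ("loaded", served_site("http", host))
```

With a stored exception for cafedulevant.fr every entry form ends on the default HTTPS site, which is the state the certificate-exception removal in comment 12 undoes.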
Reporter
Comment 14•3 years ago
> did you misremember, and you really typed "https://cafedulevant.fr" with the https scheme?
I don't remember.
I will try again the experiment
Reporter
Comment 15•3 years ago
Thanks for all the explanations. I understand better the problem.
Reporter
Comment 16•3 years ago
After deleting all about the certificate of cafedulevant.fr in "ask OCSP..." settings and "http://cafedulevant.f" and "https://cafedulevant.fr" in "https_only" mode settings
I relaunch FF and I type "cafedulevant.fr" then FF goes to "123secure.com"
then
I relaunch FF and I type "https://cafedulevant.fr" then FF goes to "123secure.com"
then
I type "http://cafedulevant.fr" then FF goes to "123secure.com"
then
I disable "https only" mode
then
I type "cafedulevant.fr" then FF goes to "cafedulevant.fr"
There is a true problem with "https only" mode. With it, we can't reach "cafedulevant.fr".
I installed "https everywhere" again and disabled "https only" mode.
Comment 17•3 years ago
> After deleting all about the certificate of cafedulevant.fr in "ask OCSP..." settings and "http://cafedulevant.f" and "https://cafedulevant.fr" in "https_only" mode settings
> ...
> I relaunch FF and I type "https://cafedulevant.fr" then FF goes to "123secure.com"
If you really cleared the right things then you should get a certificate error at this point, with or without https-only mode turned on (because this is already https://). Please get yourself to a state where you get the certificate error page, and do NOT add the exception, before testing https only mode on this site.
Reporter
Comment 18•2 years ago
There is no more problem with the site.
We can close this report.