Closed Bug 211934 Opened 22 years ago Closed 22 years ago

Misleading URL line with SSL obscures identity of rogue server - active exploits ongoing

Categories

(Core :: Security, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

VERIFIED DUPLICATE of bug 122445

People

(Reporter: erik, Assigned: security-bugs)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529

Got this URL in a text mail. When I pasted it into the URL line it appeared I was connected to the www.e-gold.com site and the SSL lock icon was active, but in fact I was connected to a completely different server. The web page that you are really connected to has been taken down now, so you can't see the effect any more.

This is an obvious security problem, esp. since the link was sent to me in an explicit attempt to get my password. I guess it's a problem with the ac= stuff, but that is very non-obvious to an end-user.

See also http://www.imakenews.com/emailresults/e_article000097314.cfm which describes an older version of the scam where the URL line was clearly wrong. Here it looks almost correct (you have to spot that there is no slash after ".com").

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Expected Results: Alerted the user, perhaps rewritten the URL line.
The Security Icon is correct because you are connected to an https server.

For the main problem: We have a release notes entry for that. Please read the release notes before you file a bug!

General Browser Issues

When browsing with many tabs open (more than 25), some tabs may stop responding. Workaround: use multiple browser windows.

If a username or password is embedded into a URI in the form of http://username:password@sitename.com, Mozilla will not warn the user of this when the user follows the link. URIs with long usernames in the form of http://www.mozilla.org%2084230482304982304329048230948@fraudsite.com could deceive users into thinking they were going to mozilla.org when they were really going to fraudsite.com. (Bug 122445)

*** This bug has been marked as a duplicate of 122445 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
VERIFIED/dupe: this sounds extra-problematic, because if the server has a cert that is in the root CA, then no warning will appear, since the hostname does match the cert values.
Status: RESOLVED → VERIFIED
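The check a mail gateway or link scanner would want for the userinfo trick described in the report and the quoted release note, as an added example that is not part of the bug or of Mozilla's code: it parses the URL, reports the host the browser will actually connect to, and flags a userinfo part that is shaped like a hostname or padded with encoded whitespace. The `fraudsite.com` and `sitename.com` URLs are the ones quoted above; the `203.0.113.5` sample is constructed to resemble the reporter's description, not the original link.

```python
import re
from urllib.parse import urlsplit, unquote

# A token shaped like a hostname: dotted labels ending in a 2+ letter TLD.
HOST_SHAPED = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$")


def inspect_url(url: str) -> dict:
    """Return the real destination host of a URL and whether its userinfo
    (the part before '@' in the authority) could mislead a reader."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()   # browser connects here
    has_userinfo = "@" in parts.netloc
    reasons = []
    if has_userinfo:
        raw_userinfo = parts.netloc.rpartition("@")[0]
        decoded = unquote(raw_userinfo)
        # Only the "username" half (before the first colon) is displayed.
        visible = decoded.split(":", 1)[0]
        tokens = visible.split()
        if tokens and HOST_SHAPED.match(tokens[0].lower()):
            reasons.append("userinfo looks like a hostname")
        if re.search(r"\s", decoded):
            reasons.append("userinfo contains whitespace padding")
    return {
        "real_host": real_host,
        "has_userinfo": has_userinfo,
        "looks_deceptive": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample inputs: two from the release note quoted in the bug,
# one clean URL, and one resembling the reporter's description.
SAMPLES = [
    "http://www.mozilla.org%2084230482304982304329048230948@fraudsite.com",
    "http://username:password@sitename.com",
    "https://www.e-gold.com/",
    "https://www.e-gold.com%20%20%20%20%20%20@203.0.113.5/acct",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_url(sample)
        flag = "DECEPTIVE" if result["looks_deceptive"] else "ok"
        print(f"{flag:9} host={result['real_host']!r} {result['reasons']}")
```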