Closed Bug 251472 Opened 20 years ago Closed 20 years ago

URL bar can falsely show certificate as being valid for the site

Categories

(Firefox :: General, defect)

Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: major

Status: RESOLVED INVALID

People

(Reporter: raccettura, Assigned: bugzilla)

Attachments

(2 files)

I stumbled upon a somewhat dirty trick:

Start your browser and visit:
https://robert.accettura.com

You'll get that notice that the cert doesn't match the server.  It shows with a
lock with a line through it... all is good.

Now open a new tab, and copy/paste the following URL in:
https://robert.accettura.com/gallery

You don't get a notification that the cert doesn't match the server *but* it
shows the icon as a normal healthy icon.

It should still show the icon with a '/' through it, since it's the same site,
and same server... they don't match.


Screenshots forthcoming.

Attached image Second page in a tab

I can confirm with another way to show the problem.
If you get \gallery\ with the slashed icon, do a Ctrl+R (Reload) and the slashed
lock will change to the normal one.

The certificate not matching produces the warning, but the lock with the slash
through doesn't indicate anything about that.  The lock with the slash through
is because it's a secure page which has content (images) loaded from an insecure
location (some of the little buttons for blogshares and stuff).

The gallery page is all loaded from the secure server, so it's correct that it
has a full lock (and it gets the full lock if you just go straight to it).

The difference is between the content of the two pages - it's not the cert.

I think this is invalid.

To quote the Mozilla help page: "A broken lock means that some or all of the
elements within the page were not protected by encryption when the page was
received, even though the outermost HTML page was encrypted."

Once you say OK to the domain name mismatch on the certificate, that cert is
trusted until the browser is restarted.

Marking invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
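
The distinction the comments above settle on is that the lock icon tracks mixed content, not the certificate name check. The following is an added example, not part of the bug report and not Firefox's code: it models the quoted help-page rule by listing the subresources of an HTTPS page that resolve to plain `http://`. The hosts, markup and the `lock_state` labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch page content.
# <a href> is navigation, not content, so it never breaks the lock.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data",
}

class SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
            return
        attr = SUBRESOURCE_ATTRS.get(tag)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            attr = "href"
        if attr and attrs.get(attr):
            # Resolve relative and scheme-relative URLs against the page.
            self.urls.append(urljoin(self.base, attrs[attr].strip()))

def insecure_subresources(page_url, html):
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return [u for u in collector.urls if urlsplit(u).scheme == "http"]

def lock_state(page_url, html):
    """Model of the help-page rule; the certificate is not consulted at all."""
    if urlsplit(page_url).scheme != "https":
        return "none"
    return "broken" if insecure_subresources(page_url, html) else "full"

# Constructed sample pages: a front page with one http:// button image,
# and a gallery page whose content all comes over https.
FRONT_PAGE = ('<img src="/logo.png"><a href="http://other.example/">link</a>'
              '<img src="http://buttons.example/badge.gif">')
GALLERY_PAGE = ('<link rel="stylesheet" href="style.css"><img src="photos/1.jpg">'
                '<script src="//cdn.example/g.js"></script>')

if __name__ == "__main__":
    print(lock_state("https://site.example/", FRONT_PAGE))
    print(lock_state("https://site.example/gallery/", GALLERY_PAGE))
```

Both sample pages are served from the same constructed host, so any certificate warning would apply equally to each; only the first has an insecure subresource.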