URL bar can falsely show certificate as being valid for the site

Status: RESOLVED INVALID
Product: Firefox
Component: General
Priority: --
Severity: major
Reported: 14 years ago
Modified: 14 years ago
Reporter: raccettura
Assigned to: Blake Ross
Tracking flags: Not tracked
Attachments: 2

Description (Reporter, 14 years ago)
I stumbled upon a somewhat dirty trick:

Start your browser and visit:
https://robert.accettura.com

You'll get that notice that the cert doesn't match the server.  It shows with a
lock with a line through it... all is good.

Now open a new tab, and copy/paste the following URL in:
https://robert.accettura.com/gallery

You don't get a notification that the cert doesn't match the server *but* it
shows the icon as a normal healthy icon.

It should still show the icon with a '/' through it, since it's the same site,
and same server... they don't match.


Screenshots forthcoming.
Comment 1 (Reporter, 14 years ago)
Created attachment 153230 [details]
Loading first page of site
Comment 2 (Reporter, 14 years ago)
Created attachment 153231 [details]
Second page in a tab

Comment 3 (14 years ago)
I can confirm with another way to show the problem.
If you get \gallery\ with the slashed icon, do a Ctrl+R (Reload) and the slashed
lock will change to the normal one.

Comment 4 (14 years ago)
The certificate not matching produces the warning, but lock with the slash
through doesn't indicate anything about that.  The lock with the slash through
is because it's a secure page which has content (images) loaded from an insecure
location (some of the little buttons for blogshares and stuff).

The gallery page is all loaded from the secure server, so it's correct that it
has a full lock (and it gets the full lock if you just go straight to it).

The difference is between the content of the two pages - it's not the cert.

I think this is invalid.

Comment 5 (14 years ago)
To quote the Mozilla help page: "A broken lock means that some or all of the
elements within the page were not protected by encryption when the page was
received, even though the outermost HTML page was encrypted."

Once you say OK to the domain name mismatch on the certificate, that cert is
trusted until the browser is restarted.

Marking invalid.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → INVALID
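The distinction drawn in Comments 4 and 5 (a slashed lock means mixed content, not a certificate problem) can be checked mechanically. The following is an added example, not code from this bug report or from Firefox: it resolves each subresource reference against the page URL exactly as a browser would and reports whether any would be fetched over a non-secure scheme. The two reference lists are constructed to mirror the report (badge images over plain http on the front page, nothing insecure on the gallery page), and example.invalid is a placeholder host.

```javascript
// Added example (not from the bug report): decide whether an HTTPS page
// would get the "broken lock" because of insecure subresources.
// Runs under Node.js; uses only the built-in WHATWG URL API.

// Schemes that do not weaken an HTTPS page. Plain http: and ws: are not here.
const SECURE_SCHEMES = new Set(['https:', 'wss:', 'data:', 'blob:', 'about:']);

// Resolve one reference (relative, protocol-relative or absolute) against the
// page URL and classify the scheme it would actually be fetched with.
function classifySubresource(pageUrl, ref) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') {
    // Mixed content is only defined for a page that is itself secure.
    return { ref, resolved: null, status: 'page-not-secure' };
  }
  let resolved;
  try {
    resolved = new URL(ref, page); // "//host/x" inherits https:, "img/x" inherits origin
  } catch (e) {
    return { ref, resolved: null, status: 'unparseable' };
  }
  const status = SECURE_SCHEMES.has(resolved.protocol) ? 'secure' : 'insecure';
  return { ref, resolved: resolved.href, status };
}

// Audit a whole page: the lock is "broken" if any reference is insecure.
function auditPage(pageUrl, refs) {
  const results = refs.map((r) => classifySubresource(pageUrl, r));
  const insecure = results.filter((r) => r.status === 'insecure');
  return {
    lockState: insecure.length > 0 ? 'broken' : 'full',
    insecure: insecure.map((r) => r.resolved),
    results,
  };
}

// Constructed sample references, modeled on the two pages in the report.
const FRONT_PAGE_REFS = [
  '/style.css',                                   // same-origin, stays https
  'images/header.png',                            // relative, stays https
  '//robert.accettura.com/logo.png',              // protocol-relative, becomes https
  'http://example.invalid/badge.gif',             // constructed insecure badge image
  'data:image/gif;base64,R0lGODlhAQABAAAAACw=',   // inline data, not a network fetch
];
const GALLERY_PAGE_REFS = ['/gallery/style.css', 'thumbs/001.jpg'];

// Returns the lock state each page would show.
function demo() {
  const front = auditPage('https://robert.accettura.com/', FRONT_PAGE_REFS);
  const gallery = auditPage('https://robert.accettura.com/gallery', GALLERY_PAGE_REFS);
  return { front: front.lockState, gallery: gallery.lockState, frontInsecure: front.insecure };
}

console.log(demo());
```

The front page reports a broken lock solely because of the one http: badge, while the gallery page reports a full lock, which is the behaviour Comment 4 describes; neither result depends on the certificate at all, so a hostname mismatch accepted once would not change either answer.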