Closed Bug 251472 Opened 21 years ago Closed 21 years ago

URL bar can falsely show certificate as being valid for the site

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
major

RESOLVED INVALID

People

(Reporter: raccettura, Assigned: bugzilla)

Attachments

(2 files)

I stumbled upon a somewhat dirty trick: Start your browser and visit: https://robert.accettura.com You'll get that notice that the cert doesn't match the server. It shows with a lock with a line through it... all is good. Now open a new tab, and copy/paste the following URL in: https://robert.accettura.com/gallery You don't get a notification that the cert doesn't match the server *but* it shows the icon as a normal healthy icon. It should still show the icon with a '/' through it, since it's the same site, and same server... they don't match. Screenshots forthcoming.
Attached image Second page in a tab
I can confirm with another way to show the problem. If you get \gallery\ with the slashed icon, do a Ctrl+R (Reload) and the slashed lock will change to the normal one.
The certificate not matching produces the warning, but the lock with the slash through doesn't indicate anything about that. The lock with the slash through is because it's a secure page which has content (images) loaded from an insecure location (some of the little buttons for blogshares and stuff). The gallery page is all loaded from the secure server, so it's correct that it has a full lock (and it gets the full lock if you just go straight to it). The difference is between the content of the two pages - it's not the cert. I think this is invalid.
To quote the Mozilla help page: "A broken lock means that some or all of the elements within the page were not protected by encryption when the page was received, even though the outermost HTML page was encrypted." Once you say OK to the domain name mismatch on the certificate, that cert is trusted until the browser is restarted. Marking invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
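
The distinction drawn in the comments above (a slashed lock reports insecure subresources on an encrypted page, not a certificate mismatch) can be checked offline. The following is an added example, not part of the bug report or of Mozilla's code: a Python sketch that lists the subresources an https page would fetch over plain http. The hostnames and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource on page load.
# <a href> is navigation, not a subresource, so it is deliberately absent.
FETCHING = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
            "audio": "src", "video": "src", "source": "src",
            "object": "data", "link": "href"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.insecure = []  # (tag, absolute URL) pairs fetched over http

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])  # <base> changes resolution
            return
        ref = attrs.get(FETCHING.get(tag, ""))
        if not ref:
            return
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if not {"stylesheet", "icon"} & set(rel):
                return  # e.g. rel="canonical" is never fetched
        url = urljoin(self.base, ref.strip())
        if urlsplit(url).scheme == "http":
            self.insecure.append((tag, url))

def find_mixed_content(page_url, html):
    """Return subresources an https page would load over plain http."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for secure pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure

# Constructed sample pages (not the markup of the site in the report).
FRONT_PAGE = """<html><head><link rel="stylesheet" href="/style.css"></head>
<body><img src="/photo.jpg"><a href="http://other.example/">link</a>
<img src="http://buttons.example/blogshares.png"></body></html>"""
GALLERY_PAGE = """<html><body><img src="thumbs/1.jpg">
<script src="//static.site.example/gallery.js"></script></body></html>"""

if __name__ == "__main__":
    print(find_mixed_content("https://site.example/", FRONT_PAGE))
    print(find_mixed_content("https://site.example/gallery", GALLERY_PAGE))
```

The first page yields one insecure image and the second yields none, which matches the two lock states described in the report even though both pages are served under the same certificate.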