274700 - misleading certificate host when domain mismatch

Status: RESOLVED DUPLICATE of bug 276533

(Core Graveyard :: Security: UI, defect)

Description

[Ralf Hauser]

Comment 1

[Ralf Hauser]

Attachment: domainMismatch.png

the correct URL of the site is https://bugs.privasphere.com:8443
When I open instead another site with the same certificate
(https://calimero.interway.ch:8443), initially, I get warned that there is a
domain mismatch, but then
in 0) 
- not the hostname of the certificate, but the one I opened for browsing is
shown
- there is not indication that there is a problem here ==> I would expect some
red exclamation mark that warns me about the domain mismatch and
double-clicking on it would bring back the original warning window
in 1) 
- the text again cites the hostname used and not the one in the certificate
- nor does it mention the problem with the domain-name-mismatch
- also "supports authentication of the page you are viewing": - as long as OCSP
is deactivated by default - this is quite misleading: The proper definition of
authentication includes "freshness" which is not given here (the cert in my
example is even expired - another reason for a red exlamation mark)! - better
would probably be to say "The website ... established an encrypted channel with
your browser" ...

Comment 2

[Jean-Marc Desperrier]

So two different problems here :

- *After* you've confirmed that you want to connect to the site despite an
invalid certificate, the security tab of the page info window will not remember
and list the problems there truly is with this page.

- The text in the security tab uses the word 'authentication' in a way you
consider improper. You suggest the reword it.

Comment 3

[Jean-Marc Desperrier]

I'll dupe this against bug 276533. 
This is really the same issue, the only differences are details about what to
change to handle this, and this is up to whoever decides to actually implement a
change.

*** This bug has been marked as a duplicate of 276533 ***