Closed Bug 296110 Opened 20 years ago Closed 20 years ago

Accepting non-URL cert leads to 'status bar' confusion about domain name and CA statements

Categories

(Firefox :: Security, defect)

All
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 254745

People

(Reporter: iang, Unassigned)

Details

User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; FreeBSD) KHTML/3.4.0 (like Gecko)
Build Identifier:

When Firefox goes to a site that presents the wrong cert (as for example with a VHosts setup), Firefox detects that the cert is incorrect for this URL and indicates it is wrong with a popup dialog. The user then clicks through and accepts it (knowing that the cert is acceptable for this domain), so https is opened up on the site.

Then, two issues occur. In the status bar indicator (bottom right) instead of displaying the details about the certificate that is in use, it displays the host name that is in the URL. Further, a mouse-over displays "Signed by ThisCA" where ThisCA is the CA that signed the original cert.

The ideal statement would be something like "domain.name.com as signed by ThisCA." as that reflects the information in the certificate that the SSL is based upon.

Reproducible: Always

Steps to Reproduce:
1. Find a web server that does multiple SSL sites on one IP.
2. Go to one of the secondary web sites.
3. Click on OK when the warning occurs.
4. Examine the status bar.

Actual Results:
a. status bar shows the domain of the URL, not the domain in the cert.
b. mouse-over shows "Signed by ThisCA" where the CA is taken from the cert and there is no cert for the URL that is applicable.

Expected Results:
The status bar should display the domain name taken from the cert (perhaps as modified to wildcard processing), and should list the CA, perhaps as done with the mouse-over. If any of these things are wrong, then these should not be listed.

It may be possible for the user to override the browser's protections, but it should not be possible for the browser then to make incorrect certificate statements about SSL connections, especially where PKI is used to authorise the connections. Any statement made should be true.

So if a statement about a CA is made it must reflect the domain in the cert; anything else would be to challenge the use of PKI if a certificate was in use. Under PKI assumptions, stating that a domain is connected to under SSL is only valid when the certificate names that domain. Anything else must be treated as a potential attack, and even if the user instructs the browser to go ahead, the browser should not present false statements such as that there is a valid SSL session _to another domain_ in progress. IOW, even if the user overrides, the browser should fall back to displays and statements akin to self-signed certificates. The status bar indicator should operate as an independent check as distinct from the URL bar. The status bar should say "this is what you got" and the URL bar should say "this is what you wanted." Especially, when there is lots of URL processing, the cert information should be kept clean and honest.
*** This bug has been marked as a duplicate of 254745 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
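
The behaviour requested in this report, sketched as an added example (not Firefox code and not from the reporter): the indicator text is derived from the names in the certificate, and after an overridden mismatch it never pairs the URL host with the CA. The function names, the `cert` object shape and the sample hosts are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not Firefox internals.

// Match a host against one certificate name. A wildcard is honoured only as
// the whole left-most label, covers exactly one label, and is ignored for
// two-label names such as "*.com".
function nameMatches(certName, host) {
  const c = certName.toLowerCase().split(".");
  const h = host.toLowerCase().split(".");
  if (c.length !== h.length) return false;
  return c.every(
    (label, i) => (i === 0 && label === "*" && c.length > 2) || label === h[i]
  );
}

// Decide what the status-bar indicator may truthfully state.
//   urlHost      - host from the URL bar ("this is what you wanted")
//   cert         - { names: [...], issuer: "..." } ("this is what you got")
//   userOverride - true if the user clicked through the mismatch dialog
function indicatorStatement(urlHost, cert, userOverride) {
  if (cert.names.some((n) => nameMatches(n, urlHost))) {
    return {
      verified: true,
      label: urlHost,
      tooltip: `${urlHost} as signed by ${cert.issuer}`,
    };
  }
  if (!userOverride) {
    return { verified: false, label: "", tooltip: "Certificate name mismatch" };
  }
  // Overridden mismatch: show the name the certificate carries and say
  // plainly that it was not verified for the host in the URL.
  const certName = cert.names[0] || "(no name in certificate)";
  return {
    verified: false,
    label: `${certName} (does not match ${urlHost})`,
    tooltip: `Certificate is for ${certName}, signed by ${cert.issuer}; ` +
             `not verified for ${urlHost}`,
  };
}

// Constructed sample: a virtual-host setup serving one cert for two sites.
const sampleCert = { names: ["www.example.com"], issuer: "ThisCA" };
console.log(indicatorStatement("shop.example.net", sampleCert, true));
```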