Accepting non-URL cert leads to 'status bar' confusion about domain name and CA statements




13 years ago
13 years ago


(Reporter: Ian Grigg, Unassigned)


Firefox Tracking Flags

(Not tracked)





13 years ago
User-Agent:       Mozilla/5.0 (compatible; Konqueror/3.4; FreeBSD) KHTML/3.4.0 (like Gecko)
Build Identifier: 

When Firefox goes to a site that presents the wrong cert (as for example with a  
VHosts setup), Firefox detects that the cert is incorrect for this URL and  
indicates it is wrong with a popup dialog. The user then clicks through and 
accepts it (knowing that the cert is acceptable for this domain), so https is 
opened up on the site.  Then, two issues occur.  
In the status bar indicator (bottom right) instead of displaying the details  
about the certificate that is in use, it displays the host name that is in the  
Further, a mouse-over displays "Signed by ThisCA" where ThisCA is the CA that 
signed the original cert. 
The ideal statement would be something like " as signed by  
ThisCA." as that reflects the information in the certificate that the SSL is  
based upon.  

Reproducible: Always

Steps to Reproduce:
1.  Find a web server that does multiple SSL sites on one IP. 
2.  Go to one of the secondary web sites. 
3.  Click on OK when the warning occurs. 
4.  Examine the status bar. 
Actual Results:  
a. status bar shows the domain of the URL, not the domain in the cert. 
b. mouse-over shows "Signed by ThisCA" where the CA is taken from the cert and 
there is no cert for the URL that is applicable. 

Expected Results:  
The status bar should display the domain name taken from the cert (perhaps as  
modified to wildcard processing), and should list the CA, perhaps as done with  
the mouse-over. 
If any of these things are wrong, then these should not be listed.  It may be  
possible for the user to override the browser's protections, but it should not  
be possible for the browser then to make incorrect certificate statements about  
SSL connections, especially where PKI is used to authorise the connections. 

Any statement made should be true.  So if a statement about a CA is made it       
must reflect the domain in the cert;  anything else would be to challenge the 
use of PKI if a certificate was in use.  Under PKI assumptions, stating that a      
domain is connected to under SSL is only valid when the certificate names that      
domain.  Anything else must be treated as a potential attack, and even if the      
user instructs the browser to go ahead, the browser should not present false      
statements such as that there is a valid SSL session _to another domain_ in      
IOW, even if the user overrides, the browser should fall back to displays and 
statements akin to self-signed certificates.      
The status bar indicator should operate as an independent check as distinct 
from the URL bar.  The status bar should say "this is what you got" and the URL 
bar should say "this is what you wanted."  Especially, when there is lots of 
URL processing, the cert information should be kept clean and honest.

*** This bug has been marked as a duplicate of 254745 ***
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.