Closed Bug 303952 Opened 16 years ago Closed 16 years ago

Security Error domain name mismatch is NOT an error if it's localhost. (SSH tunnel)


(Core Graveyard :: Security: UI, defect)

1.7 Branch
Not set


(Not tracked)



(Reporter: rn214, Assigned: KaiE)


User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050322
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050322

I just got this error message:

"Security error: Domain Name mismatch: You have attempted to establish a
connection with localhost. However the security certificate presented belongs to
"". It is possible that someone may be trying to intercept
your communication with this website...."

Fair enough, except that this is only occurring because I am using SSH port
forwarding via an untrusted WIFI network - thus I have told mozilla to talk to
localhost, and my SSH tunnel is connecting to the mailserver. (And so Mozilla
sees localhost with my mailserver's certificate - and complains).

Unfortunately, there's no way to work around it, and I get this message every
time I send mail, or when Moz checks for mail. And if it happens in a background
window, Moz just freezes until I find and dismiss it.

Reproducible: Always

Steps to Reproduce:
Set Mozilla up to send mail to: localhost:8025

Then, set up an ssh tunnel:


Can send mail, but Moz *always* complains.

Expected Results:  
I'd like an option to ignore security errors that result from localhost. Or
alternatively, a "don't ask me again" option for certain server/certificate
An ignore function is wontfix according to bug 205677 but Mozilla should only 
complain once per session.
Do you get this every time or once per session ?
Assignee: dveditz → kaie.bugs
Component: Security → Security: UI
Product: Mozilla Application Suite → Core
QA Contact: seamonkey
Version: unspecified → 1.7 Branch
Unfortunately, I get this every time - every time I send messages, and worse,
every time (ever 5 mins) when moz checks for mail, which causes the web-browser
to inexplicably hang until I find - and dismiss - the warning in a different window.

I can see the point about wontfixing the ignore, but presumably localhost could
be an exception? There is no way that anyone could create a man-in-the-middle
attack via localhost unless the localhost machine itself is compromised (in
which case you have bigger problems). Furthermore, anyone who is checking mail
on localhost probably knows what they are doing...
If we gave a free pass to localhost then you'd be vulnerable to someone
redirecting traffic to

A workaround on your end would be to put in your hosts file
as an alias for localhost and then leave your mail settings pointed at

If your mailserver already uses SSL (otherwise you wouldn't get the cert
mismatch warning) then why do you need to tunnel over ssh?
Thank you for your reply. (#3). Your workaround (editing /etc/hosts) is a good

As for why I need to tunnel the connections:
a)Not all mailservers (I have several accounts) are using SSL
[b)From a privacy perspective, it's desirable not to leak any information,
including the address of the mailserver itself. This way, I only need to
identify a single machine.]

> If we gave a free pass to localhost then you'd be vulnerable to someone
> redirecting traffic to

I'm not sure I understand this. Surely, in order to be vulnerable to this, I'd
already have to have a compromised localhost? And at that point, anything could
happen (eg keystroke logging, TCP/IP redirection,copying etc) 
IMHO we should not treat localhost different than other mismatches.

However, you might be interested in the discussion in bug 228684 which asks for a mechanism to permanently remember allowed mismatches.
Closed: 16 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.