303952 - Security Error domain name mismatch is NOT an error if it's localhost. (SSH tunnel)

Status: RESOLVED WONTFIX

(Core Graveyard :: Security: UI, defect)

Description

[Richard Neill]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050322
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050322

I just got this error message:

"Security error: Domain Name mismatch: You have attempted to establish a
connection with localhost. However the security certificate presented belongs to
"smtp.mymailserver.com". It is possible that someone may be trying to intercept
your communication with this website...."

Fair enough, except that this is only occurring because I am using SSH port
forwarding via an untrusted WIFI network - thus I have told mozilla to talk to
localhost, and my SSH tunnel is connecting to the mailserver. (And so Mozilla
sees localhost with my mailserver's certificate - and complains).

Unfortunately, there's no way to work around it, and I get this message every
time I send mail, or when Moz checks for mail. And if it happens in a background
window, Moz just freezes until I find and dismiss it.





Reproducible: Always

Steps to Reproduce:
Set Mozilla up to send mail to: localhost:8025

Then, set up an ssh tunnel:

ssh -L8025:smtp.mymailserver.com:25 me@mytrustedgateway.com

Can send mail, but Moz *always* complains.



Expected Results:  
I'd like an option to ignore security errors that result from localhost. Or
alternatively, a "don't ask me again" option for certain server/certificate
mis-matches.

Comment 1

[Matthias Versen [:Matti]]

An ignore function is wontfix according to bug 205677 but Mozilla should only 
complain once per session.
Do you get this every time or once per session ?

Comment 2

[Richard Neill]

Unfortunately, I get this every time - every time I send messages, and worse,
every time (ever 5 mins) when moz checks for mail, which causes the web-browser
to inexplicably hang until I find - and dismiss - the warning in a different window.

I can see the point about wontfixing the ignore, but presumably localhost could
be an exception? There is no way that anyone could create a man-in-the-middle
attack via localhost unless the localhost machine itself is compromised (in
which case you have bigger problems). Furthermore, anyone who is checking mail
on localhost probably knows what they are doing...

Comment 3

[Daniel Veditz [:dveditz]]

If we gave a free pass to localhost then you'd be vulnerable to someone
redirecting smtp.mailserver.com traffic to fakemail.com.

A workaround on your end would be to put smtp.mailserver.com in your hosts file
as an alias for localhost and then leave your mail settings pointed at
smtp.mailserver.com.

If your mailserver already uses SSL (otherwise you wouldn't get the cert
mismatch warning) then why do you need to tunnel over ssh?

Comment 4

[Richard Neill]

Thank you for your reply. (#3). Your workaround (editing /etc/hosts) is a good
suggestion. 

As for why I need to tunnel the connections:
a)Not all mailservers (I have several accounts) are using SSL
[b)From a privacy perspective, it's desirable not to leak any information,
including the address of the mailserver itself. This way, I only need to
identify a single machine.]

> If we gave a free pass to localhost then you'd be vulnerable to someone
> redirecting smtp.mailserver.com traffic to fakemail.com.

I'm not sure I understand this. Surely, in order to be vulnerable to this, I'd
already have to have a compromised localhost? And at that point, anything could
happen (eg keystroke logging, TCP/IP redirection,copying etc) 

Comment 5

[Kai Engert [:KaiE:]]

IMHO we should not treat localhost different than other mismatches.

However, you might be interested in the discussion in bug 228684 which asks for a mechanism to permanently remember allowed mismatches.