Closed Bug 432491 Opened 12 years ago Closed 12 years ago

Hyperlinked ssl error page not useful for wildcards

Categories

(Core Graveyard :: Security: UI, defect)

defect
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: johnath, Assigned: johnath)

References

()

Details

Attachments

(1 file, 1 obsolete file)

IF a site uses a wildcard cert ("*.example.com")...
AND the cert is not valid for the domain itself ("example.com")...
AND the user attempts to https://example.com/ directly...

we will show an ssl error for the domain name mismatch.  In some cases, bug 402210 will cause the error page to be hyperlinked, which means that we will try to hyperlink "*.example.com" which doesn't work very well, since "*.example.com" doesn't resolve to anything.

We should probably special case that, since it's a known pattern in certs, and either:

a) Not hyperlink at all in that case
b) Hyperlink to 'www' instead, since that's the most-likely-to-be-useful link.

An example of a site with this problem is (ahem): https://mozilla.com/
Of the two options, I'd rather we s/*/www/ in these cases, since then we're doing something useful for the user.
Duplicate of this bug: 432494
Attached patch replace /^\*/ with "www" (obsolete) — Splinter Review
(In reply to comment #1)
> Of the two options, I'd rather we s/*/www/ in these cases, since then we're
> doing something useful for the user.

I agree.  Attached one-liner to make the substitution.  Tagging gavin for review since he received biesi's punted review on the original in bug 402210,  but this isn't a blocker, so I fully expect it to be low on the priority list.
Attachment #319644 - Flags: review?(gavin.sharp)
I would vote for for (a).

Using "www" is a blind guess, which can result in an invalid link, too.
If the server uses a wildcard cert, it says the destination is operating many servers, and we don't know where the user intended to go.

Does it really help to enable a user to go "somewhere"?
Comment on attachment 319644 [details] [diff] [review]
replace /^\*/ with "www"

>Index: docshell/resources/content/netError.xhtml

>+        // If okHost is a wildcard domain ("*.example.com") let's
>+        // use "www" instead.  "*.example.com" isn't going to
>+        // get anyone anywhere useful. bug 432491
>+        okHost = okHost.replace(/^\*/, "www");

Use /^\*\./ to be safe?

nit: also don't add unneeded whitespace on that blank line.
Attachment #319644 - Flags: review?(gavin.sharp) → review+
Look at this page for example:
http://support.microsoft.com/kb/258858
search for "accepted wildcard examples"

Your patch will still generate a nonworking hyperlink for wildcards like w*.example.com

I propose: if * found in name, do not hyperlink
(In reply to comment #6)
> Your patch will still generate a nonworking hyperlink for wildcards like
> w*.example.com

I was told that w*.example.com is not a valid wildcard. Do CAs actually issue such certs?
Beware of the MS KB article cited in comment 6. 
Some of the "Accepted Wildcard examples" don't work in IE 
and don't follow the RFC.

I have a few questions about the new links that now sometimes appear in 
host name mismatch pages.  

Q1) If I follow a link to (say) 
  https://example.com/some_big_long_complicated_URI
and get a host name mismatch page with a hyperlink, will that hyperlink be to 
  https://www.example.com/
or will be it to 
  https://www.example.com/some_big_long_complicated_URI 
?

Q2) If I submit a form that POSTS to that same URL given above, 
will the link rePOST the data to that corresponding www. URL?  
(In reply to comment #8)
> Q1) If I follow a link to (say) 
>   https://example.com/some_big_long_complicated_URI
> and get a host name mismatch page with a hyperlink, will that hyperlink be to 
>   https://www.example.com/
> or will be it to 
>   https://www.example.com/some_big_long_complicated_URI 
> ?

The former.

> Q2) If I submit a form that POSTS to that same URL given above, 
> will the link rePOST the data to that corresponding www. URL?  

No.
In reply to comment 7,
Gavin, there is much discussion about acceptable wildcard forms in 
bug 159483.  See especially bug 159483 comment 3 and bug 159483 comment 9,
both of which quote brief passages from the relevant RFCs.  

w*.example.com fits the specification and examples in RFC 2818.
RFC gives f*.com as an example. (:-/)  

As to actual CA practice, I don't know of any CAs that offer wildcards
in any form other than *.domain
Just to be clear, the current patch only affects wildcards with a leading "*", so "w*.example.com" will not be affected. "*foo.example.com" is currently affected by the patch (hyperlink becomes "wwwfoo.example.com"), but will not be affected if Johnathan makes the change I suggested.
Can someone explain why a certificate that is valid for *.foo.tld should not be accepted for foo.tld? It seems to be a really common mistake.
(In reply to comment #5)
> (From update of attachment 319644 [details] [diff] [review])
> >Index: docshell/resources/content/netError.xhtml
> 
> >+        // If okHost is a wildcard domain ("*.example.com") let's
> >+        // use "www" instead.  "*.example.com" isn't going to
> >+        // get anyone anywhere useful. bug 432491
> >+        okHost = okHost.replace(/^\*/, "www");
> 
> Use /^\*\./ to be safe?

Done (with the obvious "www"->"www." change as well.

> nit: also don't add unneeded whitespace on that blank line.

Done.

(In reply to comment #11)
> Just to be clear, the current patch only affects wildcards with a leading "*",
> so "w*.example.com" will not be affected. "*foo.example.com" is currently
> affected by the patch (hyperlink becomes "wwwfoo.example.com"), but will not be
> affected if Johnathan makes the change I suggested.

Right, this will only "fix" leading wildcards.  Sites using foo*bar.*.baz certificates can wallow in their edge-case-itude.

(In reply to comment #6)
> I propose: if * found in name, do not hyperlink

I hear what you're saying, Kai, that hyperlinking here may still lead them nowhere, but "www" does enjoy sort of special status on the web as a "substantially more likely than most" target for a given domain.  I feel like the assistance we offer much of the time by hyperlinking outweighs the concern that, in the other cases, we will continue to be unhelpful.

(In reply to comment #12)
> Can someone explain why a certificate that is valid for *.foo.tld should not be
> accepted for foo.tld? It seems to be a really common mistake.

Because the CA didn't issue that certificate.  We have to trust what the CAs say and this cert is not listing, e.g., "mozilla.com" as one of the things that is verified.  Stupid, I agree, but certificate holders should take it up with their CA if they think that they aren't getting the product they bought.  We don't want to be in the business of second-guessing the CN/subjectAltName fields, imo.
Attachment #319644 - Attachment is obsolete: true
Attachment #319779 - Flags: review+
Comment on attachment 319779 [details] [diff] [review]
With review comments

a1.9=beltzner
Attachment #319779 - Flags: approval1.9+
Checking in docshell/resources/content/netError.xhtml;
/cvsroot/mozilla/docshell/resources/content/netError.xhtml,v  <--  netError.xhtml
new revision: 1.31; previous revision: 1.30
done
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.