way to work around SSL domain mismatch should be provided
(Reporter: Jan, Unassigned)
10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv: Gecko/20080404 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9)Gecko/2008052906 Firefox/3.0

When visiting a misconfigured SSL site, often "domain mismatch" warnings appear. If visiting the domain (without a path), a good workaround (link in error message) is provided, which is great. However, if visiting single pages on a domain, the link does still point to the domain and not the URL. Example:
I want to visit https://google.com/adsense, I get the domain mismatch error, but the link points to https://google.com/ instead of https://google.com/adsense.

Just fixing the link is not a good idea (imagine a user visiting https://example.com/stupidlogin.php?user=me&pass=supersecret, getting spoofed and clicking a link to https://evilspoofer.com/stupidlogin.php?user=me&pass=supersecret).

These warnings are most often caused by a missing or additional "www." in front of the domain. I suggest adding an "evaluation" message inside the mismatch error that tells the user what the warning probably means. Examples:
- "[green icon] The certificate belongs to www.example.com, while you wanted to visit example.com. Probably everything is all right, as the only difference is the WWW. Click here to be redirected to www.example.com/the/path/the/user/wanted/, or click here to continue, ignoring this warning, or click here to abort." A checkbox to tell Firefox to remember the decision should be provided.

- "[yellow icon] The certificate belongs to www.example.com, while you wanted to visit shop.example.com. In certain cases, this might indicate an attack, for example if you are visiting a web site that allows users to put up their own web sites." (regular exception handling applies)

- "[red icon] The certificate belongs to paypla.ru, while you wanted to visit paypal.com. In most cases, this indicates an attack. You should not continue unless you are an experienced user, know what caused this warning, and know that both domains belong to one organization."

Reproducible: Always

Steps to Reproduce:
Visit https://google.com
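The three-tier evaluation proposed in this report, written out as an added example (not Firefox code and not the reporter's): it classifies the gap between the certificate's name and the requested host as green (only "www." differs), yellow (same registrable domain, different subdomain) or red (different domain). The registrable-domain check is a deliberate simplification that takes the last two labels; a real implementation would consult the Public Suffix List. `suggest_redirect` builds the "redirect to the path the user wanted" link only in the green case and, as an additional assumption, drops the query string so credentials in it are never forwarded.

```python
from urllib.parse import urlsplit, urlunsplit

GREEN, YELLOW, RED = "green", "yellow", "red"


def _labels(host):
    """Split a hostname into lowercase DNS labels."""
    return host.lower().rstrip(".").split(".")


def _registrable(host):
    # Simplification assumed here: registrable domain = last two labels.
    # A real implementation would use the Public Suffix List (e.g. "co.uk").
    return ".".join(_labels(host)[-2:])


def classify_mismatch(cert_host, requested_host):
    """Return 'green', 'yellow' or 'red'; None when the name actually matches."""
    cert = _labels(cert_host)
    req = _labels(requested_host)
    if cert == req:
        return None
    # A wildcard certificate (*.example.com) covers exactly one extra label.
    if cert[0] == "*" and len(cert) == len(req) and cert[1:] == req[1:]:
        return None
    strip_www = lambda labels: labels[1:] if labels[0] == "www" else labels
    if strip_www(cert) == strip_www(req):
        return GREEN          # only "www." differs
    if _registrable(cert_host) == _registrable(requested_host):
        return YELLOW         # same site, different subdomain (user-hosted?)
    return RED                # unrelated domain, e.g. paypla.ru vs paypal.com


def suggest_redirect(cert_host, url):
    """Green case only: same scheme, port and path on the certificate's host.
    The query string is dropped (assumption) so credentials are not forwarded."""
    parts = urlsplit(url)
    if parts.hostname is None or classify_mismatch(cert_host, parts.hostname) != GREEN:
        return None
    netloc = cert_host + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


if __name__ == "__main__":
    # Constructed sample pairs taken from the examples in the report above.
    for cert, wanted in [("www.example.com", "example.com"),
                         ("www.example.com", "shop.example.com"),
                         ("paypla.ru", "paypal.com")]:
        print(f"{cert:>16} vs {wanted:<18} -> {classify_mismatch(cert, wanted)}")
```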

Comment 1

10 years ago
The link points to <https://www.google.com>, not google.com

See also bug 364667, but that was WONTFIX'ed

Comment 2

10 years ago
That bug suggested completely ignoring the mismatch, while I just suggest a distinct error message. Remember, if users get used to the error because it happens too often, they will ignore it in all cases if they all look the same, and a user might miss the difference between www.paypal.com and www.paypla.com, while a computer does not.

This suggestion would:
- make clear how severe the difference is
- provide a clear warning on the most probable fraud cases
- avoid users getting used to the error in the "green" cases and ignoring the "red" cases too, by making them clearly distinct.

See also bug 402210.

Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.
Last Resolved: 7 years ago
Resolution: --- → INCOMPLETE