Larry popup should show full hostname, not just the domain, as this heuristic can be misleading

Status: NEW (Unassigned)
Product: Firefox
Component: Security
Priority: --
Severity: minor
Reported: 10 years ago
Last modified: 3 years ago
Reporter: Guenther Starnberger
Firefox Tracking Flags: Not tracked

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0

It seems that the small window that displays information about an SSL certificate (when you click on the left side of the address bar) uses a simple heuristic to determine the domain name to which the user is connected.

E.g. on https://gst.priv.at/ I have a certificate that was issued to "*.gst.priv.at", "gst.priv.at" and a few other domains. It was NOT issued to "priv.at". However, when opening the SSL information, Firefox writes: "Sie sind verbunden mit priv.at" (in the English version this sentence should be similar to: "You are connected with priv.at").

Instead of trying to determine the main domain name of the site, Firefox should show the name to which the certificate was actually issued (or, if there are multiple matching names in a certificate, the "best" matching name).

Reproducible: Always

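The description contrasts two things: the name the certificate was actually issued to (found by matching the connected hostname against the certificate's names, with wildcards) and a "main domain" guess that reduces gst.priv.at to priv.at. The following is an added illustration, not Firefox code: the certificate name list is constructed from the names quoted in the report, and base_domain_heuristic is an assumed naive stand-in for whatever heuristic Firefox used, chosen only because it reproduces the "priv.at" result described.

```python
"""Certificate name matching versus a base-domain guess (added example)."""
from typing import List, Optional

# Constructed sample: the dNSName entries the reporter says the certificate
# carries. Not a real certificate dump; the third name is an assumption.
SAMPLE_CERT_NAMES = ["*.gst.priv.at", "gst.priv.at", "other.example"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.

    Case-insensitive; a wildcard is only accepted as the entire leftmost
    label, must be followed by at least two labels ('*.at' is rejected),
    and matches exactly one label ('*.gst.priv.at' does not match
    'a.b.gst.priv.at' or the bare 'gst.priv.at').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def best_matching_name(cert_names: List[str], hostname: str) -> Optional[str]:
    """Return the certificate name to display for this hostname.

    An exact match wins over a wildcard match; among wildcards the one
    with more labels (more specific) wins. None means the certificate
    does not cover the hostname at all.
    """
    matches = [n for n in cert_names if name_matches(n, hostname)]
    if not matches:
        return None

    def rank(name: str):
        return (0 if "*" not in name else 1, -name.count("."))

    return min(matches, key=rank)


def base_domain_heuristic(hostname: str) -> str:
    """Assumed naive 'main domain' guess: keep the last two labels.

    This is only a stand-in that reproduces the behaviour in the report
    (gst.priv.at -> priv.at); it is not Firefox's actual implementation.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def identity_name(cert_names: List[str], hostname: str) -> Optional[str]:
    """What the popup should show: the matched certificate name, or None
    when nothing in the certificate covers the hostname."""
    return best_matching_name(cert_names, hostname)


if __name__ == "__main__":
    for host in ["gst.priv.at", "www.gst.priv.at", "priv.at"]:
        print(host,
              "| heuristic:", base_domain_heuristic(host),
              "| cert name:", identity_name(SAMPLE_CERT_NAMES, host))
```

Running it shows the difference the report is about: for gst.priv.at the heuristic yields priv.at, a name that appears nowhere in the certificate, while the matcher yields gst.priv.at; for www.gst.priv.at the matcher yields the wildcard name *.gst.priv.at; and for priv.at itself the matcher yields None because the certificate was never issued for it.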
Comment 1

I think there's a duplicate on this already, but confirming because this is true and should be fixed if the duplicate is buried in a messy UI bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 2

10 years ago
Showing the full hostname can be misleading too, as in the case of "secure-bankofamerica.com"...
Summary: Firefox should not use heuristic to determine SSL sitename → Larry popup should show full hostname, not just the domain, as this heuristic can be misleading

Updated

10 years ago
Duplicate of this bug: 444986

Comment 4

9 years ago
Since humans are better at verifying naked domains, and since certificate authorities really check for domain ownership anyway, I think we'd be doing a disservice to everyone if we showed the whole hostname (even though the CN is the hostname).

Sid argues that important sites that don't want to be phished should remove their www (e.g. redirect from https://www.paypal.com/ to https://paypal.com/).  It's an interesting argument; I'm curious why PayPal hasn't done this.