Open
Bug 443116
Opened 17 years ago
Updated 2 years ago
Larry popup should show full hostname, not just the domain, as this heuristic can be misleading
Categories
(Firefox :: Security, defect)
NEW
People
(Reporter: gst, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0
It seems that the small window that displays information about an SSL certificate (when you click at the left side of the address bar) uses a simple heuristic to determine the domain name to which the user is connected.
E.g. on https://gst.priv.at/ I have a certificate that was issued to "*.gst.priv.at", "gst.priv.at" and a few other domains. It was NOT issued to "priv.at". However, when opening the SSL information, Firefox writes: "Sie sind verbunden mit priv.at" (in the English version this sentence should be similar to: "You are connected with priv.at").
Instead of trying to determine the main domainname of the site, Firefox should show the name to which the certificate was actually issued (or, if there are multiple matching names in a certificate, the "best" matching name).
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
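The behaviour the report asks for, as an added illustration (not Firefox code): the naive "last two labels" guess that produces "priv.at" beside a matcher that picks the certificate name actually covering the host, preferring an exact SAN entry over a wildcard. The SAN list and helper names are constructed for this example; the wildcard rule (a single leftmost label only) is the common certificate-matching convention, not something the bug itself specifies.

```python
# Constructed sample, not from the bug: a certificate's subject alternative
# names resembling the reporter's description ("*.gst.priv.at", "gst.priv.at",
# plus an unrelated extra name).
SAMPLE_SAN_NAMES = ["*.gst.priv.at", "gst.priv.at", "mail.example.invalid"]


def naive_domain_heuristic(hostname):
    """The kind of guess the bug complains about: keep only the last two labels."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def san_matches(pattern, hostname):
    """Does one certificate name cover hostname?

    A wildcard is accepted only as the whole leftmost label and matches
    exactly one label, so "*.gst.priv.at" covers "www.gst.priv.at" but
    neither "gst.priv.at" nor "a.b.gst.priv.at".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False  # partial or repeated wildcards are rejected
    suffix = pattern[1:]  # e.g. ".gst.priv.at"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def best_matching_name(san_names, hostname):
    """Return the SAN entry that covers hostname, exact names before wildcards, else None."""
    matches = [name for name in san_names if san_matches(name, hostname)]
    if not matches:
        return None
    exact = [name for name in matches if "*" not in name]
    return exact[0] if exact else matches[0]


def popup_identity_line(san_names, hostname):
    """What the popup would say if it showed the matched certificate name."""
    name = best_matching_name(san_names, hostname)
    if name is None:
        return "Certificate does not cover " + hostname
    return "You are connected with " + name


if __name__ == "__main__":
    host = "gst.priv.at"
    print("heuristic:", naive_domain_heuristic(host))          # priv.at
    print("certificate:", popup_identity_line(SAMPLE_SAN_NAMES, host))
```

Running it for `gst.priv.at` shows the heuristic answering `priv.at`, a name that appears nowhere in the certificate, while the matcher answers with the exact SAN entry; a host the certificate does not cover gets an explicit negative instead of a plausible-looking parent domain.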
Comment 1•17 years ago
I think there's a duplicate on this already, but confirming because this is true and should be fixed if the duplicate is buried in a messy UI bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•17 years ago
Showing the full hostname can be misleading too, as in the case of "secure-bankofamerica.com"...
Summary: Firefox should not use heuristic to determine SSL sitename → Larry popup should show full hostname, not just the domain, as this heuristic can be misleading
Comment 4•16 years ago
Since humans are better at verifying naked domains, and since certificate authorities really check for domain ownership anyway, I think we'd be doing a disservice to everyone if we showed the whole hostname (even though the CN is the hostname).
Sid argues that important sites that don't want to be phished should remove their www (e.g. redirect from https://www.paypal.com/ to https://paypal.com/). It's an interesting argument; I'm curious why PayPal hasn't done this.
Updated•2 years ago
Severity: minor → S4