Closed Bug 444986 Opened 16 years ago Closed 16 years ago

Blue security icon: invalid domain assertion "domain.com" instead of "www.domain.com"

Categories

(Firefox :: Security, defect)

PowerPC
macOS
defect
Not set
major


RESOLVED DUPLICATE of bug 443116

People

(Reporter: minfrin, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9) Gecko/2008061004 Firefox/3.0
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9) Gecko/2008061004 Firefox/3.0

When an attempt is made to connect to a website called www.domain.com, which is secured by a certificate signed by a CA trusted for this purpose, and you click on the blue security icon to get details of the website, you get the following:

"You are connected to domain.com..."

The certificate in this case makes no assertion about "domain.com"; instead, the certificate belongs to "www.domain.com".

By being imprecise when reporting the name of the certificate, you send a clear signal to end users that the precise name of the site doesn't matter. Phishing is all about trying to create websites that are similar to but not the same as the actual site, and this bug plays directly into the hands of phishers.

The browser should assert what the certificate asserts; it should not make assertions of its own.


Reproducible: Always

Steps to Reproduce:
xxx
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
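
The distinction the report draws, as an added example that is not part of the original bug or Firefox's code: a check of whether a name shown in an identity UI is one the certificate actually asserts. It assumes the certificate's DNS names have already been extracted into a list; the function names and sample hosts are constructed for illustration.

```javascript
// Added example. Function names are hypothetical; hosts are constructed samples.

// Normalize a DNS name for comparison: case-insensitive, no trailing dot.
function normalize(name) {
  return name.trim().toLowerCase().replace(/\.$/, "");
}

// True if one certificate name covers host. A wildcard is honoured only as the
// whole left-most label ("*.domain.com") and matches exactly one label.
function nameCovers(certName, host) {
  const c = normalize(certName);
  const h = normalize(host);
  if (c === h) return true;
  if (!c.startsWith("*.")) return false;
  const suffix = c.slice(1); // e.g. ".domain.com"
  if (!h.endsWith(suffix)) return false;
  const left = h.slice(0, h.length - suffix.length);
  return left.length > 0 && !left.includes(".");
}

function certCovers(certNames, host) {
  return certNames.some((n) => nameCovers(n, host));
}

// Compare the host connected to, the name the UI displays, and the cert's names.
function auditDisplayedIdentity(certNames, connectedHost, displayedName) {
  const hostCovered = certCovers(certNames, connectedHost);
  const displayedCovered = certCovers(certNames, displayedName);
  let verdict;
  if (!hostCovered) verdict = "certificate-does-not-match-host";
  else if (!displayedCovered) verdict = "display-not-asserted-by-certificate";
  else verdict = "display-asserted-by-certificate";
  return { hostCovered, displayedCovered, verdict };
}

// Constructed cases: [certificate names, connected host, displayed name]
const cases = [
  [["www.domain.com"], "www.domain.com", "domain.com"],               // the reported case
  [["*.domain.com"], "www.domain.com", "domain.com"],                 // wildcard excludes the apex
  [["domain.com", "www.domain.com"], "www.domain.com", "domain.com"], // both names asserted
];
for (const [names, host, shown] of cases) {
  console.log(names.join(","), host, shown, auditDisplayedIdentity(names, host, shown).verdict);
}
```

The second case shows that a wildcard certificate for `*.domain.com` does not assert the bare `domain.com` either, so the same mismatch arises there.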