Closed Bug 481571 Opened 15 years ago Closed 4 years ago

location bar displays site identity as tld, even though cert is only valid for subdomain

Categories

(Firefox :: Security, defect)

defect
Not set
normal

RESOLVED INVALID

People

(Reporter: sayrer, Assigned: johnath)

Details

(Keywords: sec-want, Whiteboard: [sg:want])

bugzilla.mozilla.org's cert is valid for *.mozilla.org

mail.google.com's cert is valid for mail.google.com

The location bar display for mail.google.com is wrong.
Blocks: 480357
Component: Location Bar and Autocomplete → Security
OS: Mac OS X → All
QA Contact: location.bar → firefox
Hardware: x86 → All
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
This isn't quite the same as bug 471802.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Oh, you want browser.identity.ssl_domain_display set to 2 (host) instead of 1 (domain) by default, at least for the non-wildcard case?
That would be wrong perhaps. First of all, Google uses a really backward certificate with no SAN entries. Setting the pref to 2 would be wrong too for a site which has entries like

domain.com
sub.domain.com
more.domain.com

in the certificate's SAN DNS extension.
I don't think it's a problem for the location bar to show only the base domain, it's a space-saving compromise that positively indicates the SSL state (a few blue pixels was insufficient) while secondarily helping users parse the most significant parts of the domain (as "Locationbar2" was supposed to do). Showing the full host can take up too much space as well as help phishers by pushing incriminating clues out of view.

Larry, however, shouldn't compromise. If users click Larry open to get detailed information then Larry should give them that detail and tell the user exactly what we have validated. That is the bug, IMHO.
(In reply to comment #6)
> while secondarily helping users parse the most
> significant parts of the domain (as "Locationbar2" was supposed to do).

bug 451833, btw.
Now that the almost (but not quite) redundant SSL hostname is being taken out of the status bar does that raise the importance of having Larry not lie when you open him? For this site he says "You are connected to mozilla.org". I am not, I am "connected" to bugzilla.mozilla.org.

It may be run by the same folks, but if that's what we mean we could change the wording to "You are connected to a host which may be run by mozilla.org. (Or maybe not, but mozilla.org could MITM it anyway)"
Assignee: nobody → johnath
Flags: blocking-firefox3.5?
Whiteboard: [sg:want]
Dan - so I think what you're asking for is different from the original request in this bug, isn't it? I think the original request was that the location bar display reflect the degree-of-verification in the cert, whereas you seem to be proposing that the popup reflect the actual domain, regardless of the cert content.

It's a trivial change to have the popup include the full domain (without inspecting the cert, I mean), but I wonder if that is just going to be differently confusing, to have the two pieces of the same UI saying different things?
Not blocking, but we'd take a patch that does what comment 1 implies, which is:

In the identity button, always show the smaller piece (eTLD)

In Larry's drop down:
 - for wildcard certs, show the part after the wildcard
 - for non-wildcard certs, show the domain for which the cert applies
Flags: wanted-firefox3.5+
Flags: blocking-firefox3.5?
Flags: blocking-firefox3.5-
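
The drop-down rule proposed in the comment above, sketched as an added example (not part of this bug and not Firefox code). The function names and the `{ commonName, sanDnsNames }` certificate shape are hypothetical, the sample certificates are constructed from the names quoted in this bug, and the identity-button half of the rule is left out because it needs the Public Suffix List.

```javascript
// Added illustration; not Firefox code. All names here are hypothetical.

// Does a certificate DNS name cover `host`? A wildcard is honoured only as
// the entire leftmost label and stands for exactly one label.
function nameCoversHost(certName, host) {
  const pattern = certName.toLowerCase();
  const h = host.toLowerCase();
  if (!pattern.startsWith("*.")) return pattern === h;
  const suffix = pattern.slice(1); // "*.mozilla.org" -> ".mozilla.org"
  if (!h.endsWith(suffix)) return false;
  const left = h.slice(0, h.length - suffix.length);
  return left.length > 0 && !left.includes(".");
}

// Text for the identity popup under the proposed rule:
//   wildcard cert     -> the part after the wildcard
//   non-wildcard cert -> the exact name the cert applies to
// Returns null when no name in the cert covers the host.
function popupIdentity(host, cert) {
  // SAN DNS entries take precedence; the CN is consulted only when there
  // are none (the "no SAN entries" case mentioned earlier in the bug).
  const names = cert.sanDnsNames.length ? cert.sanDnsNames : [cert.commonName];
  // Assumption of this sketch: an exact entry wins over a wildcard entry.
  const exact = names.find(n => !n.startsWith("*.") && nameCoversHost(n, host));
  if (exact) return exact.toLowerCase();
  const wild = names.find(n => n.startsWith("*.") && nameCoversHost(n, host));
  return wild ? wild.slice(2).toLowerCase() : null;
}

// Constructed sample certificates (names taken from the bug text).
const wildcardCert = { commonName: "*.mozilla.org", sanDnsNames: [] };
const cnOnlyCert = { commonName: "mail.google.com", sanDnsNames: [] };
const multiSanCert = {
  commonName: "domain.com",
  sanDnsNames: ["domain.com", "sub.domain.com", "more.domain.com"],
};

console.log(popupIdentity("bugzilla.mozilla.org", wildcardCert));
console.log(popupIdentity("mail.google.com", cnOnlyCert));
console.log(popupIdentity("sub.domain.com", multiSanCert));
```
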

(Working my way through old security bugs) I think this is invalid now, do you agree?

Flags: needinfo?(jhofmann)

Yeah

Status: REOPENED → RESOLVED
Closed: 15 years ago → 4 years ago
Flags: needinfo?(jhofmann)
Resolution: --- → INVALID