location bar displays site identity as tld, even though cert is only valid for subdomain

Status: REOPENED
Product: Firefox
Component: Security
Version: unspecified
Reporter: Robert Sayre
Assignee: johnath
Keywords: sec-want
Whiteboard: [sg:want]
Flags: blocking-firefox3.5 -, wanted-firefox3.5 +

Description (Reporter), 9 years ago

bugzilla.mozilla.org's cert is valid for *.mozilla.org

mail.google.com's cert is valid for mail.google.com

The location bar display for mail.google.com is wrong.

Updated (Reporter), 9 years ago
Blocks: 480357

Updated, 9 years ago
Component: Location Bar and Autocomplete → Security
OS: Mac OS X → All
QA Contact: location.bar → firefox
Hardware: x86 → All

Updated, 9 years ago
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 471802

Comment 2 (Reporter), 9 years ago

This isn't quite the same as bug 471802.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Comment 4, 9 years ago

Oh, you want browser.identity.ssl_domain_display set to 2 (host) instead of 1 (domain) by default, at least for the non-wildcard case?

Comment 5, 9 years ago

That would be wrong perhaps. First of all Google uses a really backward certificate with no SAN entries. Setting the pref to 2 would be wrong too for a site which has entries like

domain.com
sub.domain.com
more.domain.com

in the certificate's SAN DNS extension.

Comment 6

I don't think it's a problem for the location bar to show only the base domain; it's a space-saving compromise that positively indicates the SSL state (a few blue pixels were insufficient) while secondarily helping users parse the most significant parts of the domain (as "Locationbar2" was supposed to do). Showing the full host can take up too much space as well as help phishers by pushing incriminating clues out of view.

Larry, however, shouldn't compromise. If users click Larry open to get detailed information then Larry should give them that detail and tell the user exactly what we have validated. That is the bug, IMHO.

Comment 7

(In reply to comment #6)
> while secondarily helping users parse the most
> significant parts of the domain (as "Locationbar2" was supposed to do).

bug 451833, btw.

Updated, 9 years ago
Duplicate of this bug: 483178

Now that the almost (but not quite) redundant SSL hostname is being taken out of the status bar does that raise the importance of having Larry not lie when you open him? For this site he says "You are connected to mozilla.org". I am not, I am "connected" to bugzilla.mozilla.org.

It may be run by the same folks, but if that's what we mean we could change the wording to "You are connected to a host which may be run by mozilla.org. (Or maybe not, but mozilla.org could MITM it anyway)"
Assignee: nobody → johnath
Flags: blocking-firefox3.5?
Whiteboard: [sg:want]

Comment 10 (Assignee), 9 years ago

Dan - so I think what you're asking for is different from the original request in this bug, isn't it?  I think the original request was that the location bar display reflect the degree-of-verification in the cert, whereas you seem to be proposing that the popup reflect the actual domain, regardless of the cert content.

It's a trivial change to have the popup include the full domain (without inspecting the cert, I mean), but I wonder if that is just going to be differently confusing, to have the two pieces of the same UI saying different things?

Not blocking, but we'd take a patch that does what comment 1 implies, which is:

In the identity button, always show the smaller piece (eTLD)

In Larry's drop down:
 - for wildcard certs, show the part after the wildcard
 - for non-wildcard certs, show the domain for which the cert applies
Flags: wanted-firefox3.5+
Flags: blocking-firefox3.5?
Flags: blocking-firefox3.5-
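As an added illustration (not Firefox code and not from any commenter), the following Python works through the three displays argued over in comments 4, 5 and 10: the identity button under `browser.identity.ssl_domain_display` 1 (eTLD+1) versus 2 (host), and a Larry drop-down that shows the part after a wildcard or else the exact name the certificate was validated for. The public-suffix table, the sample hosts and the certificate name lists are constructed stand-ins.

```python
from typing import List, Optional

# Stand-in for the Public Suffix List; assumption: only these suffixes exist.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def etld_plus_one(host: str) -> str:
    """Registrable domain: the public suffix plus one more label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host


def name_matches(host: str, name: str) -> bool:
    """Compare a hostname with a CN/SAN dNSName the way RFC 6125 allows:
    a wildcard is only valid as the whole leftmost label and covers one label."""
    h, n = host.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in n:
        return h == n
    nl, hl = n.split("."), h.split(".")
    if nl[0] != "*" or len(nl) < 3 or any("*" in x for x in nl[1:]):
        return False
    return len(hl) == len(nl) and hl[1:] == nl[1:]


def validated_name(host: str, cert_names: List[str]) -> Optional[str]:
    """The certificate entry that actually covers host, or None."""
    return next((n for n in cert_names if name_matches(host, n)), None)


def identity_display(host: str, cert_names: List[str], ssl_domain_display: int) -> dict:
    """Identity-button text (pref value 1 = eTLD+1, 2 = full host) and the
    Larry drop-down text as comment 10 proposes: for a wildcard cert the part
    after the wildcard, otherwise the exact name the cert was validated for."""
    matched = validated_name(host, cert_names)
    if matched is None:  # cert does not cover this host: no identity to show
        return {"button": None, "larry": None}
    button = etld_plus_one(host) if ssl_domain_display == 1 else host
    larry = matched[2:] if matched.startswith("*.") else matched
    return {"button": button, "larry": larry}


# Constructed sample inputs echoing the bug's examples.
print(identity_display("bugzilla.mozilla.org", ["*.mozilla.org"], 1))
print(identity_display("mail.google.com", ["mail.google.com"], 1))
print(identity_display("sub.domain.com",
                       ["domain.com", "sub.domain.com", "more.domain.com"], 2))
```

Note that the bare base domain is not covered by a `*.` wildcard entry, so `mozilla.org` against `*.mozilla.org` yields no identity at all, which is the distinction Larry's wording glosses over.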