*.wiki.sourceforge.net not valid site for *.sourceforge.net SSL certificate

RESOLVED WONTFIX

Status

NSS
Libraries
8 years ago
8 years ago

People

(Reporter: Peter Ansell, Unassigned)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4

*.wiki.sourceforge.net sites can't utilise the *.sourceforge.net issued SSL certificate according to the default SSL certificate checking mechanism.

Reproducible: Always

Steps to Reproduce:
1. Go to https://bio2rdf.wiki.sourceforge.net/ or https://www.wiki.sourceforge.net/

Actual Results:
See error saying that certificate issued for *.sourceforge.net is not valid for bio2rdf.wiki.sourceforge.net when it might be expected to be valid and trusted from a user's point of view.

Expected Results:  
Allow access to secure site using the given certificate.

Component: Phishing Protection → Security
QA Contact: phishing.protection → firefox

I believe this behaviour is as-designed, since our interpretation of wildcards is specified to only go one level "deep." In any event though, moving this to NSS, where the decision is made.

Assignee: nobody → nobody
Component: Security → Libraries
Product: Firefox → NSS
QA Contact: firefox → libraries

Historically, Mozilla has been the only browser that allowed a wildcard
character to match multiple levels of subdomain.  This behavior did not
conform to the relevant RFC, and became viewed as a security risk, so
Firefox 3.5 has changed to conform to RFC 2818.  See bug 159483.

Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WONTFIX

Comment 3

8 years ago
Insane that one needs to tell people to do the following:

You will need to click on the "Add Exception..." link, ignore the warning about "You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.". Click on "Get Certificate" and then click on "Confirm Security Exception".

Almost as insane as people putting certificates on their web servers that
do not match the DNS names used by those servers, and then expecting all
to work without any errors.
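
The one-level wildcard rule discussed in this bug, shown as an added example that is not part of the original report and is not NSS code. The function names are hypothetical, the wildcard is handled only as a whole leftmost label, and the two-name certificate list is constructed for illustration.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def matches_one_level(pattern, hostname):
    """RFC 2818 style: '*' stands for exactly one label, leftmost position only."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def matches_multi_level(pattern, hostname):
    """Permissive behaviour the thread says was dropped: '*' spans one or more labels."""
    p, h = _labels(pattern), _labels(hostname)
    if p[0] != "*":
        return p == h
    suffix = p[1:]
    return "" not in h and len(h) > len(suffix) and h[-len(suffix):] == suffix


def cert_covers(names, hostname, matcher=matches_one_level):
    # A certificate is acceptable if any one of its DNS names matches.
    return any(matcher(name, hostname) for name in names)


# Hostnames from the report, plus the apex name for contrast.
HOSTS = [
    "www.sourceforge.net",
    "bio2rdf.wiki.sourceforge.net",
    "www.wiki.sourceforge.net",
    "sourceforge.net",
]


def report(names):
    # host -> (accepted under one-level rule, accepted under multi-level rule)
    return {h: (cert_covers(names, h),
                cert_covers(names, h, matches_multi_level)) for h in HOSTS}


if __name__ == "__main__":
    for label, names in [("as reported", ["*.sourceforge.net"]),
                         ("constructed", ["*.sourceforge.net", "*.wiki.sourceforge.net"])]:
        print(label, names)
        for host, (strict, legacy) in report(names).items():
            print(f"  {host:32} one-level={strict!s:5} multi-level={legacy}")
```
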