Closed Bug 514882 Opened 16 years ago Closed 7 years ago

Thunderbird 2 contacts https://en-us.www.mozilla.com which has an invalid wildcard cert

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: mf5252, Unassigned)

Details

(Whiteboard: [support])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 Build Identifier: 2.0.0.23 (20090812) Upon prompting Thunderbird to retrive emails, a warning notice/box pops up that displays the following message: Security Error: Domain Name Mismatch You have attempted to establish a connection with “en-us.www.mozilla.com” However, the security certificate presented belongs to “*.mozilla.com”. It is possible, though unlikely, that someone may be trying to intercept your communication with this website. If you suspect the certificate shown does not belong to “en-us.www.mozilla.com”, please cancel the connection and notify the site administrator. Viewing the certificate tells me very little and I have no way to ascertain if this is indeed a security breach. This is a fairly recent occurrence (about two weeks since it first started) and the Thunderbird build hasn't changed since it started happening. (I've looked through all other bug reports and this bug does not seem to have been reported before.) Reproducible: Always Steps to Reproduce: 1. Prompt Thunderbird to retrieve email 2. 3. Actual Results: Closing out program (then running Ccleaner) and reopening Thunderbird will reproduce the same message every time. Expected Results: N/A I should not be getting a security notice of this kind that my emails or connections might be intercepted. If emails are intercepted, then this may be a major security breach but I am not qualified to determine if this is the case.
see http://kb.mozillazine.org/Security_Error:_Domain_Name_Mismatch_or_Server_Certificate_Expired This sounds like a support request. Support is handled at http://www.getsatisfaction.com/mozilla_messaging , please go there and ask your question there.
Whiteboard: [support]
I'm sorry I missed this bug when it was filed. Thunderbird 2.0.0.23 -- which was released around the time you said the problem started -- contains a change to the way it handles SSL "wildcard" certificates to bring it in line with the SSL specification, the behavior of other internet-connected programs, and most importantly in line with what the certificate issuers think they are asserting when they validate certificates. In Thunderbird 2.0.0.22 the site https://en-us.www.mozilla.com could use a certificate that said "*.mozilla.com", but in 2.0.0.23 it would have to be a certificate that said "*.www.mozilla.com" (or the exact full name, of course). So the dialog makes some sense, but I don't understand why your copy of Thunderbird is trying to contact that site using SSL. There are some pages at that site Thunderbird loads (like the start page) but by default those should be non-SSL connections. There's no security problem here for you to worry about -- just go ahead and cancel the connection and it shouldn't interfere with downloading your mail (which is not stored at a Mozilla site). But it's annoying so I'll second Aurellano's suggestion of going to a support site to help figure out how your settings got tweaked
Summary: Possible security issue → Thunderbird 2 contacts https://en-us.www.mozilla.com which has an invalid wildcard cert
From private email by Mitch <mfeingersch@> >Took your advice and attempted to send this over to support. Completion of >support form and the hitting of submit at the end does....... Nothing....... It >just sits there.
(In reply to comment #3) > From private email by Mitch <mfeingersch@> > >Took your advice and attempted to send this over to support. Completion of >support form and the hitting of submit at the end does....... Nothing....... It >just sits there. I'm sorry, wrong cut and past
So that's it. You don't feel this new version has a bug (even of the old version did not exhibit this behavior)? Support link does not appear to want to allow a submit (even with no script on full allow). Would be nice to elevate this for me. If it's a setting I need, I think it should be made known to me.' thanks MF
Cut and past on this page same as cut and past or wrong page. I'm in the Alice loop. If you could get this passed on for me, I'd appreciate it.
could be related to bug #511921?
(In reply to comment #7) > could be related to bug #511921? It is. not realy a dup though.
This can't possibly be an issue in current versions.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.