A number of users are complaining they get an invalid SSL certificate when following the "why was this blocked"/details link in Firefox 3.0. We just pushed a .NET plugin blocklist that about half our users have, so there are quite a number of people now hitting this. The problem is that the old version of the blocklist pref had a locale subdomain, which no longer matches the *.mozilla.com cert on the machine. Example comment http://blog.mozilla.com/security/2009/10/16/net-framework-assistant-blocked-to-disarm-security-vulnerability/#comment-108052 This is because the pref in Firefox 3.0 is "http://%LOCALE%.www.mozilla.com/%LOCALE%/blocklist/", whereas in later versions we dropped the initial locale-host redirect. Firefox 3.0: http://mxr.mozilla.org/mozilla/source/browser/app/profile/firefox.js#84 Firefox 3.5: http://mxr.mozilla.org/mozilla1.9.1/source/browser/app/profile/firefox.js#87 We need to get a *.www.mozilla.com cert up there ASAP
Is bug 522876 a dupe?
Wait, I'm confused... the pref in 3.0 is _not_ SSL, and it correctly redirects to a non-SSL version of the blocklist page. Where are people getting an HTTPS pref with a %LOCALE% sub-domain?
The change from http: to https: happened at exactly the same time we dropped the %LOCALE% subdomain. How are some people having broken links? Is the details link specified in the blocklist itself?
Note that the duped bug was explicitly a 3.5.3 user. The two commenters in the security blog didn't say what version and I just assumed 3.0.x from misreading the source code.
> happened at exactly the same time... Bug 468526 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/273b9ecef4b7