Closed Bug 579927 Opened 14 years ago Closed 13 years ago

www.mozilla.org/mozilla.org SSL renewal (12/02/2011)

Categories

(mozilla.org Graveyard :: Server Operations, task)

Product:
mozilla.org Graveyard
Component:
Server Operations
Platform:
x86
Windows Vista
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: alex_mayorga, Assigned: fox2mike)

References

(
URL
)

Details

(Whiteboard: Geotrust OrderID: 8097943) 

User-Agent:       Mozilla/5.0 (Windows; Windows NT 6.0; en-US; rv:2.0b2pre) Gecko/20100719 Minefield/4.0b2pre
Build Identifier: Mozilla/5.0 (Windows; Windows NT 6.0; en-US; rv:2.0b2pre) Gecko/20100719 Minefield/4.0b2pre ID:20100719040913

This might be user error, but I believe https://mozilla.org should redirect to https://www.mozilla.org
As example see the behavior of https://paypal.com

Reproducible: Always

Steps to Reproduce:
1. Type "https://mozilla.org" in the address bar.
2. Press <enter>
Actual Results:  
There's no redirection and user sees the message below

mozilla.org uses an invalid security certificate.
The certificate is only valid for *.mozilla.org
(Error code: ssl_error_bad_cert_domain)

Expected Results:  
Users that browse to https://mozilla.org are redirect to https://www.mozilla.org and don't see an invalid security certificate message.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Moving to Server Ops for comments and any changes that are needed.
Assignee: nobody → server-ops
Component: www.mozilla.org → Server Operations
Product: Websites → mozilla.org
QA Contact: www-mozilla-org → mrz
Version: unspecified → other
Assignee: server-ops → nmaul
It does redirect, but due to the nature of SSL connections, the handshake happens *before* the redirect does, so you get the error.

The way to solve this is to get a separate cert for mozilla.org, so that it can have a proper cert presented before that redirect happens.

Here is a suitable CSR for this (we don't seem to have a cert for just "mozilla.org" yet):

-----BEGIN CERTIFICATE REQUEST-----
MIIC8zCCAdsCAQAwga0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQKExNNb3ppbGxhIENvcnBv
cmF0aW9uMRYwFAYDVQQLEw1JVCBPcGVyYXRpb25zMRQwEgYDVQQDEwttb3ppbGxh
Lm9yZzElMCMGCSqGSIb3DQEJARYWaG9zdG1hc3RlckBtb3ppbGxhLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANuEfKTF3zASikFs+SEEr43q0rIj
HbuET4BKU3D+uSW000h05N55k/rm6nSA4r6ZHSIpH4vra+3KoEZTBWy8l3305/eO
MwAOy+Sf8np9Bn2JpeUX1luKQxoitkycxTWvZLBUtczYoJY9RlowKLpF1vP98CRl
ypu7Ua7ewPcTKrL5hYyl/L7VxRo/mkqJ1r4BmGY154ggxL234hYfOfa+IZi7XFVs
50Mr16LnqkmbhKVxE0googKg1z8Z/pq3d/SqlX+8YPMkzMdbBwO6Bv1KcrBCINKm
XI20EPjgUsq4cr1Rr6m45YoJeAvE5rOrOfWl0ysgzFT1P4tzNaJZAO3XOIMCAwEA
AaAAMA0GCSqGSIb3DQEBBQUAA4IBAQAaP4H+oMDkSvhxM1pn2Sk1htnFcbQpjF5Q
9RYlWyVLhHzXk0BbjUF58NhNo6TOMGa6ZhurF+bWcRmUt81Xn38JaYd6Moe4E+Ll
4kFZJABUqnFvqziU21frZtpL5j2pGdySSC7ZB6FmhRbekTHiqVGbf92PweM6EaeQ
h4SJbwkFa27sGhk1UE7ZCYJB6PkOT9pC8pv3s4mQ+vQrefOkX8ofI1JydlxziB4b
DQlMO9RLho1am9+P+efYXqE/3nnQRCKqJ5Tug8v5mBCpTHkpT8LzyFSc0AOLtVVa
aT5Efj2S5nPOvK3FE3wRtPgFKDmxwBoO6ecExJcYoVMDnPCmmomh
-----END CERTIFICATE REQUEST-----


Assigning to mrz for a decision on whether we want to spend the $$ to fix this, and get a cert if we do...
Assignee: nmaul → mrz
The trouble is that "*.mozilla.org" doesn't include "mozilla.org".

Maybe you can complain to the CA that sold you your wildcard cert.
Maybe you can get them to issue a replacement cert that includes "mozilla.org" in the Subject-Alt-Name-Extension.
Summary: https://mozilla.org doesn't redirect to https://www.mozilla.org and shows invalid security certificate → https://mozilla.org shows invalid security certificate (and therefore cannot automatically redirect to https://www.mozilla.org )
The current 2-year wildcard cert will expire anyway in 4.5 months, so maybe it's time to start the replacement-cert process, and get this problem fixed, too.
Is this a dup of bug 553749?
Really a dupe of bug 398923...
*.mozilla.org is going expire 12/02/2011.  Changing summary to reflect course of action.

Should get a certificate valid for www.mozilla.org & mozilla.org.
Assignee: mrz → server-ops
Summary: https://mozilla.org shows invalid security certificate (and therefore cannot automatically redirect to https://www.mozilla.org ) → www.mozilla.org/mozilla.org SSL renewal (12/02/2011)
Standard Enterprise SSL? Don't think we need EV here...
Assignee: server-ops → shyam
I agree.  An EV cert, right now, would come out as Mozilla Corporation because that's the entity who has the business account.  I don't know if there's much to be gained outside of a green bar for the EV cert on this site.
The Firefox download and the rest of *.mozilla.org is the most important use case for EV that I know of. We should either use an EV cert for our website or we should remove the special handling of EV certs from Firefox.

I do not think the "Mozilla Corporation" branding issue should get in the way. Also, don't we have time to go through the EV validation process for a different name ("Mozilla Foundation"?) before the certs expire?
Since mozilla.org hosts the main download page for Firefox, it's probably more important for it to have an EV cert than most of our domains... AMO being the only other one that comes to mind as EV-worthy.


Note: do not use the csr in comment 2... that is for mozilla.org only, and does not include www.mozilla.org.

Here's a better one that will work for mozilla.org and www.mozilla.org.

-----BEGIN CERTIFICATE REQUEST-----
MIIDQTCCAikCAQAwga0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQKExNNb3ppbGxhIENvcnBv
cmF0aW9uMRYwFAYDVQQLEw1JVCBPcGVyYXRpb25zMRQwEgYDVQQDEwttb3ppbGxh
Lm9yZzElMCMGCSqGSIb3DQEJARYWaG9zdG1hc3RlckBtb3ppbGxhLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALfFA242rpOuQx6+/q5i/pNTOkiQ
2fEf8ZM5ktLXby0r38Jkdqa83TafBnlRBHbivXFb93wK+27bRffI7JpH9W8T+6Yf
IdGvkyNe1IoGiimR/q45o0w4RBqwdjgUL8vj+bVr84+F3bfvMaCDUzIt9iI6jq91
SSk71v7DxQk8s2hyiq8GW1xDtGN0lnTw56taCruwiDF9/imKlYFR44/QMbQLOzst
32Pmr/cWby0tndxkzDHdL+Y2ipAdPJkGUCs3Z81SLKWlwP+Z5bRV+sQJkndiUMDj
VNbMSnPp96brVwdDheKKZoA0h+nQkOKlsVwTRHiY2slB9heGIQJ55nSaPncCAwEA
AaBOMEwGCSqGSIb3DQEJDjE/MD0wEQYJYIZIAYb4QgEBBAQDAgZAMAwGA1UdEwEB
/wQCMAAwGgYDVR0RBBMwEYIPd3d3Lm1vemlsbGEub3JnMA0GCSqGSIb3DQEBBQUA
A4IBAQAYKXDMuOWVfztvfl9KUN0rrIU8zUDaswJUQf5Sw+h1fSynPbYayoOH3iw7
uyfFPLwJGRA3ANWymagReeBgtdQbvOq440QiZhXbsdZp8yPXH9kd4JmU8ThldezE
phctux8CFMCKmVztOuQoKX4VXbsrlJr/AVSzCw/wSn0YheM54rTfabBkJadVzDcf
wA5lC2RWp2flzcljdqWWCnBZXU/UsSdOrOVBP+HdylWAFJG1WWZFlJzTjVpTw9ua
JaozQOdze3thcfo6MpkzhcCJ7HxYiiULrmFsUfq2D5TpCJNrVPkkD+TNZU5mCl15
5J+xIqvEPLZqh+XESSi0F37Cbftp
-----END CERTIFICATE REQUEST-----
Jake,

Need the reverse. Get a CSR for www.mozilla.org with a SAN for mozilla.org. That way, the cert is cheaper for us to procure and will work with both mozilla.org and www.mozilla.org :)
(In reply to Brian Smith (:bsmith) from comment #10)
> The Firefox download and the rest of *.mozilla.org is the most important use

I'd agree but downloads are over non-SSL.  

Tell me what added security EV gets us for downloads here?

> Also, don't we have time to go through the EV validation process for a
> different name ("Mozilla Foundation"?) before the certs expire?

I can't speak for the Foundation, someone representing the other business entity would have to do that paperwork.

The administrative overhead for an EV is time consuming.  Happy to do it if the consensus is that it provides substantial end user benefit.
(In reply to Shyam Mani [:fox2mike] from comment #12)
> Jake,
> 
> Need the reverse. Get a CSR for www.mozilla.org with a SAN for mozilla.org.
> That way, the cert is cheaper for us to procure and will work with both
> mozilla.org and www.mozilla.org :)

Here you go:

-----BEGIN CERTIFICATE REQUEST-----
MIIDQTCCAikCAQAwgbExCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQKExNNb3ppbGxhIENvcnBv
cmF0aW9uMRYwFAYDVQQLEw1JVCBPcGVyYXRpb25zMRgwFgYDVQQDEw93d3cubW96
aWxsYS5vcmcxJTAjBgkqhkiG9w0BCQEWFmhvc3RtYXN0ZXJAbW96aWxsYS5jb20w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeOh6yffa6EUJiq7B3gmqM
opyskeIquGSmuz5lpS3ajoUezV24W/xnKHSgn87C0KBzUSjRY46Ix9lHdgfDlptN
v1Zt+BoRwVHuZt0IZnGYZeStg05qGY5fsznpDIfyJAWXtOaWmju72a1Mpvultu4A
koxD1etPZZgY/FaUSftmpYvpCaHFjL+mLdF88NvUG6OpX4/L/uTv05OOPcjbLHvL
3tw1CerOzqF6BDbB8qOh0DXAN/CF4/OS8LdLWXW2VPDXv+fMq4aweCV+nDVn6V4s
ZH5rplztPXMQdZZoxSMESctd1lpFarXpd7uJ8kzrmMz9D3dIzkhL/lA9B6Dng/8B
AgMBAAGgSjBIBgkqhkiG9w0BCQ4xOzA5MBEGCWCGSAGG+EIBAQQEAwIGQDAMBgNV
HRMBAf8EAjAAMBYGA1UdEQQPMA2CC21vemlsbGEub3JnMA0GCSqGSIb3DQEBBQUA
A4IBAQBg+jW2qk9y60Pu1ixJrarRmAGryNYu8xHbfIBSzMHkObROP7XhPyCruTo1
KAPyDhsNpxumb2SU5sMKnQl3XtUU84hz3XYSFB1k6T4CcpzSXyD5EDQG6i7hTo8W
GNokLqAWl876MehW+AoWS1yIRXWjUOVqwe/AaBBU+t4v57/fVsNI1UZurEdWQVdV
2eWcyxalX6x5oDisadoEoPgl8y0+OZzb9ksteB59zEAXlTJwCdZafVV7wz73lIrd
ruVQ1K4L/9dtjMPQIJggpjvJc02qJ35hQxuCxfTKxTeDD3eSYghR3qfad9taHGB3
DUnxDpYfrOOJTFd8VZhXgptZCv4j
-----END CERTIFICATE REQUEST-----
Whiteboard: [allhands]
(In reply to Jake Maul [:jakem] from comment #11)
> Since mozilla.org hosts the main download page for Firefox, it's probably
> more important for it to have an EV cert than most of our domains... AMO
> being the only other one that comes to mind as EV-worthy.

I think all of our security infrastructure--which includes but isn't limited to the Firefox download page, mail.mozilla.com, bugzilla.bugzilla.org, securitywiki.mozilla.org, ldap.mozilla.org, and any Mozilla property into which we enter our LDAP credentials, at least--should have EV certificate, because we've already determined that EV offers a significant security benefit regarding phishing and mis-issuance. Maybe we were wrong when we made that decision; if you think so, then let's file a file to correct the way Firefox UI's (mis)represents EV certificates. We were co-creators of the EV mechanism; it doesn't make sense to say that the EV rules make getting the certificates too hard, when we were directly involved in creating those rules.
I think our role in helping create the spec neither helps nor hinders the argument that they aren't worth the cost in a particular context. They are harder certs to get, and I don't think we need one for, for instance, people.mozilla.org - precisely because they are more onerous. That difficulty isn't about security either, it's about identity - and I think the real test ought to be "How important is it to provide additional assurances of identity to the users of this site?"

To that end, I think AMO (user facing, carries our stamp of approval, deliberately created as a place to obtain software) clearly passes the test. I actually feel like mozilla.org, from whence our downloads originate, does as well.

I disagree, though, at least prima facie, with the assertion that our project-internal infrastructure needs that level of identity attestation. Does hg.mo or bugzilla need an EV cert? What is the cost of less prominent identity information there? Bugzilla is a bit of a funny case since the general public interacts with it, and since our own developers sometimes supply very sensitive credentials to it, but relying on those developers noticing the absence of a green identity block is not much security. EV is an affirmative identity signal to tie domain names to real entities, but I don't think people particularly benefit from that signal with securitywiki.mozilla.org; its users already know who runs it.

ASIDE: I think the reality is that EV *does* provide some de facto MitM-detection capability even though it's not a design feature. I think that people in our community *would* notice if bugzilla was EV and then lost it, even though we can't rely on humans noticing that change in the general case. If EV certs were free, I'd support deploying them everywhere. I'm only pushing on the criteria for making the investment because of the concern that they are costly in money and, more importantly, time.

ASIDE 2: Are EV certs really that much more costly after the first one? Getting AMO was pain, articles of incorporation, signed letters from general counsel, &c. But we have that one now. Our CA has that information. Oughtn't that make the cost of the second, third and fourth EV certs much lower? Are we wringing our hands over an imagined pain greater than the actual pain?
> ASIDE 2: Are EV certs really that much more costly after the first one?
> Getting AMO was pain, articles of incorporation, signed letters from general
> counsel, &c. But we have that one now. Our CA has that information. Oughtn't
> that make the cost of the second, third and fourth EV certs much lower? Are
> we wringing our hands over an imagined pain greater than the actual pain?

Time-wise, probably not.  Dollar wise, probably yes.

As the implementer I don't have a particular opinion either way.

My only concern, because I'm sure someone will point it out, is that the current business entity buying these certificates is Mozilla Corporation and the resulting EV certificate will say that too.  

Is that an issue for a site that ends in a .org?  Or in a One Mozilla world?
So what's the final call? EV? No EV?
We've got a clock on the renewal, and it needn't block on the EV/no-EV decision. I'd get a replacement cert in the meantime. If we make the decision to switch to an EV cert - so be it. At the end of the day, I think IT owns the decision, though they might want to consult with engagement about whether this is a worthwhile investment for the site's brand, and with security to decide whether we think it's an important investment for the site that people use to find Firefox downloads. I'd also get engagement to comment on the question of a mozilla.org site presenting a "Mozilla Corporation" EV cert.

Incidentally, I'm personally of the opinion that it is worth doing.
Whiteboard: [allhands]
No rush, since the cert only expires in December. 

John, comments?
Weighing in from the Engagement team...

I probably need a bit more of a walk-through of the technical implications, but without really understanding much of that I'd like to strongly advocate against us saying Mozilla Corporation in any public-facing way. That's really off brand, and I'd very much like to avoid end-users ever seeing the word 'corporation' associated with us...it's part of our legal structure, but that's it.

Is that doable? What would it require? (Thanks for looping me in, btw.)
 
> Is that doable? What would it require? (Thanks for looping me in, btw.)

I think the complication is that that name reflects the business entity.  So it's probably either Mozilla Corporation or Mozilla Foundation, neither of which is the desirable "Mozilla".
From Verisign:

Trung :  For the Extended Validation certificate, the organization name referenced in the SSL certificate must exactly match the business registration.
Trung :  The word corporation cannot be removed, but it can be abbreviated.

matthew zeier:  Would that change if I had a "dba" ?
matthew zeier:  Mozilla Corp, dba Mozilla and then just include Mozilla?

Trung :  For the extended validation certificate, that would not be possible. If you had a dba, the organization name would have to be as follows
Trung :  Mozilla (Mozilla Corp.)
Trung :  Or
Trung :  Mozilla (Mozilla Corporation)


So if there's a decision to just have the EV cert should the Org Name of "Mozilla" there's a related business process to register Mozilla as a registered business.  That process is out of my expertise but I will investigate.
If using just Mozilla isn't an option, I'd prioritize using Mozilla Foundation over Mozilla Corporation or Mozilla Corp.
From those who do these sorts of things,

"I just put in the request to D&B to update/change from Mozilla Corp to Mozilla."
The business guys say it'll take a couple weeks to get the name registered as a business entity.  Will update when it's done.
mrz, poke. We're hitting the pink danger area for this bug, cert expires on Dec 2. Soon pink will turn red ;)
Have this on order with Geotrust, we're getting an EV cert which should say "Mozilla"
Whiteboard: Geotrust OrderID: 8064806
or Mozilla Corporation. Either way, it's an EV cert.
Blocks: 704681
Slater,

So we have a cert, but it says Corporation. What would you like me to do at this point? Geotrust doesn't see the business registered as "Mozilla" and so will not issue anything that just says Mozilla on it.

It's installed for now, but if you don't want it, I'd have to get another normal cert and close this out, and you can file a new bug for an EV cert from the foundation, which can be processed later.

Hit up https://www.mozilla.org/ let me know. 

Thanks!
Also, I think Geotrust made an error here, so I'll work with them on fixing this too.
I had a call with Geotrust this morning. Our options are:

1) Get the Certificate re-issued. This will be an EV cert but the bar is going to say Mozilla (Mozilla Corporation) vs the Mozilla Corporation we have now since Mozilla exists in a Fictitious Name Statement document only. This is how Geotrust issues certs for Fictitious Name Statement entities.

2) Get the True Business ID Cert. This will NOT be an EV cert, but will have the name Mozilla on the cert. No green bar, so I'm not sure this is something we want to look at.

3) Drop both of the above for now, cancel the EV cert, get a normal SSL cert and re-visit when we have Mozilla as a non Fictitious Name Statement thingy OR get the ball rolling to get an EV from the Mozilla Foundation. Then an EV on the site will have the bar saying Mozilla Foundation.

Do let me know how we'd like to proceed at this point.
Shyam, thanks for laying out the options so clearly. Having the site display Mozilla Corporation so prominently really contradicts a lot of the messaging we're laying out, so I'd like to pursue an option that doesn't include that.

I'm not sure of the technical implications between the True Business ID cert from option 2 and the normal SSL cert from option 3, so please tell me if there's anything I'm missing there but it seems like option 3 is best.

Looking ahead:
- how do we get the ball rolling to get an EV from the Foundation? How can I help?
- people see the green bar when they hit the https version of the page, right? When does that happen? If I google my way to that page I don't get that version.

Bottom line though, as a marketing call getting rid of Corporation outweighs the green bar. Thanks for pushing on this, and let me know how I can help.
(In reply to John Slater from comment #33)

> I'm not sure of the technical implications between the True Business ID cert
> from option 2 and the normal SSL cert from option 3, so please tell me if
> there's anything I'm missing there but it seems like option 3 is best.

I think option 3 is best, we don't have the extra spend and I don't think there's any big advantage between 2 and 3. There is one between 1 and 3 though.

> Looking ahead:
> - how do we get the ball rolling to get an EV from the Foundation? How can I
> help?

I'm going to defer to mrz here, I'm not entirely sure. From where I stand, we need one of these that says Mozilla Foundation :

Acceptable documents:

-	Articles of Incorporation 
-	Business License 
-	Certificate of Formation 
-	Doing Business As Statement
-	Registration of Trade Name or Assumed Name
-	Fictitious Name Statement 
-	Charter Documents 
-	Partnership Papers 
-	Vendor/Reseller/Merchant License 
-	Merchant Certificate


> - people see the green bar when they hit the https version of the page,
> right? When does that happen? If I google my way to that page I don't get
> that version.

https://www.mozilla.org/

The Green Bar happens only if you have an EV cert.
 
> Bottom line though, as a marketing call getting rid of Corporation outweighs
> the green bar. Thanks for pushing on this, and let me know how I can help.

Then I'm going with option 3 for now and will open a new bug for an EV cert and we'll consider our options there.

Does that sound fine?
(In reply to Shyam Mani [:fox2mike] from comment #34)

> The Green Bar happens only if you have an EV cert.
>  
> > Bottom line though, as a marketing call getting rid of Corporation outweighs
> > the green bar. Thanks for pushing on this, and let me know how I can help.
> 
> Then I'm going with option 3 for now and will open a new bug for an EV cert
> and we'll consider our options there.
> 
> Does that sound fine?

We should not downgrade from the EV cert to a regular cert. We currently use an EV cert and users are used to seeing this. In addition, an EV cert requires additional security guarantees in the verification process to issue the certificate.  Stepping down to a less rigorously verified certificate (e.g. a non-EV) will send the wrong message to our users and will cause concern to those that are used to seeing the green EV-cert.

If we need to change out the name then I'd like us to address that issue so we can get the correct EV cert.
I chatted with Shyam and found out more.  The EV cert was only available for a small period of time and is not the norm. So, there is no "downgrade" really.  Since the norm for this site is SSL optional, not EV, I'm ok with us staying in a non-EV situation to get the correct SSL cert.

In other words, carry on.
A standard SSL cert has been installed at https://www.mozilla.org/

Discussion on the EV cert has been moved to Bug 706745 for those interested.

To the OP of the bug, sorry it took us a year to fix this :) https://mozilla.org/ now works (the entire site works under that) as does https://www.mozilla.org/ 

Marking this FIXED.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: Geotrust OrderID: 8064806 → Geotrust OrderID: 8097943
Group: core-security
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.