Closed Bug 620834 Opened 15 years ago Closed 15 years ago

automatically add www to untrusted connections where www would make it trusted

Categories

(Core Graveyard :: Security: UI, defect)

Platform: x86
OS: Windows 7
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 364667

People

(Reporter: asa, Unassigned)

Details

(Whiteboard: [psm-cert-errors])

On several occasions I've run into https websites with Untrusted Connection warnings where the problem was that the cert was only good for www.foo.bar and not foo.bar. I just hit this again today at https://paybill.com/sccsuperiorcourt. The warning page explains in the fine print that the cert is only good for www.paybill.com. Adding the www. to the address takes me to the trusted page I wanted. Seems like we could do this automatically, or somehow surface that bit of information much more prominently. I propose that for untrusted connections where the entered domain and the cert domain differ only in the presence of www., and where the cert tells us that it's only trusted for www., we automatically redirect. Alternatively, if that seems prone to problems, we could at least alter our warning page to put a prominent "While foo.com isn't trusted, www.foo.com is. Take me there, please" message and link or button in front of the user, making this much more obvious and easy.
So this is apparently already partially covered at fixed bug 402210. A couple of things:
1. Why not just redirect?
2. Can we please fix up the link to also handle the www.foo.com/bar case, so the link actually takes the user to the page they were looking for and not just the TLD?
3. Can we make it the first thing on the page and not buried in fine print and overshadowed by the big exception button?
I think we should distinguish two scenarios:
(a) The user enters an address into the URL bar. In this scenario I agree, your request is reasonable.
(b) A user clicks a link that contains query parameters, or a user submits a form. I'm not sure it is always safe to attempt to submit form data to another server than the one originally suggested.
If you agree with my concerns, are we able to clearly distinguish (a) and (b) scenarios?
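The heuristic discussed in the comments above (the entered host and the certificate's name differ only in a leading "www.", the path is preserved, and an automatic redirect is only safe for a URL the user typed rather than a link with query parameters or a form submission) can be written down as a small decision routine. The following is an added example, not Firefox/PSM code: the certificate names, hostnames and the `typed_by_user` flag are constructed inputs, and the hostname matcher is a simplified RFC 6125-style check (exact match, or a single leading `*.` covering exactly one label) rather than a full implementation.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the dNSName entries a server certificate might carry.
# Mirrors the bug's situation where only the www. name is covered.
SAMPLE_CERT_NAMES = ["www.example.test"]


def hostname_matches(hostname, cert_names):
    """Simplified RFC 6125 presented-identifier check.

    Exact case-insensitive match, or a wildcard of the form '*.domain'
    that covers exactly one leftmost label (so '*.example.test' matches
    'www.example.test' but not 'a.b.example.test' or 'example.test').
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.test"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def www_alternative(hostname):
    """Return the hostname that differs from `hostname` only by a leading 'www.'."""
    host = hostname.lower()
    return host[4:] if host.startswith("www.") else "www." + host


def classify_mismatch(url, cert_names, typed_by_user=True):
    """Decide what a cert-name-mismatch page could do for this navigation.

    Returns a dict with:
      www_only     -- True if adding/removing 'www.' would make the cert match
      trusted_url  -- the same URL (path and query preserved) on the matching host
      action       -- 'none'     : cert already matches, or mismatch is not www-only
                      'redirect' : scenario (a), URL typed by the user, no query data
                      'offer'    : scenario (b), show a prominent link but do not
                                   resend the request to a different host
    """
    parts = urlsplit(url)
    host = parts.hostname
    result = {"www_only": False, "trusted_url": None, "action": "none"}
    if host is None or parts.scheme != "https":
        return result
    if hostname_matches(host, cert_names):
        return result  # already trusted, nothing to suggest
    alt = www_alternative(host)
    if not hostname_matches(alt, cert_names):
        return result  # the mismatch is not just a www. difference
    netloc = alt if parts.port is None else f"{alt}:{parts.port}"
    result["www_only"] = True
    result["trusted_url"] = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
    # Automatic redirect only when the user typed the address and no query
    # data would be re-sent to a host they did not choose; otherwise offer a link.
    if typed_by_user and not parts.query:
        result["action"] = "redirect"
    else:
        result["action"] = "offer"
    return result


if __name__ == "__main__":
    # Constructed URLs standing in for the bug's paybill.com example.
    for url, typed in [("https://example.test/sccsuperiorcourt", True),
                       ("https://example.test/pay?acct=1", False),
                       ("https://www.example.test/ok", True)]:
        print(url, "->", classify_mismatch(url, SAMPLE_CERT_NAMES, typed))
```

The path is carried over into `trusted_url`, which is the point raised in comment 1, and the `typed_by_user`/query check encodes the (a)/(b) distinction from the comment above; a real implementation would have to obtain that flag from the navigation's load context rather than from the URL alone.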
Whiteboard: [psm-cert-errors]
Please see bug 364667 comment 17, and other comments in that bug. Also related, bug 402210.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard