Empty SSL cert causes URL bar identity panel to show wrong details from another page

RESOLVED DUPLICATE of bug 1126675

Product: Firefox
Component: Address Bar
Severity: major
Opened: 7 years ago
Modified: 3 years ago
Reporter: Mikolaj Kucharski
Assignee: Unassigned
Tracking: Not tracked
Attachments: 1

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Cert info in URL bar is wrong when switching tabs from a URL with a correctly generated SSL cert to a tab with empty SSL cert info.


$ openssl s_client -connect the.bucket.cc:443 2>/dev/null < /dev/null | openssl x509 -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ff:d8:85:c8:f4:3b:94:b3
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
        Validity
            Not Before: Dec  9 01:07:55 2010 GMT
            Not After : Dec  9 01:07:55 2011 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
...


Reproducible: Always

Steps to Reproduce:
1. open Firefox 4.0.1
2. open in one tab https://bugzilla.mozilla.org/
3. open in second tab https://the.bucket.cc/
4. switch between tabs back and forth
5. look at the url bar, near favicon
6. info there for the.bucket.cc will be shown as mozilla.org

Actual Results:
Wrong info when connecting over HTTPS and the cert has an empty 'Subject' line.

Expected Results:  
Probably no info for site with empty 'Subject' in SSL cert.

It happens for any SSL site. I can go to https://mail.google.com/ and then back to https://the.bucket.cc/ and in the URL bar there will be info that the cert is signed to google.com. Mousing over that info also shows wrong details.
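An added example, not part of the original report and not Firefox code: a Python check that reads `openssl x509 -noout -text` output like the one quoted in the description and flags a certificate whose Issuer and Subject are empty, which leaves an identity UI with no name to display. The `NAMED` sample, the function names and the finding labels are constructed for illustration.

```python
import re

# Output quoted in the report above, abridged (validity and key lines omitted).
REPORTED = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ff:d8:85:c8:f4:3b:94:b3
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
        Subject:
        Subject Public Key Info:
"""

# Constructed contrast sample (hypothetical names): populated Issuer and Subject.
NAMED = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Example Test CA
        Subject: CN=www.example.test
        Subject Public Key Info:
"""

# Matches "Version:", "Issuer:" and "Subject:" but not "Subject Public Key Info:".
FIELD = re.compile(r"^\s*(Version|Issuer|Subject)[ \t]*:[ \t]*(.*)$")

def parse_fields(text):
    """Extract Version, Issuer and Subject from `openssl x509 -noout -text` output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields

def identity_findings(text):
    """List the reasons this certificate gives an identity UI no name to show."""
    fields = parse_fields(text)
    # X.509 v1 has no extensions, so only v3 output can carry a subjectAltName.
    has_san = "X509v3 Subject Alternative Name" in text
    findings = []
    if not fields.get("Issuer"):
        findings.append("empty-issuer")
    if not fields.get("Subject") and not has_san:
        findings.append("empty-subject-no-san")
    return findings
```

The reported certificate is Version 1, so it cannot carry a subjectAltName extension either; with both names empty it identifies no one.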
(Reporter)

Comment 1

7 years ago
Created attachment 530042
Wrong info in URL bar and in tooltip when mouse is over favicon

See the attachment for how it looks in my Firefox.
confirming with FF4.01 on win32
This could be a security problem but in this case you already get a security warning before entering the site due to the self-signed certificate.
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
yes, showing a certificate from another site on the wrong site sounds like something bad.
Summary: Empty SSL cert and URL bar info wrong → Empty SSL cert and causes URL bar identity info to show wrong details from another page
Summary: Empty SSL cert and causes URL bar identity info to show wrong details from another page → Empty SSL cert causes URL bar identity panel to show wrong details from another page
(Reporter)

Comment 4

7 years ago
That is also happening when you click from a site with a proper cert to a site with an empty cert. For example here in this bug report, look at the URL bar identity and click on the following link https://the.bucket.cc/ -- the URL bar identity will not change, and will still be displayed as 'mozilla.org'.
Duplicate of this bug: 769458

Comment 6

3 years ago
Sorry for the forward dupe, but the other bug has more info on why this fails, and a working example (the.bucket.cc doesn't connect over here).
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1126675