Closed Bug 903855 Opened 11 years ago Closed 8 years ago

Wrong "Verified by" and organisation information shown in the URL bar for expired SSL certificate


(Core Graveyard :: Security: UI, defect)

22 Branch
Not set


(firefox23 affected, firefox24 affected, firefox25 affected, firefox26 affected, firefox-esr17 affected)

Tracking Status
firefox23 --- affected
firefox24 --- affected
firefox25 --- affected
firefox26 --- affected
firefox-esr17 --- affected


(Reporter: dd0t, Unassigned)


(Keywords: csectype-spoof, sec-low)


(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130627161625

Steps to reproduce:

1. Open
2. Add a security exception (abort the following basic auth, it has no effect)
3. Open any SSL (extended validation) verified site (e.g. in another tab
4. Switch back to the old tab
5. For extended validation certificates pay attention to the organisation name in the bar. In any case mouse-over and then click the lock icon in the URL bar and read the "Verified by" lines.

Tested on Windows 8 (FF v24) and Ubuntu 13.04 (FF v22) in safe mode. Whether the exception is permanent doesn't seem to matter. The Root CA (CACert) is not in my store, also the certificate of is expired and does not apply to the domain though the latter doesn't seem to matter.

As you need to add a security exception I don't think this is a real security issue. As I can't be sure I chose to err on the side of caution. Feel free to remove the flag if it doesn't apply.

Actual results:

For extended validation certificates the old organisation name is still shown in the url bar. The text and lock is no longer green though. In any case the "Verified by" lines shown in the mouse-over and the pop-over displayed on-click displays the "Verified by" line of the previously shown tab (e.g. "VeriSign, Inc."). The "More information" dialog shows the correct information ("Root CA"). 

Expected results:

No organisation name should be shown in the URL for that domain. The same verified by line should be shown in mouse-over, first-click and the "More information" dialog. Under no circumstances should a "Verified by" line not refer to the tab currently being displayed.
Component: Untriaged → Security: UI
Product: Firefox → Core
Flags: needinfo?(mwobensmith)
All branches 17+ and all platforms. Someone needs to confirm on Fennec, however, as that UI is likely different.
Ever confirmed: true
Flags: needinfo?(mwobensmith)
OS: Linux → All
Keywords: csec-spoof
Hi. As the server hosting the domain with the old certificate ( is going to shutdown on the 14th this month I was wondering whether all needed data for this bug has already been collected or whether I should move the domain+cert to the new host so the sample URL stays available after that date.
Hi Stefan. Seeing as the time frame to address this bug is unknown, we'd certainly appreciate a staging URL with the problem for as long as you can provide it. If you have to take it down and - for some reason - can't make a new one, then I guess it'll just be up to us to recreate it or fix it without a sample. Thank you for your patience!
Hi Matt. Moved the domain+cert to the new host. Issue still replicated for me after that so take your time ;) Description above still applies. Only thing that should be different is that there's now no basic auth to abort but that didn't matter anyways.
Group: core-security → dom-core-security
I can't reproduce this on desktop or mobile. We've made a number of changes to how the site identity area works, so I imagine we unintentionally fixed this while doing that.
Closed: 8 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.