Closed
Bug 903855
Opened 10 years ago
Closed 7 years ago
Wrong "Verified by" and organisation information shown in the URL bar for expired SSL certificate
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(firefox23 affected, firefox24 affected, firefox25 affected, firefox26 affected, firefox-esr17 affected)
People
(Reporter: dd0t, Unassigned)
Details
(Keywords: csectype-spoof, sec-low)
Attachments
(1 file)
9.40 KB,
image/png
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130627161625

Steps to reproduce:
1. Open https://whatever.dbclan.de/
2. Add a security exception (abort the following basic auth, it has no effect)
3. Open any SSL (extended validation) verified site (e.g. https://www.paypal.com) in another tab
4. Switch back to the old tab
5. For extended validation certificates pay attention to the organisation name in the bar. In any case mouse-over and then click the lock icon in the URL bar and read the "Verified by" lines.

Tested on Windows 8 (FF v24) and Ubuntu 13.04 (FF v22) in safe mode. Whether the exception is permanent doesn't seem to matter. The Root CA (CACert) is not in my store; also the certificate of whatever.dbclan.de is expired and does not apply to the domain, though the latter doesn't seem to matter.

As you need to add a security exception I don't think this is a real security issue. As I can't be sure I chose to err on the side of caution. Feel free to remove the flag if it doesn't apply.

Actual results:
For extended validation certificates the old organisation name is still shown in the URL bar. The text and lock are no longer green though. In any case the "Verified by" lines shown in the mouse-over and the pop-over displayed on-click display the "Verified by" line of the previously shown tab (e.g. "VeriSign, Inc."). The "More information" dialog shows the correct information ("Root CA").

Expected results:
No organisation name should be shown in the URL for that domain. The same "Verified by" line should be shown in mouse-over, first-click and the "More information" dialog. Under no circumstances should a "Verified by" line not refer to the tab currently being displayed.
Updated•10 years ago
Component: Untriaged → Security: UI
Product: Firefox → Core
Updated•10 years ago
Flags: needinfo?(mwobensmith)
Comment 1•10 years ago
All branches 17+ and all platforms. Someone needs to confirm on Fennec, however, as that UI is likely different.
Status: UNCONFIRMED → NEW
status-firefox23:
--- → affected
status-firefox24:
--- → affected
status-firefox25:
--- → affected
status-firefox26:
--- → affected
status-firefox-esr17:
--- → affected
Ever confirmed: true
Flags: needinfo?(mwobensmith)
OS: Linux → All
Updated•10 years ago
Keywords: csec-spoof
Hi. As the server hosting the domain with the old certificate (whatever.dbclan.de) is going to shut down on the 14th this month, I was wondering whether all needed data for this bug has already been collected or whether I should move the domain+cert to the new host so the sample URL stays available after that date.
Comment 3•10 years ago
Hi Stefan. Seeing as the time frame to address this bug is unknown, we'd certainly appreciate a staging URL with the problem for as long as you can provide it. If you have to take it down and - for some reason - can't make a new one, then I guess it'll just be up to us to recreate it or fix it without a sample. Thank you for your patience!
Hi Matt. Moved the domain+cert to the new host. Issue still replicated for me after that so take your time ;) Description above still applies. Only thing that should be different is that there's now no basic auth to abort but that didn't matter anyways.
Updated•10 years ago
Blocks: fxdesktopbacklog
Updated•9 years ago
No longer blocks: fxdesktopbacklog
Updated•8 years ago
Group: core-security → dom-core-security
I can't reproduce this on desktop or mobile. We've made a number of changes to how the site identity area works, so I imagine we unintentionally fixed this while doing that.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Updated•7 years ago
Product: Core → Core Graveyard
Updated•6 years ago
Group: dom-core-security