Wrong "Verified by" and organisation information shown in the URL bar for expired SSL certificate

RESOLVED WORKSFORME

Status

Core Graveyard
Security: UI
RESOLVED WORKSFORME
4 years ago
26 days ago

People

(Reporter: Stefan H., Unassigned)

Tracking

({csectype-spoof, sec-low})

22 Branch
x86_64
All
csectype-spoof, sec-low

Firefox Tracking Flags

(firefox23 affected, firefox24 affected, firefox25 affected, firefox26 affected, firefox-esr17 affected)

Details

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
Created attachment 788697 [details]
URL-bar with mouse-over displaying wrong information

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130627161625

Steps to reproduce:

1. Open https://whatever.dbclan.de/
2. Add a security exception (abort the following basic auth, it has no effect)
3. Open any SSL (extended validation) verified site (e.g. https://www.paypal.com) in another tab
4. Switch back to the old tab
5. For extended validation certificates pay attention to the organisation name in the bar. In any case mouse-over and then click the lock icon in the URL bar and read the "Verified by" lines.

Tested on Windows 8 (FF v24) and Ubuntu 13.04 (FF v22) in safe mode. Whether the exception is permanent doesn't seem to matter. The Root CA (CACert) is not in my store, also the certificate of whatever.dbclan.de is expired and does not apply to the domain though the latter doesn't seem to matter.

As you need to add a security exception I don't think this is a real security issue. As I can't be sure I chose to err on the side of caution. Feel free to remove the flag if it doesn't apply.


Actual results:

For extended validation certificates the old organisation name is still shown in the url bar. The text and lock is no longer green though. In any case the "Verified by" lines shown in the mouse-over and the pop-over displayed on-click displays the "Verified by" line of the previously shown tab (e.g. "VeriSign, Inc."). The "More information" dialog shows the correct information ("Root CA"). 


Expected results:

No organisation name should be shown in the URL for that domain. The same verified by line should be shown in mouse-over, first-click and the "More information" dialog. Under no circumstances should a "Verified by" line not refer to the tab currently being displayed.
Component: Untriaged → Security: UI
Product: Firefox → Core
Flags: needinfo?(mwobensmith)
All branches 17+ and all platforms. Someone needs to confirm on Fennec, however, as that UI is likely different.
Status: UNCONFIRMED → NEW
status-firefox23: --- → affected
status-firefox24: --- → affected
status-firefox25: --- → affected
status-firefox26: --- → affected
status-firefox-esr17: --- → affected
Ever confirmed: true
Flags: needinfo?(mwobensmith)
OS: Linux → All
Keywords: sec-low
Keywords: csec-spoof
(Reporter)

Comment 2

4 years ago
Hi. As the server hosting the domain with the old certificate (whatever.dbclan.de) is going to shutdown on the 14th this month I was wondering whether all needed data for this bug has already been collected or whether I should move the domain+cert to the new host so the sample URL stays available after that date.
Hi Stefan. Seeing as the time frame to address this bug is unknown, we'd certainly appreciate a staging URL with the problem for as long as you can provide it. If you have to take it down and - for some reason - can't make a new one, then I guess it'll just be up to us to recreate it or fix it without a sample. Thank you for your patience!
(Reporter)

Comment 4

4 years ago
Hi Matt. Moved the domain+cert to the new host. Issue still replicated for me after that so take your time ;) Description above still applies. Only thing that should be different is that there's now no basic auth to abort but that didn't matter anyways.
Blocks: 950073
No longer blocks: 950073

Updated

2 years ago
Group: core-security → dom-core-security
I can't reproduce this on desktop or mobile. We've made a number of changes to how the site identity area works, so I imagine we unintentionally fixed this while doing that.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WORKSFORME
(Assignee)

Updated

a year ago
Product: Core → Core Graveyard
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.