Open Bug 913787 Opened 12 years ago Updated 3 years ago

OCSP servers DNS names should only be looked up as FQDN

Categories

(Core :: Security, defect)

24 Branch
defect

Tracking

()

UNCONFIRMED

People

(Reporter: bjoern, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 2013081600

Steps to reproduce:

I looked at tons of DNS lookups being done by Firefox/Thunderbird.

Actual results:

Looking at Wireshark for useless DNS lookups reveals insane (and maybe dangerous) DNS lookups like "ocsp.startssl.com.my.dns.searchlist".

Expected results:

Firefox and Thunderbird should always look up the DNS names of OCSP servers as FQDN (with trailing dot). The DNS search list should not be used as it might lead to faked servers or be used for DoS attacks in those environments for SSL sites that use OCSP. In any case it is also useless traffic that is being generated.
Component: Untriaged → Security
OS: Linux → All
Hardware: x86 → All
Product: Firefox → Core
Severity: normal → S3
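
The behaviour requested in this report, as an added Python example that is not part of the bug report and not Mozilla code: it roots the OCSP responder host with a trailing dot and models which names a stub resolver would query with and without it. The responder URL, the function names and the simplified search-list model (the `ndots` rule described in resolv.conf(5)) are assumptions; the host name and search suffix are taken from the report.

```python
import ipaddress
from urllib.parse import urlsplit

SEARCH = ["my.dns.searchlist"]      # search suffix quoted in the report
URL = "http://ocsp.startssl.com/"   # constructed URL; host from the report


def absolute_host(url):
    """Return the host of an OCSP responder URL as a rooted DNS name."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no host in URL: %r" % url)
    try:
        ipaddress.ip_address(host)
        return host                 # IP literal: no DNS lookup involved
    except ValueError:
        pass
    return host if host.endswith(".") else host + "."


def resolver_candidates(name, search, ndots=1):
    """Names a stub resolver may query, in order (simplified model)."""
    if name.endswith("."):
        return [name]               # rooted name: search list never applied
    expanded = ["%s.%s." % (name, d.strip(".")) for d in search]
    as_is = [name + "."]
    # With at least `ndots` dots the name is tried as-is first; the search
    # list is still walked if that query fails. Otherwise the search list
    # is tried before the name itself.
    if name.count(".") >= ndots:
        return as_is + expanded
    return expanded + as_is


def compare(url=URL, search=SEARCH, ndots=1):
    """Candidate queries for the relative host versus the rooted host."""
    relative = urlsplit(url).hostname.rstrip(".")
    return (resolver_candidates(relative, search, ndots),
            resolver_candidates(absolute_host(url), search, ndots))


if __name__ == "__main__":
    relative, rooted = compare()
    print("relative:", relative)
    print("rooted:  ", rooted)
```
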