Closed Bug 955752 Opened 7 years ago Closed 5 years ago

superstarracing.net does not send complete cert chain (and is POODLE vulnerable)

Categories

(Web Compatibility :: Desktop, defect)

x86_64
Windows 8.1
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: lainema, Unassigned)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

Visit https://superstarracing.net/shop. It should be trusted under alias ("Certificate Subject Alt Name") from extended verification root name shop.superstarracing.net, but it is not.


Actual results:

Cannot visit the website at all, cannot even make an exception to security settings.


Expected results:

It should have worked/loaded/trusted straight away (works with IE/Chrome/Opera).

I tested the web site with Firefox 28.0 and with Firefox 31.0 Nightly with mozilla::pkix. On both, the page was shown and EV-validated. Can you still reproduce the problem with a newer Firefox version?

A freshly installed Windows 8 with 8.1 patch, with a freshly downloaded Firefox still produces the same issue. When expanding the technical portion of the untrust:

Technical Details

superstarracing.net uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

Mozilla 29.0

Opens to display page and sign in with Google Chrome using Version 34.0.1847.116 (260972)

Warning provided with MozillaFirefox Version: 29.0-20.1 Arch: x86_64 Vendor: openSUSE

According to https://www.ssllabs.com/ssltest/analyze.html?d=superstarracing.net, this site doesn't send the complete cert chain - the intermediate is not sent.

(In reply to RINNTECH from comment #1)
> I tested the web site with Firefox 28.0 and with Firefox 31.0 Nightly with
> mozilla::pkix. On both, the page was shown and EV-validated. Can you still
> reproduce the problem with a newer Firefox version?

(In reply to Juha Lainema from comment #2)
> A freshly installed windows 8 with 8.1 patch, with a freshly downloaded
> firefox still produces the same issue. When expanding the technical portion
> of the untrust:
> 
> Technical Details
> 
> superstarracing.net uses an invalid security certificate. The certificate is
> not trusted because no issuer chain was provided. (Error code:
> sec_error_unknown_issuer)

Seems likely that this is due to the intermediate caching that Firefox does. Connections will fail in fresh profiles because the server doesn't correctly send the intermediate, and it hasn't been cached from another source yet.

Status: UNCONFIRMED → NEW
Component: General → Desktop
Ever confirmed: true
Product: Core → Tech Evangelism
Summary: SSL Extended validation using startssl certificate with domain prefix aliases is not trusted → superstarracing.net does not send complete cert chain (and is POODLE vulnerable)
Version: 26 Branch → unspecified
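
The failure described in the comment above on intermediate caching can be reproduced offline; this is an added example, not part of the original bug report. It generates a constructed root -> intermediate -> leaf chain with `openssl` and verifies the leaf as a client trusting only the root would. All names and paths are made up, and the `-untrusted` pool stands in for intermediates that the server sent or that the client already had cached.

```shell
#!/bin/sh
# Added example: constructed PKI (root -> intermediate -> leaf); every name is made up.

new_csr() {  # new_csr <dir> <name> <CN>: fresh key plus certificate request
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_pki() {  # make_pki <dir>: writes root.pem, int.pem and leaf.pem into <dir>
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:shop.example.test\n' > "$d/leaf.ext"
    new_csr "$d" root 'Constructed Root CA'
    new_csr "$d" int 'Constructed Intermediate CA'
    new_csr "$d" leaf 'shop.example.test'
    # Self-signed root: the only certificate the client trusts.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate signed by the root; leaf signed by the intermediate.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# client_verify <dir> [intermediates.pem]: build a path from leaf.pem to the trusted
# root. The optional pool models intermediates the server sent OR the client had
# cached; with no pool this is a fresh profile talking to a leaf-only server.
client_verify() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1) || true
    fi
    case $out in *': OK'*) echo ok ;; *) echo fail ;; esac
}

demo() {
    dir=$(mktemp -d) && make_pki "$dir"
    echo "leaf only, no cached intermediate: $(client_verify "$dir")"
    echo "leaf plus intermediate available:  $(client_verify "$dir" "$dir/int.pem")"
    rm -rf "$dir"
}
demo
```

On the server side the fix is to serve the leaf followed by the intermediate, so that validation does not depend on what the client has seen before.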

The certificate has expired
Tue, 02 Dec 2014 10:03:06 UTC (expired 1 year and 8 months ago) EXPIRED
https://www.ssllabs.com/ssltest/analyze.html?d=superstarracing.net&s=5.189.152.97
It's the same on all browsers.


It doesn't seem to be maintained at all. 
If I go to http://superstarracing.net/
latest news 28th June 2011

Forum link dead.
http://forums.miniclip.com/forumdisplay.php?f=324/

footer showing a 2010.


I will close as WONTFIX

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Product: Tech Evangelism → Web Compatibility