Bug 1112408 (Open)
Opened 10 years ago, updated 2 years ago
Firefox should highlight the case of connecting to a server that has a stored security exception and encountering a different certificate than the one stored
Categories: Firefox :: Security, defect
Tracking: NEW
People: Reporter: reuben, Unassigned
References: Blocks 1 open bug
Details: Keywords: sec-want
STR:
1) Connect to https://foo.example which uses a self-signed cert
2) Add permanent exception
3) An attacker redirects foo.example to their own server, with a different self-signed cert
In this case, Firefox shows the normal error page with the new certificate. We should highlight the fact that the user stored an exception before but the certificate has changed, as it could indicate something fishy is going on.
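The distinction requested above can be sketched as a three-way classification made when certificate verification fails. This is an added example, not part of the original bug report and not Firefox code; `OverrideStore`, its methods and the state names are hypothetical, and the store is assumed to key exceptions by host and port with a SHA-256 fingerprint.

```javascript
// Added illustration; OverrideStore and its method names are hypothetical,
// not Firefox's certificate override service.
const nodeCrypto = require("node:crypto");

// SHA-256 fingerprint of a DER-encoded certificate, as colon-separated hex.
function fingerprint(der) {
  const hex = nodeCrypto.createHash("sha256").update(der).digest("hex");
  return hex.toUpperCase().match(/.{2}/g).join(":");
}

class OverrideStore {
  constructor() {
    this.entries = new Map(); // "host:port" -> fingerprint of the excepted cert
  }

  static key(host, port = 443) {
    return `${host.toLowerCase()}:${port}`;
  }

  // Step 2 of the STR: the user adds a permanent exception for this cert.
  addException(host, port, der) {
    this.entries.set(OverrideStore.key(host, port), fingerprint(der));
  }

  // Called when certificate verification fails for host:port.
  classify(host, port, der) {
    const stored = this.entries.get(OverrideStore.key(host, port));
    const presented = fingerprint(der);
    if (stored === undefined) {
      return { state: "no-exception", presented };
    }
    if (stored === presented) {
      return { state: "exception-matches", presented };
    }
    // The case the bug asks to highlight: an exception exists, but for a
    // different certificate than the one the server just presented.
    return { state: "exception-cert-changed", stored, presented };
  }
}

// Constructed sample inputs: stand-in byte strings, not real certificates.
const originalCert = Buffer.from("constructed-self-signed-cert-A");
const otherCert = Buffer.from("constructed-self-signed-cert-B");

function demo() {
  const store = new OverrideStore();
  store.addException("foo.example", 443, originalCert);
  return [
    store.classify("FOO.example", 443, originalCert).state,
    store.classify("foo.example", 443, otherCert).state,
    store.classify("bar.example", 443, otherCert).state,
  ];
}
```

An error page could use the `exception-cert-changed` state to show both fingerprints side by side instead of the generic untrusted-certificate text.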
Reporter • Updated 10 years ago
Summary: Firefox should highlight when connecting to a server that has a stored security exception but changed its certificate → Firefox should highlight the case of connecting to a server that has a stored security exception and encountering a different certificate than the one stored
Thanks for filing this, Reuben.
Blocks: 1029832
Comment 2 • 10 years ago
This should probably be a Core PSM or Core Security UI bug. If we can present the warning and allow overrides through the in-content error page then it will be usable in non-Firefox contexts (e.g. Firefox OS, SeaMonkey, Thunderbird, etc).
WDYT David?
Flags: needinfo?(dkeeler)
Seems reasonable, but I'm not sure what you mean by the in-content error page. If you're talking about about:certerror, my understanding of how that is implemented is basically that each product has to re-implement it (so there's really no sharing). See e.g. http://dxr.mozilla.org/mozilla-central/search?q=path%3AaboutCerterror.xhtml&case=true
Flags: needinfo?(dkeeler)
Updated • 2 years ago
Severity: normal → S3