Open Bug 1112408 Opened 10 years ago Updated 2 years ago

Firefox should highlight the case of connecting to a server that has a stored security exception and encountering a different certificate than the one stored

Categories

(Firefox :: Security, defect)

People

(Reporter: reuben, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want)

STR:
1) Connect to https://foo.example which uses a self-signed cert
2) Add permanent exception
3) An attacker redirects foo.example to their own server, with a different self-signed cert

In this case, Firefox shows the normal error page with the new certificate. We should highlight the fact that the user stored an exception before but the certificate has changed, as it could indicate something fishy is going on.
Summary: Firefox should highlight when connecting to a server that has a stored security exception but changed its certificate → Firefox should highlight the case of connecting to a server that has a stored security exception and encountering a different certificate than the one stored
Thanks for filing this, Reuben.
Blocks: 1029832
Keywords: sec-want
This should probably be a Core PSM or Core Security UI bug. If we can present the warning and allow overrides through the in-content error page then it will be usable in non-Firefox contexts (e.g. Firefox OS, SeaMonkey, Thunderbird, etc). WDYT David?
Flags: needinfo?(dkeeler)
Seems reasonable, but I'm not sure what you mean by the in-content error page. If you're talking about about:certerror, my understanding of how that is implemented is basically that each product has to re-implement it (so there's really no sharing). See e.g. http://dxr.mozilla.org/mozilla-central/search?q=path%3AaboutCerterror.xhtml&case=true
Flags: needinfo?(dkeeler)
Severity: normal → S3
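The distinction this bug asks the error page to make, sketched as an added example (not Firefox or PSM code, and not part of the original thread): a certificate that fails verification is classified against a store of user exceptions, so the "exception exists but the certificate differs" case is separated from a first visit. `ExceptionStore`, `Verdict`, the host:port keying and the SHA-256 fingerprint comparison are assumptions made for illustration, and the certificate bytes are constructed stand-ins.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    NO_EXCEPTION = "untrusted certificate, no stored exception"
    EXCEPTION_MATCHES = "stored exception covers this certificate"
    EXCEPTION_CHANGED = "stored exception exists, but the certificate differs"


def fingerprint(der: bytes) -> str:
    # Identify a certificate by the SHA-256 hash of its DER encoding.
    return hashlib.sha256(der).hexdigest()


def site_key(host: str, port: int = 443) -> str:
    # Assumption: exceptions are scoped to host and port; normalise case and trailing dot.
    return f"{host.rstrip('.').lower()}:{port}"


class ExceptionStore:
    def __init__(self):
        self._entries = {}

    def remember(self, host, port, der):
        # "Add permanent exception": pin the exact certificate the user accepted.
        self._entries[site_key(host, port)] = fingerprint(der)

    def classify(self, host, port, presented_der):
        """Classify a certificate that has already failed normal verification."""
        stored = self._entries.get(site_key(host, port))
        if stored is None:
            return Verdict.NO_EXCEPTION
        if stored == fingerprint(presented_der):
            return Verdict.EXCEPTION_MATCHES
        # The case from the STR: same site, exception on file, different certificate.
        return Verdict.EXCEPTION_CHANGED


# Constructed stand-ins for DER-encoded certificates (not real certificates).
ORIGINAL_CERT = b"constructed: foo.example self-signed cert accepted by the user"
REPLACED_CERT = b"constructed: foo.example self-signed cert with a different key"

store = ExceptionStore()
store.remember("foo.example", 443, ORIGINAL_CERT)  # STR step 2

if __name__ == "__main__":
    for label, der in (("original", ORIGINAL_CERT), ("replaced", REPLACED_CERT)):
        print(label, "->", store.classify("foo.example", 443, der).value)
```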