Bug 1214082: URL bar highlighting for EV certs truncates long org names
Status: RESOLVED WONTFIX (Opened 9 years ago, Closed 7 years ago)
Categories: (Firefox :: Address Bar, defect, P3)
People: (Reporter: javaun, Unassigned)
Details: (Whiteboard: [fxprivacy])
Attachments: (1 file) (deleted), image/jpeg
Firefox is truncating the EV org name highlighting for organizations with very long business entity names. This is a potential security issue.
An example is the Washington. Here's a sample page to see the EV cert truncated.
https://www.washingtonpost.com/blogs/capital-weather-gang/wp/2015/10/01/hurricane-joaquin-strengthens-and-track-shifts-east-flood-threat-for-east-coast/?tid=pm_local_pop_b
Chrome and Opera expand the green org name highlight, which pushes the rest of the address bar to the right.
Reporter
Updated•9 years ago
Whiteboard: [fxprivacy][triage]
Reporter
Comment 1•9 years ago
Comment 2•9 years ago
What happens on Chrome and Opera if the org name is longer than the address bar?
Updated•9 years ago
Priority: -- → P3
Whiteboard: [fxprivacy][triage] → [fxprivacy]
Comment 3•9 years ago
For reference, it looks like this behaviour was intentionally introduced in Bug 429722 and Bug 455334.
Comment 4•8 years ago
I think we should wontfix this. You can get the complete security information by clicking the blob. We should make sure we leave enough space for the URL. Tanvi, thoughts?
Flags: needinfo?(tanvi)
Updated•8 years ago
Component: General → Location Bar
Comment 5•7 years ago
I say won't fix. cc'ing jsavory as well. And jcjones who may have a better idea of whether or not this is a real phishing risk.
Flags: needinfo?(tanvi)
Flags: needinfo?(jsavory)
Flags: needinfo?(jjones)
Comment 6•7 years ago
The risk is about name confusable EV organization names being used for phishing. In theory, CAs issuing EV certificates should be aggressively evaluating company name similarities before issuing certificates, which would mitigate to some extent.
Anyway, I'm comfortable with the risk/reward calculus here going to wontfix since CAs are on the hook to protect EV certs from use in phishing, and this is how we've always worked.
Flags: needinfo?(jjones)
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Updated•7 years ago
Flags: needinfo?(jsavory)
Comment 8•7 years ago
Personally I don't agree with this wontfix:
- I would agree with you if there wasn't a maximum length for the Organization Name. However there is a maximum length and it is only 64 characters. **It's not difficult to accommodate 64 characters in the address bar.**
- The other browsers (e.g. Chrome, Safari) are not truncating the text.
- The full name would make the browsing safer.
- The full name would also be esthetically pleasing (compared to the truncated name).