Closed Bug 1214082 Opened 9 years ago Closed 7 years ago

URL bar highlighting for EV certs truncates long org names

Categories

(Firefox :: Address Bar, defect, P3)

RESOLVED WONTFIX

People

(Reporter: javaun, Unassigned)

References

Details

(Whiteboard: [fxprivacy])

Attachments

(1 file)

Firefox is truncating the EV org name highlighting for organizations with very long business entity names. This is a potential security issue. An example is the Washington. Here's a sample page to see the EV cert truncated:
https://www.washingtonpost.com/blogs/capital-weather-gang/wp/2015/10/01/hurricane-joaquin-strengthens-and-track-shifts-east-flood-threat-for-east-coast/?tid=pm_local_pop_b
Chrome and Opera expand the green org name highlight, which pushes the rest of the address bar to the right.
Whiteboard: [fxprivacy][triage]
Attached image ev_cert_bar.jpg (deleted)
What happens on Chrome and Opera if the org name is longer than the address bar?
Priority: -- → P3
Whiteboard: [fxprivacy][triage] → [fxprivacy]
Blocks: 1216897
For reference, it looks like this behaviour was intentionally introduced in Bug 429722 and Bug 455334.
I think we should wontfix this. You can get the complete security information by clicking the blob. We should make sure we leave enough space for the URL. Tanvi, thoughts?
Flags: needinfo?(tanvi)
Component: General → Location Bar
I say won't fix. cc'ing jsavory as well. And jcjones who may have a better idea of whether or not this is a real phishing risk.
Flags: needinfo?(tanvi)
Flags: needinfo?(jsavory)
Flags: needinfo?(jjones)
The risk is about name confusable EV organization names being used for phishing. In theory, CAs issuing EV certificates should be aggressively evaluating company name similarities before issuing certificates, which would mitigate to some extent. Anyway, I'm comfortable with the risk/reward calculus here going to wontfix since CAs are on the hook to protect EV certs from use in phishing, and this is how we've always worked.
Flags: needinfo?(jjones)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Flags: needinfo?(jsavory)
Personally I don't agree with this wontfix:
- I would agree with you if there wasn't a maximum length for the Organization Name. However there is a maximum length and it is only 64 characters. **It's not difficult to accommodate 64 characters in the address bar.**
- The other browsers (e.g. Chrome, Safari) are not truncating the text.
- The full name would make the browsing safer.
- The full name would also be esthetically pleasing (compared to the truncated name).
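Added example, not part of the bug thread and not Firefox code: a small script that makes concrete both the phishing risk jjones describes (distinct organization names that become indistinguishable once the address bar truncates them) and the 64-character bound cited in the last comment. The 64-character limit is the real X.520 upper bound `ub-organization-name` as restated in RFC 5280 Appendix A; the display width, the truncation style (keep the first characters, append an ellipsis) and the organization names are constructed assumptions for the example only.

```python
"""Show how truncating the EV organization name in a fixed-width address-bar
label can make distinct organizations look identical, and why a label that
fits the X.520 maximum removes that collision class.

Added example, not Firefox code. Assumptions: DISPLAY_CHARS is a hypothetical
label budget, the truncation style is a guess, and SAMPLE_ORG_NAMES are made up.
"""

# Real bound: RFC 5280 Appendix A, ub-organization-name INTEGER ::= 64
UB_ORGANIZATION_NAME = 64

# Hypothetical number of characters the address-bar label shows before cutting.
DISPLAY_CHARS = 20

ELLIPSIS = "\u2026"

# Constructed organization names for the example; the first three share a
# long common prefix, the third is over the X.520 bound and must be rejected.
SAMPLE_ORG_NAMES = [
    "Acme Savings and Trust Company of Springfield, Inc.",
    "Acme Savings and Trust Company of Springfield Illinois LLC",
    "Acme Savings and Trust Company of Springfield International Holdings plc",
    "Widget Corp",
]


def exceeds_x520_bound(name: str) -> bool:
    """True when the subject O value is longer than ub-organization-name."""
    return len(name) > UB_ORGANIZATION_NAME


def truncate_org_name(name: str, width: int = DISPLAY_CHARS) -> str:
    """Mimic a fixed-width label: keep width-1 characters, then an ellipsis.

    Names that already fit are returned unchanged.
    """
    if len(name) <= width:
        return name
    return name[: width - 1] + ELLIPSIS


def confusable_groups(names, width: int = DISPLAY_CHARS) -> dict:
    """Map each rendered label to the distinct org names that produce it,
    keeping only labels shared by two or more names (the confusable ones)."""
    rendered = {}
    for name in names:
        rendered.setdefault(truncate_org_name(name, width), []).append(name)
    return {label: full for label, full in rendered.items() if len(full) > 1}


def no_confusables_at_bound(names) -> bool:
    """If every name respects the X.520 bound and the label can show 64
    characters, truncation never happens, so no two names collide."""
    valid = [n for n in names if not exceeds_x520_bound(n)]
    return confusable_groups(valid, UB_ORGANIZATION_NAME) == {}


if __name__ == "__main__":
    print(f"label width {DISPLAY_CHARS}:")
    for label, full in confusable_groups(SAMPLE_ORG_NAMES).items():
        print(f"  {label!r} hides {len(full)} organizations:")
        for name in full:
            flag = "  (exceeds X.520 bound)" if exceeds_x520_bound(name) else ""
            print(f"    {name}{flag}")
    print(f"label width {UB_ORGANIZATION_NAME}, valid names only: "
          f"no collisions = {no_confusables_at_bound(SAMPLE_ORG_NAMES)}")
```

With the assumed 20-character label, the three "Acme Savings and Tr…" names render identically, which is the confusion the thread is weighing; once the label can show 64 characters and over-long names are rejected at issuance, `no_confusables_at_bound` returns True. Note that this only covers prefix collisions caused by truncation; homoglyph or near-identical names within the bound are the separate class the comment leaves to CA vetting.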