Closed Bug 481571
Opened 16 years ago, closed 5 years ago
location bar displays site identity as tld, even though cert is only valid for subdomain
Categories: Firefox :: Security, defect
Status: RESOLVED INVALID
People: Reporter: sayrer, Assigned: johnath
Keywords: sec-want, Whiteboard: [sg:want]
bugzilla.mozilla.org's cert is valid for *.mozilla.org
mail.google.com's cert is valid for mail.google.com
The location bar display for mail.google.com is wrong.
Updated•16 years ago
Component: Location Bar and Autocomplete → Security
OS: Mac OS X → All
QA Contact: location.bar → firefox
Hardware: x86 → All
Updated•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Comment 2•16 years ago (Reporter)
This isn't quite the same as bug 471802.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 3•16 years ago (Reporter)
This isn't quite the same as bug 471802.
Comment 4•16 years ago
Oh, you want browser.identity.ssl_domain_display set to 2 (host) instead of 1 (domain) by default, at least for the non-wildcard case?
Comment 5•16 years ago
That would be wrong perhaps. First of all google uses a really backward certificate with no SAN entries. Setting the pref to 2 would be wrong too for a site which has entries like
domain.com
sub.domain.com
more.domain.com
in the certificate's SAN DNS extension.
Comment 6•16 years ago
I don't think it's a problem for the location bar to show only the base domain, it's a space-saving compromise that positively indicates the SSL state (a few blue pixels was insufficient) while secondarily helping users parse the most significant parts of the domain (as "Locationbar2" was supposed to do). Showing the full host can take up too much space as well as help phishers by pushing incriminating clues out of view.
Larry, however, shouldn't compromise. If users click Larry open to get detailed information then Larry should give them that detail and tell the user exactly what we have validated. That is the bug, IMHO.
Comment 7•16 years ago
(In reply to comment #6)
> while secondarily helping users parse the most
> significant parts of the domain (as "Locationbar2" was supposed to do).
bug 451833, btw.
Comment 9•16 years ago
Now that the almost (but not quite) redundant SSL hostname is being taken out of the status bar does that raise the importance of having Larry not lie when you open him? For this site he says "You are connected to mozilla.org". I am not, I am "connected" to bugzilla.mozilla.org.
It may be run by the same folks, but if that's what we mean we could change the wording to "You are connected to a host which may be run by mozilla.org. (Or maybe not, but mozilla.org could MITM it anyway)"
Assignee: nobody → johnath
Flags: blocking-firefox3.5?
Whiteboard: [sg:want]
Comment 10•16 years ago (Assignee)
Dan - so I think what you're asking for is different from the original request in this bug, isn't it? I think the original request was that the location bar display reflect the degree-of-verification in the cert, whereas you seem to be proposing that the popup reflect the actual domain, regardless of the cert content.
It's a trivial change to have the popup include the full domain (without inspecting the cert, I mean), but I wonder if that is just going to be differently confusing, to have the two pieces of the same UI saying different things?
Comment 11•16 years ago
Not blocking, but we'd take a patch that does what comment 1 implies, which is:
In the identity button, always show the smaller piece (eTLD)
In Larry's drop down:
- for wildcard certs, show the part after the wildcard
- for non-wildcard certs, show the domain for which the cert applies
Flags: wanted-firefox3.5+
Flags: blocking-firefox3.5?
Flags: blocking-firefox3.5-
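The display rule comment 11 describes, written out as an added Python example (not Firefox's own code): the host is matched against the certificate's SAN DNS entries (falling back to the CN when there are none, as in the mail.google.com case from comment 5), a wildcard covers exactly one leftmost label, and the Larry detail is taken from the matched entry. The identity-button value is approximated here by the last two labels, which is an assumption; Firefox derives the eTLD from the Public Suffix List.

```python
from typing import Dict, List, Optional


def matches_name(pattern: str, host: str) -> bool:
    """Match a host against one certificate name.

    A wildcard is accepted only as the whole leftmost label and covers
    exactly one label, so "*.mozilla.org" matches "bugzilla.mozilla.org"
    but neither "mozilla.org" nor "a.b.mozilla.org".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, tail = host.partition(".")
        return bool(sep) and head != "" and tail == pattern[2:]
    return pattern == host


def identity_button(host: str) -> str:
    """Assumption: eTLD+1 approximated by the last two labels.
    Real browsers consult the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def identity_display(host: str, san_dns: List[str],
                     cn: Optional[str] = None) -> Optional[Dict[str, object]]:
    """Return what the identity UI should say for this host and cert.

    SAN dNSName entries take precedence; the CN is used only when the
    certificate carries no SAN entries. Returns None if nothing matches.
    """
    names = list(san_dns) if san_dns else ([cn] if cn else [])
    for name in names:
        if matches_name(name, host):
            wildcard = name.startswith("*.")
            return {
                "button": identity_button(host),        # always the small piece
                "larry": name[2:] if wildcard else name,  # detail per comment 11
                "matched": name,
                "wildcard": wildcard,
            }
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the two certificates from the report.
    print(identity_display("bugzilla.mozilla.org", ["*.mozilla.org"]))
    print(identity_display("mail.google.com", [], cn="mail.google.com"))
```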
Comment 12•5 years ago
(Working my way through old security bugs) I think this is invalid now, do you agree?
Flags: needinfo?(jhofmann)
Comment 13•5 years ago
Yeah
Status: REOPENED → RESOLVED
Closed: 16 years ago → 5 years ago
Flags: needinfo?(jhofmann)
Resolution: --- → INVALID