Closed Bug 556294 Opened 15 years ago Closed 15 years ago

SSL Error Message for https://mozilla.com and https://mozilla.org

Categories

(mozilla.org Graveyard :: Server Operations, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 398923

People

(Reporter: mcoates, Unassigned)

Details

Issue

A domain mismatch SSL error is presented to any user browsing to https://mozilla.com or https://mozilla.org. Our wildcard certificate is valid for *.mozilla.com or *.mozilla.org. This works great for all situations including https://www.mozilla.com. However, it does not accommodate the scenario where a user specifically types https://mozilla.com (or a link is created to that location).

This scenario can create a risk if users regularly see the SSL error message and become trained to click through the error. This may make them more prone to a MITM attack against a site where they actually enter sensitive information. In addition, SSL error messages can result in bad press amongst the technical community.

To reproduce: Browse to https://mozilla.com/en-US/firefox/personal.html or https://mozilla.org

Recommended Remediation

There are two methods to remediate this issue:
1. Purchase an additional certificate for https://mozilla.com and https://mozilla.org
2. Use redirects or server rewrites to automatically send a user to the "www" version of the https page. In order to avoid the SSL error message this must be designed so the user is redirected before the SSL handshake occurs. (See https://mozilla.org/access which redirects to http://www.mozilla.org/access)
This is not a security issue.

(In reply to comment #0)
> There are two methods to remediate this issue:
> 1. Purchase an additional certificate for https://mozilla.com and
> https://mozilla.org

See bug 398923 and related bugs.

> 2. Use redirects or server rewrites to automatically send a user to the "www"
> version of the https page. In order to avoid the SSL error message this must be
> designed so the user is redirected before the SSL handshake occurs. (See
> https://mozilla.org/access which redirects to http://www.mozilla.org/access)

That is not possible.
Assignee: nobody → server-ops
Group: websites-security
Status: NEW → RESOLVED
Closed: 15 years ago
Component: www.mozilla.com → Server Operations
Product: Websites → mozilla.org
QA Contact: www-mozilla-com → mrz
Resolution: --- → DUPLICATE
Version: unspecified → other
Not sure I agree with the claim this isn't a security issue. The situation can be leveraged by attackers to the detriment of our users.

Re suggestion 2, a valid cert is required via subject alternate name or separate cert. So, agreed - wouldn't be possible in current situation.

Nonetheless, it is a duplicate.
Product: mozilla.org → mozilla.org Graveyard
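The name-matching rule behind this bug (comment #0's wildcard cert, and the last comment's point that only a SAN entry or a separate cert fixes it) can be checked directly. The following is an added example, not code from the bug or from Mozilla's servers: it applies the RFC 6125-style wildcard rules that browsers use and reports which hostnames would hit the mismatch error under the wildcard-only certificate versus one that also lists the bare domains as SANs. All certificate names and hostnames below are constructed inputs mirroring the report.

```python
# Added example (not from the bug report): RFC 6125-style hostname matching
# against a certificate's DNS names, showing why "*.mozilla.com" covers
# "www.mozilla.com" but not the bare "mozilla.com".


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against one pattern label ("*" means any single label)."""
    return pattern == "*" or pattern == label


def hostname_matches(hostname: str, san_names) -> bool:
    """Return True if hostname is covered by any DNS name in san_names.

    Rules (as in RFC 6125 and browser behaviour):
      * comparison is case-insensitive and a trailing dot is ignored;
      * a wildcard is honoured only as the entire leftmost label ("*.example.com");
      * the wildcard matches exactly one label, so it never covers the bare
        domain ("example.com") or deeper names ("a.b.example.com").
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        pat_labels = name.lower().rstrip(".").split(".")
        # Label counts must agree: a wildcard never spans or omits a label.
        if len(pat_labels) != len(host_labels) or len(pat_labels) < 2:
            continue
        # Reject "*" anywhere except as the whole leftmost label (e.g. "w*.x.com").
        if any("*" in p for p in pat_labels[1:]) or (
            "*" in pat_labels[0] and pat_labels[0] != "*"
        ):
            continue
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def mismatched_hosts(hostnames, san_names):
    """List the hostnames that would trigger a certificate name-mismatch error."""
    return [h for h in hostnames if not hostname_matches(h, san_names)]


# Constructed inputs mirroring the bug: the wildcard cert vs. hosts users type.
WILDCARD_ONLY = ["*.mozilla.com", "*.mozilla.org"]
WITH_BARE_SAN = WILDCARD_ONLY + ["mozilla.com", "mozilla.org"]  # remediation 1
HOSTS = ["www.mozilla.com", "mozilla.com", "mozilla.org", "a.b.mozilla.com"]

if __name__ == "__main__":
    print("wildcard only  ->", mismatched_hosts(HOSTS, WILDCARD_ONLY))
    print("with bare SANs ->", mismatched_hosts(HOSTS, WITH_BARE_SAN))
```

The second run still flags a.b.mozilla.com, which shows the other limit of a single-level wildcard that a SAN list has to cover explicitly.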