new ssl_error_bad_cert_domain error window

Discussion about official Mozilla Firefox builds
sdwilsh
Posts: 563
Joined: November 6th, 2005, 9:46 pm
Location: California

Post by sdwilsh »

bizarrojack wrote: Could we please just work back from possible attack vectors, as opposed to preventing the display of (mostly) harmless content (convincing lies notwithstanding*)?


Sure. I can't tell you how many times I've seen people think that it is safe to enter credit card information on a page solely because there is a little lock icon. I've seen people even think it was safe when the lock was there but not actually in the locked state (like what happens with an invalid cert).
chob
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post by chob »

FWIW
  • #399275 [Core:Security: PSM]-create preference which restores per-page SSL error override option for IT professionals [All]
Please, no advocacy comments!

edit: It also looks like some stuff is going on in
  • #399324 [Firefox:Security]-can't view Microsoft SSL sites because the issuer is unknown [All]
which, if anything comes from it, might make some sites that are currently throwing an SSL error page work as expected.
yagood
Posts: 245
Joined: September 16th, 2005, 10:46 am
Location: Warsaw, Poland

Post by yagood »

Same for:

https://direct.openmoko.com/

Works fine on Firefox 2.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a9pre) Gecko/2007100904 Minefield/3.0a9pre
"This show is taped before live studio audience... as soon as someone removes that dead guy. This is the Colbert Report!"
The Colbert Report @ Wikiquote
TwelveBaud
Posts: 13
Joined: July 23rd, 2005, 9:18 pm

Post by TwelveBaud »

The "Try Again" button on SSL error pages is kinda pointless since in most cases it will always re-fail. ;)
a;skdjfajf;ak
Posts: 17002
Joined: July 10th, 2004, 8:44 am

Post by a;skdjfajf;ak »

Some interesting reading here on this issue:

https://bugzilla.mozilla.org/show_bug.cgi?id=399324

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007101104 Minefield/3.0a9pre Firefox/3.0 ID:2007101104
Gyges
Posts: 364
Joined: January 1st, 2003, 1:28 pm
Location: Lincoln, NE

Post by Gyges »

I ran into this issue at a most surprising place. My local public library. It seems that their certificate for accessing the library's wireless network was invalid. I was eventually able to get in, but I had to load up the library's homepage in IE7, give an email address and install the certificate in IE7.

After a reboot, I could access the library wireless in Minefield.
Turns out it was not an invalid certificate, just one that required a log in.
I even got to keep a copy of the certificate, just in case.
Dorsan
Posts: 109
Joined: July 30th, 2003, 6:10 am

Post by Dorsan »

Arrrgh!!!

I have to add exceptions for every internal self-signed site in my workplace. Sucks.

Firefox is meant to give the web back to the user, not tell them what they can view and not view.

So it's cool to block the website totally from view on this error/warning but the "try again" should have a "But I trust this site anyway" button beside it. Or a "Who do you think you are telling me what I can look at" button.

Sorry, needed to vent.
Firefox 3.6;Thunderbird 3.0; running on Ubuntu 9, Win7, OS X 10.6
aiing
Posts: 20
Joined: February 17th, 2004, 7:16 pm

Post by aiing »

This has pretty much made Minefield unusable at my workplace and I have already had to go back to FF2. The number of hardware devices that have self-signed certs here is a lot and this has effectively blocked access to all of them. The workaround of adding exceptions is stupid and completely unusable.
colfer
Posts: 643
Joined: December 4th, 2002, 9:34 am
Location: Bear

Post by colfer »

Update on the problem of broken SSL sites working sometimes but not other times.
One of the issues discussed in this thread is about sites that validate only if you have already visited another site that has the rest of the cert chain. Biglumber and GoDaddy. Firefox 2 remembers chains until the browser is closed.

I thought Bug 399045 was filed to make it so visiting GoDaddy first will not validate the cert. As it turns out, the bug was fixed to make it so Firefox remembers chains even after the browser is closed. So now visiting GoDaddy will validate the BigLumber broken cert anytime in the future. This matches more or less IE's behavior, and makes it less likely a site will work unpredictably. But there is still some gap between behavior in FF and IE. You still have to visit the "GoDaddy" of the cert once, and a webmaster would be unlikely to know this. IE might work because the user had gone to GoDaddy in IE, but not in Firefox (or was using a fresh profile in Firefox?). That would create a mysterious FF/IE difference, even with the new FF code.

But just to make it extra hard, IE uses an additional validation method for broken cert chains, one that none of the other browsers use, called AIA. See Bug 399324 on that and a discussion on whether to support it.

Are the certs stored in the profile?

All this is about filling in broken chains. It was in memory, now it's in a database.

The lack of override on SSL warnings is another issue, new to Firefox 3. That will be the big argument methinks.
pi-rho
Posts: 12
Joined: July 5th, 2005, 4:36 pm

Post by pi-rho »

chob wrote: If a website can no longer be accessed, then the webmaster should use a valid cert on a properly configured server, or not use SSL at all. Otherwise, what is the point of it?


If you seriously think that the point of SSL is to verify identity, you've already drunk the kool-aid and there is no help for you. The point of SSL is to encrypt a session between endpoints. A valid SSL cert really only means that you paid a big company for a signed block of text.

I think it's great that Mozilla devs wanna protect users from malicious sites, but this 'ssl_error_bad_cert_domain' error page stuff is just stupid. It needs to show a decent error message and give the user options.
Jadugar
Posts: 1774
Joined: April 18th, 2004, 3:27 pm

Post by Jadugar »

pi-rho wrote: I think it's great that Mozilla devs wanna protect users from malicious sites, but this 'ssl_error_bad_cert_domain' error page stuff is just stupid. It needs to show a decent error message and give the user options.


I won't get into details but I agree with you in an 'ideal' world sort of way. Problem is, we don't live in an ideal world or anywhere even remotely close to an ideal world and thus have to adopt practices that work in the real world as opposed to in a world that doesn't exist and has never existed, at least in human history. You might want to check the various discussions, especially in the various bugs, that have led to the current state of development.
Dolske
Posts: 22
Joined: January 18th, 2006, 10:12 am

Post by Dolske »

pi-rho wrote: If you seriously think that the point of SSL is to verify identity, you've already drunk the kool-aid and there is no help for you. The point of SSL is to encrypt a session between endpoints. A valid SSL cert really only means that you paid a big company for a signed block of text.

I think it's great that Mozilla devs wanna protect users from malicious sites, but this 'ssl_error_bad_cert_domain' error page stuff is just stupid. It needs to show a decent error message and give the user options.


Well... There are indeed common misconceptions about SSL, Identity, and Trust. However, certs *are* needed to verify that the encrypted connection is being established with the correct endpoint. The stricter checks guard against network attacks, not so much malicious sites: If you go to https://bank.com, that may or may not be your neighborhood bank, but SSL ensures that the connection isn't being hijacked by some guy futzing with the WiFi connection you're using at the coffee shop.
colfer
Posts: 643
Joined: December 4th, 2002, 9:34 am
Location: Bear

Post by colfer »

Speaking of certs that don't verify your identity, does anyone know if the $20 GoDaddy SSL cert works without warnings, blockings, etc? In other words, does it specify the full chain in the standard way that Mozilla accepts?

The original bug on this mess was about biglumber.com and the chain depending on a cached visit to GoDaddy.

Does the identity verification of more expensive certs really do anything for the user? I mean, if it says "citibank.com" in the address bar, you figure they're using whatever cert they want to, it's still Citibank. Have the cert authorities ever actually invalidated a cert for phishing? Hope so. Did it depend on whether it was a $20 cert or an $80 cert or a $400 cert (the cheapest one at Verisign)? If you buy the $20 cert will GoDaddy invalidate you due to a random spam complaint from an AOL user? What if you buy GoDaddy's $80 cert, which has some identity validation?
Dolske
Posts: 22
Joined: January 18th, 2006, 10:12 am

Post by Dolske »

Jesse Ruderman recently blogged (http://www.squarefree.com/2007/06/18/https-for-wwwsquarefreecom/) about setting up SSL on his site. It mentions his costs, although one can apparently do better by shopping around.

As I understand it, the issues with certificate chains are largely due to server configuration issues. You're supposed to install the intermediate certs on your server (e.g., as GoDaddy describes at https://certificates.godaddy.com/InstallationInstructions_alt.go), but because of how different browsers work you can sometimes skip that step and have it work in one browser but not another.

Certificate issuance isn't tied to site content, so it really has little to do with phishing or spam. Using a domain that mimics another (paypal-credit-card-no-really-this-is-legit-i-swear.com) is more of an issue of domain name registration/ownership. As it turns out, people are easily phished even from obviously phony domains, so most phishers don't bother with SSL at all (yet?).
colfer
Posts: 643
Joined: December 4th, 2002, 9:34 am
Location: Bear

Post by colfer »

So if paypal-credit-card-no-really-this-is-legit-i-swear.com bought a $400 cert from Verisign, and someone pointed out to Verisign that it was a phishing site, they would not invalidate the cert? Same question for GoDaddy.

Thanks for the other info about chains; that makes sense.