new ssl_error_bad_cert_domain error window

Discussion about official Mozilla Firefox builds
mdew
Posts: 366
Joined: March 2nd, 2005, 2:34 am

new ssl_error_bad_cert_domain error window

Post by mdew »

Must be pretty recent (3-4 days), I cannot login to the exchange server, and get this error:

[image: screenshot of the error window]

Any way to avoid this via about:config?
old zeniko
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old zeniko »

That's due to bug 327181. The intention is that it should be quite difficult to work around invalid/expired/etc. certificates, thus there's not even a switch in about:config. See https://bugzilla.mozilla.org/show_bug.cgi?id=327181#c115 for how to get past that warning for a single domain, though.
firemedic11
Posts: 63
Joined: December 3rd, 2005, 4:37 pm
Location: Indiana, USA

Post by firemedic11 »

I can tell you this bug 327181 in its current state would be enough for the common user to go back to the Evil Empire's IE or another browser so they do not have to try and find a workaround! Just my 2 cents.
Firefox/Thunderbird Is the Best!!!! Most of the time
a;skdjfajf;ak
Posts: 17002
Joined: July 10th, 2004, 8:44 am

Post by a;skdjfajf;ak »

Strange, this site is blocked by Minefield, but IE 7 on Vista HP allows it to load:
https://www.biglumber.com/x/web?mp=1

How is that 'parity'? I really don't understand all this stuff much.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007100804 Minefield/3.0a9pre Firefox/3.0 ID:2007100804

EDIT: Bug filed: https://bugzilla.mozilla.org/show_bug.cgi?id=399019
oldtimer
Posts: 827
Joined: July 9th, 2004, 1:48 pm

Post by oldtimer »

Littlemutt, neither do I @ understanding this stuff that much. But while it appears IE is being the 'cool' parent, Firefox is being the strict parent going 'Don't do as you saw, do as I say'. Lead by my example, don't take shortcuts and so on.

It's like we're trying to teach websites that establish themselves in this manner or have lazy webmasters that don't renew expired certificates that they get a 'time out'... permanently... until they clean up their act. So maybe this is another 'zero tolerance' policy we're implementing much like the new security for addons, where addons on the web & previously saved/archived addons cannot be installed due to missing a [SSL] httpS url (yes, I know of the pref - But an exception needs to be made for not checking locally saved files in a long-term solution).
Current: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b2pre) Gecko/2007112000 Minefield/3.0b2pre
For kicks: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
a;skdjfajf;ak
Posts: 17002
Joined: July 10th, 2004, 8:44 am

Post by a;skdjfajf;ak »

The bug has been marked 'INVALID', but something still seems to be amiss when the site works if you visit godaddy.com first - how are we, the end users, supposed to know that?

EDIT: well now the bug has been reopened and the discussion continues.
New bug filed: https://bugzilla.mozilla.org/show_bug.cgi?id=399045
which has some interesting turns as well.

I hate to think if this is not 'fixed' or something, the number of complaints about sites working one time and not the next, then suddenly working again just because you visited some site that got it 'right'. Yikes!
colfer
Posts: 643
Joined: December 4th, 2002, 9:34 am
Location: Bear

Post by colfer »

Yeah, so the original bug 399019 is now marked Tech Evangelism ("webmaster fix your server"), and a new bug 399045 was filed to make it so visiting GoDaddy first will not validate the cert (which makes sense).

This business of giving no override dialog is based on the reasoning that 95% of users always click OK. On the other hand, wouldn't that 5% be enough of a user base to alert the webmasters and/or fraud authorities what is going on? So maybe that's not protection enough, and no warning dialog is harsh enough. Type in "I agree" here... that kind of thing?

What are the scenarios for a bad guy faking a cert? The ones I can think of are a phishing email or an XSS frame.

Cheap certs don't verify the business info anyway, and they will validate fine. Mainly SSL just gives you encryption, and a sanity check on whether the servers have been hijacked since the last time you visited the site.
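The two checks this thread keeps circling, modelled as an added example (not Firefox's code): the name check behind ssl_error_bad_cert_domain, and chain building with a cache of previously seen intermediates, which is why the site in bug 399045 validated only after a visit to GoDaddy had supplied the missing intermediate. The Cert model, the class and function names, and the error name sec_error_unknown_issuer (Firefox's name for an untrusted issuer, not quoted in the thread) are assumptions; signature and validity-period checks are left out.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Cert:                 # constructed stand-in for an X.509 certificate
    subject: str            # e.g. "CN=mail.example.test"
    issuer: str
    san: tuple = ()         # dNSName entries from subjectAltName
    is_ca: bool = False

def hostname_matches(cert: Cert, host: str) -> bool:
    """RFC 6125 style name check: SAN dNSNames are used, CN only as a fallback."""
    h = host.lower().rstrip(".").split(".")
    names = list(cert.san) or [cert.subject.split("CN=")[-1]]  # simplified CN parse
    for name in names:
        name, p = name.lower(), name.lower().split(".")
        # wildcard only as the whole leftmost label with two or more labels after it
        if "*" in name[1:] or (name.startswith("*") and len(p) < 3):
            continue
        if len(p) == len(h) and all(x in ("*", y) for x, y in zip(p, h)):
            return True             # "*" matches exactly one label, never "a.b"
    return False
class Verifier:
    """Chain building with the intermediate cache behind bug 399045 (assumption:
    signature and validity-period checks are left out of this model)."""
    def __init__(self, roots):
        self.roots = {c.subject for c in roots}
        self.cached = {}            # intermediates remembered from earlier visits
    def verify(self, served: list, host: str):
        """Return None on success, else the Firefox error name for the failure."""
        for c in served[1:]:
            if c.is_ca:             # remember any CA cert the server happened to send
                self.cached[c.subject] = c
        if not hostname_matches(served[0], host):
            return "ssl_error_bad_cert_domain"
        cur = served[0]
        for _ in range(10):         # bound the walk so a looping chain cannot hang
            if cur.issuer in self.roots:
                return None
            cur = self.cached.get(cur.issuer)
            if cur is None:         # issuer neither served, cached nor trusted
                return "sec_error_unknown_issuer"
        return "sec_error_unknown_issuer"
def missing_intermediate_scenario():
    root = Cert("CN=Root CA", "CN=Root CA", is_ca=True)
    inter = Cert("CN=Intermediate CA", "CN=Root CA", is_ca=True)
    site = Cert("CN=shop.example.test", "CN=Intermediate CA", ("shop.example.test",))
    good = Cert("CN=ca.example.test", "CN=Intermediate CA", ("ca.example.test",))
    v = Verifier([root])
    before = v.verify([site], "shop.example.test")
    v.verify([good, inter], "ca.example.test")    # like visiting godaddy.com first
    return before, v.verify([site], "shop.example.test")   # error first, then None
```

The fix on the server side is to send the full chain, so that validation does not depend on what the browser happened to cache earlier.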
chob
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post by chob »

firemedic11 wrote:I can tell you this bug 327181 in its current state would be enough for the common user to go back to the Evil Empire's IE or another browser so they do not have to try and find a workaround! Just my 2 cents.

One would hope people associate firefox with secure browsing, and so if firefox denies them access to a site on security grounds, they should take note and do without that site. If they go to the site in another browser then I would hope they realise they are taking a risk.
pi-rho
Posts: 12
Joined: July 5th, 2005, 4:36 pm

Post by pi-rho »

Give a big nasty error. Make it really scary. Offer to spam the webmaster with hate filled emails. Whatever. If someone wants to continue on to a site at that point, they should be able to. Firefox is a web browser not a nanny.
Last edited by DanRaisch on January 31st, 2012, 5:49 am, edited 1 time in total.
Reason: Edited for language.
Johnny_Sun
Posts: 124
Joined: August 7th, 2003, 8:08 pm

Post by Johnny_Sun »

But how can I "take the risk" if I want to? I want to access a site I can definitely trust although it doesn't have a valid cert. How can I do that with the new build now?
chob wrote:
firemedic11 wrote:I can tell you this bug 327181 in its current state would be enough for the common user to go back to the Evil Empire's IE or another browser so they do not have to try and find a workaround! Just my 2 cents.

One would hope people associate firefox with secure browsing, and so if firefox denies them access to a site on security grounds, they should take note and do without that site. If they go to the site in another browser then I would hope they realise they are taking a risk.
chob
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post by chob »

Johnny_Sun wrote:But how can I "take the risk" if I want to? I want to access a site I can definitely trust although it doesn't have a valid cert. How can I do that with the new build now?

Zeniko's already mentioned that the work-around is in bug 327181 comment 115.

pi-rho wrote:This is bullshit. Give a big nasty error. Make it really scary. Offer to spam the webmaster with hate filled emails. Whatever. If someone wants to continue on to a site at that point, they should be able to. Firefox is a web browser not a fricken nanny.

Out of the box, firefox 2 protects its users against phishing. Firefox 3 will also protect its users from malware and now also from such dodgy security certs. The fact is most* of our users need to be protected from themselves when it comes to surfing the web because they can't tell the difference between a good site and a bad site.

(*obviously not clever people like you who know what a browser is, an internet is, a security certificate is, and can make judgements based on technical information the browser may present to you. I'm talking about the 95% of our new-fish users who don't care about computer crap and just want to surf the web safely.)

If a website can no longer be accessed, then the webmaster should use a valid cert on a properly configured server, or not use SSL at all. Otherwise, what is the point of it?

Anyway, there's plenty of discussion on the newsgroups and in bug 327181 if you want to understand the thinking behind this, and there's a work-around; and I guess it's something an extension might be able to add back into firefox, if you really deal with sites with dodgy certs so regularly.
bizarrojack
Posts: 282
Joined: December 29th, 2003, 1:35 pm

Post by bizarrojack »

Could we please just work back from possible attack vectors, as opposed to preventing the display of (mostly) harmless content (convincing lies notwithstanding*)? Wouldn't it be better if cookies, javascripts, downloading of .exe files, etc. were blocked instead of all plain old HTML content? I agree that people's tendency to click "OK" without reading or understanding SSL error messages is a serious problem that requires a change in how things are done, but 99% of the time there is no real threat. I think that a red location bar and those other various limitations would get the message across and prevent real exploits while not hamstringing your casual browsing. Obviously this other stuff I'm talking about is much more complex than just closing the connection, but I don't want to place an arbitrary barrier between myself and just seeing content. I'll just use Opera, firefox 2, or wget, if there's something I might want from some ghetto SSL site.

Also, how am I supposed to get the webmaster's email address if I can't even read the page, anyway? (If anyone says "webmaster@domain rfc blah blah blah," I am familiar with it, but it pretty much never works)

* I think there is a big difference between pure "computer security" issues and being the "information police" or something. Plenty of reputable SSL certificate owners tell lies all the time, and I think it is something that the computer illiterate everyman is already familiar with, and firefox doesn't enter that equation.
a;skdjfajf;ak
Posts: 17002
Joined: July 10th, 2004, 8:44 am

Post by a;skdjfajf;ak »

Bizarrojack wrote:
Also, how am I supposed to get the webmaster's email address if I can't even read the page, anyway? (If anyone says "webmaster@domain rfc blah blah blah," I am familiar with it, but it pretty much never works)
To say nothing of not being able to access said site and the 'Report Broken Web-Site' function. Launching the report will not allow an insert of a bad URL.

Gets more Catch-22 all the time.
chob
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post by chob »

Littlemutt wrote:To say nothing of not being able to access said site and the 'Report Broken Web-Site' function. Launching the report will not allow an insert of a bad URL.

Gets more Catch-22 all the time.

I don't know what you mean by this, do you have steps to reproduce? If I go to such a site, e.g. https://pdn.palm.com/ or http://server.scottellis.com.au/ and then Help > Report Broken Website, the Web Site URL is populated with the correct address for me.
a;skdjfajf;ak
Posts: 17002
Joined: July 10th, 2004, 8:44 am

Post by a;skdjfajf;ak »

chob wrote:
Littlemutt wrote:To say nothing of not being able to access said site and the 'Report Broken Web-Site' function. Launching the report will not allow an insert of a bad URL.

Gets more Catch-22 all the time.

I don't know what you mean by this, do you have steps to reproduce? If I go to such a site, e.g. https://pdn.palm.com/ or http://server.scottellis.com.au/ and then Help > Report Broken Website, the Web Site URL is populated with the correct address for me.
Well, now I can't get it to fail. Was getting a URL yesterday not even related to the failed cert site.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007101005 Minefield/3.0a9pre Firefox/3.0 ID:2007101005