Yeah, this is one of those edge cases where certs just don't do a good
job. you have to remember (or learn) that when certificates were
invented, they were invented by the telecommunications companies back in
the days when people had one telephone line, one number, one family
unit, and that was that. The x.509 product was all designed around the
number ONE. iow, it is pre-Internet.
Certs are very bad at handling multiple names. There is the SAN
extension, which is used in this instance, but anyone trying to use a
cert with multiple names discovers that the name list is also quite
dynamic. And certs aren't dynamic, they are designed to be static, c.f.
their ONE use case.
So this is one of those cases where the browser is right, *and* the user
is right, and they are both in disagreement. It is very hard to design
the right message here.
(The CA concerned hasn't fully understood the situation, but they're big
enough and ugly enough to pay for their own brand advice.)
iang
On 19/04/12 06:27 AM, John Nagle wrote:
Here's an example of Firefox producing a confusing error message:
https://www.citigroup.com/
Citigroup is using the EV cert of one of their business units,
"citibank.com". This is sloppy of them.
Firefox's warning message:
This Connection is Untrusted
You have asked Firefox to connect
securely to www.citigroup.com, but we can't confirm that your connection
is secure. Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to
this site without problems, this error could mean that someone is
trying to impersonate the site, and you shouldn't continue.
Technical Details
www.citigroup.com uses an invalid security certificate.
The certificate is only valid for the following names:
icg.citi.com , www.citibank.com
(Error code: ssl_error_bad_cert_domain
For comparison, see Google Chrome's warning message:
This is probably not the site you are looking for!
You attempted to reach www.citigroup.com, but instead you actually
reached a server identifying itself as www.citibank.com. This may be
caused by a misconfiguration on the server or by something more serious.
An attacker on your network could be trying to get you to visit a fake
(and potentially harmful) version of www.citigroup.com.
You should not proceed, especially if you have never seen this warning
before for this site.
John Nagle
SiteTruth
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
