Ian G wrote (quoting me):

RFC 2818 (which is informational, NOT a proposed standard, but which reads
like a proposed standard) in section 3.1 only allows * (not |) and that is
all IE supports.

So for us users, we should stick to using * as we still
have to deal with the majority of the world using IE.

I agree with that.

BTW, I believe FF's present behavior of showing the user-selected DNSname,
given that it matches one of the cert's DNSnames, is the correct behavior.

This reads as if you believe the status bar should only
show names that it has matched from the certificate.

Yes! As I read this thread, other suggestions had included things like a) displaying names like "mecha|rheet.mozilla.org" which users will surely not understand, b) displaying a list of the names found in the cert. It would be useful for the user to be able to see that list if he wishes, but not (IMO) for purposes of saying in the status bar "you're connected to this host".

The exceptional case that started this thread is that FF
shows a URL-derived hostname in the status bar, one
which is not in the cert.

This occurs when the user clicks-thru the popup warning
dialog that indicates that the cert failed the test.

What's your call on what the status bar should show then?

   * show nothing?
   * show some cert name (being different to the URL)?
   * show something from the URL (different to the cert)?

I think either a) show nothing, b) show "server name unverified"

However, I have seen cases where the name shown in the status bar and in
related security dialogs did NOT match the name in the requested URL.
There are bugs filed about this.

Ah, this sounds similar.  If I get a chance I'll search for
those bugs.

See http://www.mozilla.org/security/announce/mfsa2005-14.html for some bugs like this that have been fixed recently. The problem described there is that an http site forwarded the browser to an SSL server that wasn't a fully working https server. That SSL server completed the SSL handshake, but the http transaction didn't finish. Somehow the browser ended up in a state where it continued to show the page contents of the http server, and showed the http server's DNSname in the status bar next to a locked lock icon. Clicking on that lock icon showed a dialog saying that the http server's DNSname has been certified by the issuer of the cert from the SSL server. This was fixed in FF 1.0.1 according to http://www.mozilla.org/projects/security/known-vulnerabilities.html

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
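As an added example (not code from this thread or from Mozilla), a Python sketch of the RFC 2818 section 3.1 matching rule discussed above, with the status-bar decision applied on top: show the URL hostname only when some cert dNSName matches it, otherwise show "server name unverified". The `|` character is given no special meaning, so a name such as "mecha|rheet.mozilla.org" only ever matches literally.

```python
import re
from typing import Iterable, Optional

def _label_matches(pattern: str, label: str) -> bool:
    """RFC 2818 s3.1: '*' matches any run of characters inside ONE label
    (a 'component fragment'); everything else, including '|', is literal."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, label) is not None

def rfc2818_match(pattern: str, hostname: str) -> bool:
    """True if a cert dNSName pattern matches hostname under RFC 2818 s3.1.
    '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com';
    'f*.com' matches 'foo.com' but not 'bar.com'. Comparison is case-insensitive."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # '*' never spans a dot, so the label counts must agree exactly.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))

def matched_cert_name(cert_dns_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first dNSName in the cert that matches, or None.
    RFC 2818 accepts a match against any one of the cert's dNSNames."""
    for name in cert_dns_names:
        if rfc2818_match(name, hostname):
            return name
    return None

def status_bar_text(cert_dns_names: Iterable[str], url_hostname: str) -> str:
    """Status-bar policy from the thread: show the user-selected (URL) hostname
    only when the cert vouches for it; otherwise say so instead of showing
    an unverified name next to a lock icon."""
    if matched_cert_name(cert_dns_names, url_hostname) is not None:
        return url_hostname
    return "server name unverified"

if __name__ == "__main__":
    # Constructed sample: a cert carrying a wildcard and a bare name.
    cert = ["*.mozilla.org", "mozilla.org"]
    print(status_bar_text(cert, "www.mozilla.org"))      # www.mozilla.org
    print(status_bar_text(cert, "www.example.com"))      # server name unverified
```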
