chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

invalid-expected-sct.badssl.com doesn't yield the expected error in Firefox #365

Closed jsoref closed 6 years ago

jsoref commented 6 years ago

Chrome says:

Attackers might be trying to steal your information from invalid-expected-sct.badssl.com (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED Subject: invalid-expected-sct.badssl.com

Firefox says:

invalid-expected-sct.badssl.com uses an invalid security certificate. The security certificate for invalid-expected-sct.badssl.com is not trustworthy because the issuing organization failed to follow security practices. Certificates issued by Symantec, including the Thawte, GeoTrust, and RapidSSL brands, are not considered safe. Error code: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

I don't think there's anything horribly wrong w/ Firefox's error stance here. (And in fact, I'd kind of expect this to be the preferred error case for this certificate from all browsers.)

I'm not sure if you can get a valid new certificate which has the properties you desire, but it would be nice if the certificate that was offered was unambiguous in its error count and specifically only yielded the SCT item.
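
The distinction this comment asks for, an "SCT missing" failure that is not also an "issuer distrusted" failure, can be checked on a leaf certificate before handing it to a browser. The following is an added example, not code from badssl.com or from either commenter: it uses the `cryptography` library to report whether a certificate carries the embedded-SCT extension and whether its issuer organisation matches one of the brands named in the Firefox message. The brand-name matching is an assumed, illustrative heuristic (browsers pin the affected root keys, not names), and the certificates it inspects are constructed self-signed ones, so the "distrusted issuer" case is simulated rather than a real Symantec chain. Only embedded SCTs are inspected; SCTs delivered in the TLS handshake or via OCSP stapling are not visible in the certificate.

```python
"""Separate 'no embedded SCTs' from 'issuer distrusted' for a leaf cert.

Added example for this issue thread; not badssl.com project code.
Requires the `cryptography` package.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Assumption: match the issuer's O= field against the brands named in the
# Firefox error text. Real browsers key the Symantec distrust off root key
# hashes; this name list is only an illustrative stand-in.
DISTRUSTED_ISSUER_BRANDS = {"Symantec", "Thawte", "GeoTrust", "RapidSSL", "VeriSign"}


def has_embedded_scts(cert: x509.Certificate) -> bool:
    """True if the cert has a non-empty CT precertificate SCT list extension
    (OID 1.3.6.1.4.1.11129.2.4.2). SCTs sent via the TLS extension or OCSP
    stapling are not visible here."""
    try:
        ext = cert.extensions.get_extension_for_oid(
            ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS
        )
    except x509.ExtensionNotFound:
        return False
    return len(ext.value) > 0


def issuer_distrusted(cert: x509.Certificate) -> bool:
    """Heuristic (see assumption above): issuer O= contains a distrusted brand."""
    orgs = [a.value for a in cert.issuer.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)]
    return any(brand.lower() in org.lower() for org in orgs for brand in DISTRUSTED_ISSUER_BRANDS)


def classify(cert: x509.Certificate) -> list[str]:
    """Return the policy failures a CT-enforcing client would see, in a fixed
    order, so a test cert can be confirmed to trip exactly one of them."""
    errors = []
    if issuer_distrusted(cert):
        errors.append("issuer-distrusted")
    if not has_embedded_scts(cert):
        errors.append("sct-missing")
    return errors


def make_test_cert(issuer_org: str, subject_cn: str = "invalid-expected-sct.badssl.com") -> x509.Certificate:
    """Constructed self-signed certificate with no SCT extension. The issuer
    organisation is whatever the caller passes; no real CA is involved."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, issuer_org)])
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=1))
        .sign(key, hashes.SHA256())
    )


if __name__ == "__main__":
    # A cert that fails both checks, like the one the thread describes,
    # versus one whose only failure is the missing SCT list.
    print("simulated Symantec issuer:", classify(make_test_cert("Symantec Corporation")))
    print("neutral issuer:", classify(make_test_cert("Example Test CA")))
```

To inspect a real certificate instead of a constructed one, load it with `x509.load_pem_x509_certificate()` and pass it to `classify()`; a certificate that returns only `["sct-missing"]` is the unambiguous case the comment asks for, at least as far as the embedded-SCT path is concerned.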

lgarron commented 6 years ago

I believe this is the same as https://github.com/chromium/badssl.com/issues/358

jsoref commented 6 years ago

Oops, sorry