Convergence ignores Security Exception #123

Closed
ChristophGr opened this issue Nov 20, 2011 · 3 comments

@ChristophGr

I connected to the following site:

https://www.wowace.com

It gives a security exception because convergence for some reason receives the certificate from another site https://www.curseforge.com (same company).

www.wowace.com uses an invalid security certificate.

The certificate is only valid for the following names:
  *.curseforge.com , curseforge.com  

(Error code: ssl_error_bad_cert_domain)

However, when I add a security exception, I still cannot connect to that site.
The only way I can is to turn off convergence :(

I looked in the preferences and there is a security exception for https://www.wowace.com:443
The Certificate Name however is *.curseforge.com

@reissmann

When turning off convergence and connecting to that site I get redirected to http. Maybe the wrong-cert is related to the SNI issue (#28)?

IMHO ignoring security exceptions is a feature of convergence. There shouldn't be any reason for adding security exceptions when people are using SSL as intended. At the moment it's needed because of all the self-signed or CACert issues. With convergence those issues should be gone in the future.

@ChristophGr
Author

On the given site, HTTPS is used only for the login.
Clicking the "sign in" link always redirects to https://www.wowace.com/home/login/?next=http%3A%2F%2Fwww.wowace.com%2F
#28 sounds like a likely explanation.
However I have no way of logging in on the site while convergence is active.

> IMHO ignoring security exceptions is a feature of convergence. There shouldn't be any reason for adding security exceptions when people are using SSL as intended. At the moment it's needed because of all the self-signed or CACert issues. With convergence those issues should be gone in the future.

I think that's not the only thing ppl are doing "wrong" when using SSL.
There are also expired certificates or certificates not covering all subdomains.
Some server administrators either don't care or are just plain incompetent.

Nevertheless, I might be required to use their service (school, university, partner company, ...).
So security exceptions should still be possible, but maybe maintained in a separate whitelist.

@moxie0
Owner

moxie0 commented Dec 11, 2011

It's SNI, I'm closing this as a duplicate of #28.

@moxie0 moxie0 closed this as completed Dec 11, 2011
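
One way to check whether a name mismatch like the one reported in this thread depends on SNI, as an added example (not Convergence code and not from any participant): compare the names on the certificate a server returns with and without the SNI extension. The function names are hypothetical, the "without SNI" names are the ones in the error message above, and the "with SNI" name list is a constructed assumption.

```python
import socket
import ssl

def cert_dns_names(cert):
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN present: fall back to the subject commonName
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names

def name_matches(hostname, pattern):
    """A '*' matches exactly one leftmost label and never a bare TLD."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def covers(hostname, names):
    return any(name_matches(hostname, n) for n in names)

def fetch_names(host, port=443, send_sni=True, timeout=10):
    """Handshake with or without SNI. The chain is validated against the
    system CA store; the hostname comparison is left to the caller."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    sni = host if send_sni else None  # None: no server_name extension is sent
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return cert_dns_names(tls.getpeercert())

def diagnose(hostname, names_with_sni, names_without_sni):
    with_ok = covers(hostname, names_with_sni)
    without_ok = covers(hostname, names_without_sni)
    if with_ok and without_ok:
        return "match"
    if with_ok:
        return "sni-dependent"  # only an SNI-capable client sees a valid name
    return "mismatch"           # wrong certificate even when SNI is sent

if __name__ == "__main__":
    # Offline run on sample names; for a live check pass
    # fetch_names(host, send_sni=True) and fetch_names(host, send_sni=False).
    no_sni = ["*.curseforge.com", "curseforge.com"]  # from the error above
    with_sni = ["www.wowace.com"]                    # constructed assumption
    print(diagnose("www.wowace.com", with_sni, no_sni))
```
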