Here's an example of Firefox producing a confusing error message:
https://www.citigroup.com/
Citigroup is using the EV cert of one of their business units,
"citibank.com". This is sloppy of them.
Firefox's warning message:

    This Connection is Untrusted

    You have asked Firefox to connect securely to www.citigroup.com,
    but we can't confirm that your connection is secure. Normally,
    when you try to connect securely, sites will present trusted
    identification to prove that you are going to the right place.
    However, this site's identity can't be verified.

    What Should I Do?

    If you usually connect to this site without problems, this error
    could mean that someone is trying to impersonate the site, and
    you shouldn't continue.

    Technical Details

    www.citigroup.com uses an invalid security certificate.
    The certificate is only valid for the following names:
    icg.citi.com , www.citibank.com
    (Error code: ssl_error_bad_cert_domain)

For comparison, see Google Chrome's warning message:

    This is probably not the site you are looking for!

    You attempted to reach www.citigroup.com, but instead you actually
    reached a server identifying itself as www.citibank.com. This may be
    caused by a misconfiguration on the server or by something more serious.
    An attacker on your network could be trying to get you to visit a fake
    (and potentially harmful) version of www.citigroup.com.

    You should not proceed, especially if you have never seen this warning
    before for this site.

John Nagle
SiteTruth
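
The name check behind both warnings, as an added example that is not part of the original post and is not Firefox or Chrome code. The function names are hypothetical, and the matching rules are an assumption of strict behaviour: case-insensitive comparison, with a wildcard honoured only as the whole left-most label.

```python
"""Hostname check against a certificate's dNSName entries (added example)."""


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against the requested hostname.

    A wildcard stands for exactly one label and must be the entire
    left-most label of the pattern.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Need two literal labels after the wildcard, so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_host(host: str, cert_names: list[str]) -> tuple[bool, str]:
    """Return (ok, message); the message names both sides of a mismatch."""
    names = [n.strip() for n in cert_names]
    if any(name_matches(n, host) for n in names):
        return True, f"{host}: certificate name matches"
    return False, (
        f"{host}: name mismatch (ssl_error_bad_cert_domain); "
        f"certificate is valid only for: {', '.join(names)}"
    )


# Names as listed in the Firefox "Technical Details" text quoted above.
CITI_NAMES = ["icg.citi.com", "www.citibank.com"]

if __name__ == "__main__":
    for requested in ("www.citigroup.com", "www.citibank.com"):
        print(check_host(requested, CITI_NAMES)[1])
```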