"Firefox blocks the access to site, I think most of other browsers do not."
www.paypal.com returns a valid certificate. Chromium based browsers redirect to there. Firefox doesn't redirect there unless you first visit www.paypal.com. Once you have visited www.paypal.com in Firefox, paypal.com gets redirected there.
This is not my area of technical expertise so why things get redirected one way versus the other I don't know, this is just the behavior I have observed.
> Because secure browsers like Chrome require certificate transparency for it to trust the cert.
And if it was found out to be fraudulent? "Secure" Chrome would do f***all unless you're PayPal while "insecure" Firefox always checks if the certificate is still valid.
"Firefox does not trust this site because it uses a certificate that is not valid for magmalabs.io. The certificate is only valid for the following names: m.magmalabs.io, www.magmalabs.io
I get a security warning for bad cert domain when I visit that in Firefox but not in Chrome, odd, probably just a difference in default handling behavior for a particular case.
Is it possible that you’re using a canary version of Chrome? Check chrome://version/, for me I see version 69 and I can go to https://www.paypal.com/ and see that the Symantec EV cert is still valid, which was issued in 2017. In particular, if you see version 70, I would expect you to get errors visiting PayPal, just like the roadmap says.
Personally I think it’s bad practice to have a cert last more than a year in the first place, due to a number of both operational concerns and security concerns, but that is neither here nor there.
According to this http://blog.dob.sk/2014/07/23/firefox-31-self-signed-certifi... it's a 3+ month old bug in Firefox's certificate verification code. I used to be able to access my router's control panel in Firefox (and other sites with self-signed certs), and still can in other browsers (albeit after jumping through the usual hoops), the sites are not at fault here.
I'm just an average user that no one cares about, but if you dare read the comments on that blog, it seems this bug and the slow response to it pissed off a lot of corporate IT folk whose self-signed apps they borked.
No you don't. At least not even on old IE 11, and I can't imagine any other browser doing it worse (and I know Firefox). The browser is supposed to allow you to access the site by just confirming that you want. No root certificates.
Firefox uses its own certificate store, that's why it works on Windows XP. Chrome and Internet Explorer will likely not work, because they use Windows XP's certificates, which don't include trust for Let's Encrypt.
Another factor is that some browsers will automatically retrieve intermediate certificates that aren't supplied by the server. I'm not sure if it's still the case, but it used to be that Firefox would fail on HTTPS connections with a broken chain where IE would succeed.
I'm confused - Firefox and Chrome act completely identically to a self signed cert for me. Both let me click through after looking at the cert or expanding a section. I have never been "blocked" by some hidden modal unless the site chooses to be HSTS-enforcing, and in that case Firefox does not allow a clickthrough either.
Someone please correct me if I'm wrong, but I do think Firefox ships their own root certificates with their browser, while Chrome uses the system ones. It's possible fluidcruft's employer has installed new root certificates so they can analyze/inspect the traffic through their network and Chrome is happily rolling along, while Firefox does not like it because now the connection effectively has been broken.
Firefox needs to respect the OS certificate store instead of using its own. Without it client-cert authenticated sites cannot be accessed. IT admins usually have policies on Windows and macOS that prevent export of client cert+priv key.
Can confirm here PayPal's Symantec Class 3 EV SSL CA - G3 signed certificate validates in Chrome 68 and 69 but returns NET::ERR_CERT_SYMANTEC_LEGACY on Chrome 70.
Do you have a source for that? Google's KB articles still reference Chrome 70 [1], and I can't find another reference to this anywhere else.
Paypal.com is still operating with a Symantec signed cert - issued by "Symantec Class 3 EV SSL CA - G3". Works fine in Chrome 68. (and not in Firefox with the security.pki.distrust_ca_policy override set)