RESOLVED INVALID 10655
No security warning given to user when SSL cert. problem changes during session (warning does occur in IE and Firefox) 
https://bugs.webkit.org/show_bug.cgi?id=10655
Summary No security warning given to user when SSL cert. problem changes during sessi...
opendarwinbugzilla06
Reported 2006-08-31 05:26:18 PDT
In order to reproduce this bug you must have two SSL certs which are, for one reason or another, invalid for the web server you are connecting to (host name mis-match, signed by an un-trusted root, etc.,) and you must be able to reconfigure the web server during the session. I tested this problem by loading a certificate on a web server that wasn't signed by a trusted authority. I connected to the web site and received the normal warning from Safari, and clicked 'Continue.' I also went to the website using Internet Explorer and Firefox 1.5 and accepted the security warning given. I then went to the web server and changed the certificate to one that was signed by a trusted authority, but had a domain name mismatch with the site I was connecting to. When I went back to the same SSL site in Firefox or Internet Explorer I was given a warning about the new invalid state of the SSL certificate and was given an opporunity to review the new certificate that was being used. Safari switched to the new problem certificate without any warning.
Attachments
Add attachment proposed patch, testcase, etc.
Maciej Stachowiak
Comment 1 2007-01-29 03:48:12 PST
<rdar://problem/4960642>
Maciej Stachowiak
Comment 2 2007-02-07 04:46:12 PST
This really involves bugs in the Safari app and in the networking layer below, WebKit is not involved here.
David Kilzer (:ddkilzer)
Comment 3 2007-02-07 04:51:43 PST
(In reply to comment #2) > This really involves bugs in the Safari app and in the networking layer below, > WebKit is not involved here. Comment #2 means that an internal Apple bug report has been filed for this issue, and will be worked internally. This bug was closed because it can't be fixed in the open source WebKit project.
Note You need to log in before you can comment on or make changes to this bug.