16 posts categorized "browsers"


SSL Certificate Warning of the Month: The Aquarium

In support of the recent 3.1 launch of GlassFish open source and commercial versions, The Aquarium is featuring a nice Download GlassFish 3.1 Final badge in the top right hand corner that, unfortunately, generates SSL warnings.  I'm preserving the target in the Download link in this article because I believe that the error will be corrected soon but people might be interested in seeing what was originally returned.  

The error is a simple Hostname Mismatch warning but with the rapid rate of change in most browsers, it's always interesting to me to see how browsers handle these types of warnings.

If there were a prize for 'prettiest error message', Safari would win:


Google Chrome provides similar information to what Safari provides but wraps it all up in an angry red:


Interestingly, from my standpoint as a web site administrator, Firefox wins here in that it is providing the most useful information:


All three browsers are good in that they pop up a warning that the hostname of the site does not match the common name on the certificate but Firefox goes the extra mile by showing *ALL* the valid hosts for this certificate.  Safari and Chrome display that the site name (glassfish.dev.java.net) does not match the certificate name (www.java.net) but this type of certificate is valid for more than just www.java.net.
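The check behind a Hostname Mismatch warning, written out as an added example (not code from the original post or from any browser). The CN is the one quoted above; the subjectAltName list and the host download.java.net are constructed for illustration, since the post does not list the certificate's actual names.

```python
# Added example: certificate names below are constructed sample data.

def name_matches(pattern, host):
    """Compare one certificate DNS name with the requested host (RFC 6125 rules)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the whole left-most label, and not directly on a TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_hostname(host, common_name, san_dns):
    """Report whether host is covered and list every name the cert is valid for."""
    # When subjectAltName DNS entries exist they are authoritative;
    # the common name is only a fallback for certificates without them.
    valid_names = list(san_dns) if san_dns else [common_name]
    matched = [n for n in valid_names if name_matches(n, host)]
    return {"host": host, "ok": bool(matched), "matched": matched,
            "common_name": common_name, "valid_names": valid_names}


# Constructed certificate: the CN is the one from the post, the SAN list is assumed.
SAMPLE_CN = "www.java.net"
SAMPLE_SANS = ["www.java.net", "java.net", "*.java.net"]

if __name__ == "__main__":
    for host in ("glassfish.dev.java.net", "download.java.net", "www.java.net"):
        r = check_hostname(host, SAMPLE_CN, SAMPLE_SANS)
        status = "OK" if r["ok"] else "HOSTNAME MISMATCH"
        print(f"{host}: {status}; certificate is valid for {r['valid_names']}")
```

With this sample data, glassfish.dev.java.net still fails even though a wildcard is present, because `*.java.net` covers exactly one label; listing `valid_names` in the error is what makes that visible to an administrator.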


Browsers: Is SSL Really Working?

Every time I think I have a fairly good understanding of how SSL works, something weird comes along to knock that understanding back a few notches.  Case in point:  Certificate Chains.  IBM has a nice, short article called "How Certificate Chains Work" that describes what they are so I'm linking to that in order to save some space for this post.  

With almost any type of certificate one purchases from Verisign today, and I use Verisign as an example because I am a Verisign certificate user, two intermediate certificates sit between the root certificate and the server certificate: a Primary Intermediate and a Secondary Intermediate.  The Primary Intermediate is the same regardless of the type of server certificate that was purchased.  The Secondary Intermediate varies according to the type of server certificate purchased.  If you purchased one of their SecureSite with EV certificates, the secondary intermediate is different from the one that is issued along with their SecureSite certificates but the Primary Intermediate is the same. 

Browsers have a feature in that they, I thought, displayed the full certificate chain, also known as the certification path.  They would display the certificate hierarchy, so you can see the root, the intermediate(s) and the server cert.  Problem is, they seem to have stopped doing this.  Take Safari 5, which is displaying the certification path for the Extended Validation cert securing www.verisign.com:

Safari 5 shows the Primary Intermediate as if it is the root certificate, followed by the secondary intermediate, followed by the server cert.  What's missing is the actual root cert as this is supposed to be a 4 way chain.  

Firefox 3.6.13 exhibits the same behavior.  Before you think, "Oh, this must be a Mac thing...", Firefox 3.6.13 running on Ubuntu 10.10 shows the same thing, too.  So then I thought, well, maybe this is what is supposed to happen but two peculiar additional discoveries are the cause of my confusion.

Safari 3 shows the full certification path:

I found in my System Roots keychain that Apple has imported the Class 3 Public Primary Certification Authority - G5 cert, (the Primary Intermediate).  Perhaps that is why it is displaying a 4 way chain as a 3 way chain?  Well, that's what me and a buddy thought before connecting to one of my sites secured with a non EV cert but still utilizing the same 4-way chain.  In that case, all four certs in the certification path are displayed in Safari 5 (portions of the image redacted to protect the innocent):

So...what's going on browser makers?  I'm assuming that there is a bug somewhere but where??  Is my understanding of how this should be working the bug?  
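The hypothesis raised in this post, that a Primary Intermediate also present in the local root store ends the displayed path early, can be modelled with a small path builder. This is an added example, not from the original post and not a description of how any particular browser is implemented; it links certificates by subject and issuer name only (no keys or signatures), and every name except the G5 one is constructed.

```python
# Added example: a name-only model of certification path building.

def build_path(leaf, presented, trust_anchors):
    """Return the path from leaf to the first trusted cert, as a list of subjects.

    presented:     {subject: issuer} for the certs the server sends.
    trust_anchors: {subject: issuer} for the certs in the local root store.
    """
    # A copy in the local store takes precedence over the one the server sent.
    pool = {**presented, **trust_anchors}
    path, seen, current = [], set(), leaf
    while True:
        if current in seen:
            raise ValueError("loop in issuer chain at " + current)
        if current not in pool:
            raise ValueError("issuer certificate not found: " + current)
        seen.add(current)
        path.append(current)
        if current in trust_anchors:
            return path  # validation (and display) stops at the first anchor
        if pool[current] == current:
            raise ValueError("self-signed but not trusted: " + current)
        current = pool[current]


# Constructed 4-certificate chain in the shape the post describes.
ROOT = "Root CA (constructed name)"
PRIMARY = "Class 3 Public Primary Certification Authority - G5"
SECONDARY = "Secondary Intermediate (constructed name)"
SERVER = "www.example.test"
PRESENTED = {SERVER: SECONDARY, SECONDARY: PRIMARY, PRIMARY: ROOT}

# Store A trusts only the root; store B also holds the Primary as a self-signed anchor.
STORE_A = {ROOT: ROOT}
STORE_B = {ROOT: ROOT, PRIMARY: PRIMARY}

if __name__ == "__main__":
    for label, store in (("root only", STORE_A), ("root + primary", STORE_B)):
        path = build_path(SERVER, PRESENTED, store)
        print(f"{label}: {len(path)} certs -> {' <- '.join(reversed(path))}")
```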





Safari 5 Is Out

Apple released Safari 5 today for Windows and OS X.  Get it at the download page.  The What's New page lists all the new features (that were still not cool enough to get a mention during today's WWDC keynote) but some of them include:

  • Safari Reader - This looks like Apple's answer to ad-blocking while simultaneously providing something that will make the bloggers all upset.  Implemented as a toolbar button, once clicked, all sidebars will be dimmed and an on-screen display will pop up offering print, email, and font size control options.  Presumably, Safari Reader will work best with the new html5 article tag.
  • HTML 5 - Safari 5 is adding more HTML 5 support including Full Screen views and closed captioning. 
  • Faster - Performance improvements to the Nitro JavaScript engine and DNS Prefetching hope to make things snappier.
  • Plugins/Extensions - Safari now adds support for third-party developed extensions.  The new, free Safari Developer Program provides technical resources, a code signing facility, and developer forums.