Firefox does not trust some sites
Just to summarize why Firefox does not trust the https://www.clevery.co.jp/ online shop.
Apparently the server at https://www.clevery.co.jp/ only sends its own certificate when I open their page. What most sites usually do is that they send not only their own certificate, but also the certificate of their issuer, and the certificate of that issuer and so on up to the root certificate (excluding the last one). What is happening with the clevery server is that its certificate contains an extension that points to the location of the parent certificate. As given by OpenSSL:
    Authority Information Access:
        OCSP - URI:http://ocsp.verisign.com
        CA Issuers - URI:http://SVR1024Secure-aia.verisign.com/SVR1024Secure2007-aia.cer
So, apparently Firefox doesn't follow that path and that seems to be a recognized standard. A quick Google found this article by someone who ran into the same problem and who has already checked the status of that extension.
I'll have to look more into it myself, but I am not in the mood right now.
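A way to check a server for this misconfiguration from saved OpenSSL output, as an added example that is not part of the original post: it walks the chain the server sent, finds the first issuer that is neither sent nor a locally trusted root, and reports the AIA "CA Issuers" URL a client would have to fetch. The sample inputs, host names and the `trusted_roots` set are constructed, and the AIA text is assumed to come from the last certificate the server sent.

```python
import re

# Constructed sample in the style of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; this server sends only its own certificate.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/C=JP/O=Example Shop/CN=www.shop.example
   i:/C=US/O=Example CA/CN=Example Intermediate CA
"""
# Constructed AIA text in the style of `openssl x509 -text`.
SAMPLE_AIA = """\
Authority Information Access:
    OCSP - URI:http://ocsp.ca.example
    CA Issuers - URI:http://aia.ca.example/intermediate.cer
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        s = re.match(r"\s*\d+ s:(.*)$", line)
        i = re.match(r"\s+i:(.*)$", line)
        if s:
            subject = s.group(1).strip()
        elif i and subject is not None:
            chain.append((subject, i.group(1).strip()))
            subject = None
    return chain

def ca_issuer_urls(aia_text):
    """Extract the 'CA Issuers' URIs from the AIA extension text."""
    return re.findall(r"CA Issuers - URI:(\S+)", aia_text)

def diagnose(chain_text, aia_text, trusted_roots):
    """Find the first issuer that is neither sent by the server nor a local root.
    Names are compared as strings, a simplification of real path building."""
    chain = parse_chain(chain_text)
    for idx, (_, issuer) in enumerate(chain):
        next_subject = chain[idx + 1][0] if idx + 1 < len(chain) else None
        if issuer == next_subject or issuer in trusted_roots:
            continue
        # Gap: a client must have this issuer cached or fetch it via AIA.
        return {"complete": False, "missing_issuer": issuer,
                "aia_urls": ca_issuer_urls(aia_text)}
    return {"complete": bool(chain), "missing_issuer": None, "aia_urls": []}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CHAIN, SAMPLE_AIA, {"/C=US/O=Example CA/CN=Example Root CA"}))
```

A result with `complete` set to `False` means the site only validates in clients that already hold the intermediate or that fetch it from the AIA URL; the server-side fix is to send the intermediate along with the site certificate.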
And here is the Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=245609
I knew I should have checked this myself. That extension is apparently not really a standard (or at least it is not something that MUST be followed).
Clevery fixed their site 3 weeks after I notified them. Not too bad. I would like to see how long it would take SeikatsuClub to fix their eClub site. Unfortunately their site doesn't work with anything but IE so it would be hard for me to explain why it should be fixed. I can imagine the conversation already.