Internet Explorer just doesn't care about security!

Summary

This is my experience of a bug that I thought was a Mozilla bug but it turned out that Internet Explorer just doesn't care about security.

Story

It all started when we, TDC Internet, just got a new SSL Server Certificate from a Certification Authority (CA) called certifkat.dk.

We installed the certificate on the server and suddenly Mozilla couldn't view anything on the site or even connect to the site. All you got when trying to view a web page on the server was Error -8102. Unable to go to site.

Then I tried using Internet Explorer and everything worked fine. Could Mozilla be wrong? Perhaps the certificate was in a format that Mozilla didn't support?

I tried using the official Mozilla releases instead of my nightly build, but I still got the same error.

I did some searching in Bugzilla and on Google and found that error -8102 was "Certificate key usage inadequate for attempted operation". So perhaps the certificate contained a key, whatever that was, that only Internet Explorer knew about.

So I filed a bug in Bugzilla so that a Mozilla developer and all other Bugzilla users could help me in finding the solution to the problem. I also used IRC to get more information.

And the Mozilla Community is amazing. People quickly came up with SSL stack traces and debug information.

Conclusion

The problem lies in the certificate issued by the Certification Authority. The certificate uses an extension that indicates what the certificate can be used for. The CA accidentally hadn't set the SSL server extension, so the certificate was not valid as an SSL server certificate.

Internet Explorer does not check this and just assumes that it's a valid SSL server certificate. Mozilla, on the other hand, checks this and correctly refuses to go to the site. The error message in Mozilla is not the best, but that is also being worked on. So it turns out that Internet Explorer just doesn't care about security. Mozilla cares about security and therefore checks the certificate to see if it is valid to be an SSL server certificate. Another win for Mozilla!
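The kind of check a strict client applies can be sketched as follows. This is an added example, not code from the original post or from Mozilla. The post does not say which extension the CA got wrong, so the sketch generalizes to the three standard purpose-restricting extensions (Netscape cert type, key usage, extended key usage) with simplified rules, and the hex-encoded extension blocks are constructed for illustration.

```python
# Added example: constructed data and simplified rules, not Mozilla/NSS code.
NS_CERT_TYPE = bytes.fromhex("6086480186f8420101")  # 2.16.840.1.113730.1.1
KEY_USAGE = bytes.fromhex("551d0f")                 # 2.5.29.15
EXT_KEY_USAGE = bytes.fromhex("551d25")             # 2.5.29.37
SERVER_AUTH = bytes.fromhex("2b06010505070301")     # 1.3.6.1.5.5.7.3.1
ANY_EKU = bytes.fromhex("551d2500")                 # 2.5.29.37.0

def tlv(buf, pos=0):
    """Decode one DER element; return (tag, value, offset of next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def ssl_server_problems(extensions_der):
    """Return reasons the extensions rule out SSL server use (empty = OK)."""
    problems = []
    for _, ext in children(tlv(extensions_der)[1]):
        fields = list(children(ext))
        oid, inner = fields[0][1], fields[-1][1]  # OID, [critical], OCTET STRING
        tag, val, _ = tlv(inner)
        bits = val[1] if tag == 0x03 and len(val) > 1 else 0  # first BIT STRING byte
        if oid == NS_CERT_TYPE and not bits & 0x40:  # bit 1 = SSL server
            problems.append("nsCertType lacks SSL server")
        elif oid == KEY_USAGE and not bits & 0xA8:   # bits 0, 2, 4
            problems.append("keyUsage lacks digitalSignature/keyEncipherment/keyAgreement")
        elif oid == EXT_KEY_USAGE:
            purposes = {v for _, v in children(val)}
            if not purposes & {SERVER_AUTH, ANY_EKU}:
                problems.append("extendedKeyUsage lacks serverAuth")
    return problems

# Constructed Extensions blocks (hex DER), not taken from the certificate in the post.
CLIENT_ONLY = bytes.fromhex("3013" "3011" "06096086480186f8420101" "040403020780")
SERVER_OK = bytes.fromhex("3013" "3011" "06096086480186f8420101" "040403020640")
EKU_CLIENT = bytes.fromhex("3015" "3013" "0603551d25" "040c300a06082b06010505070302")

if __name__ == "__main__":
    for name, der in [("client-only", CLIENT_ONLY), ("server", SERVER_OK), ("eku-client", EKU_CLIENT)]:
        print(name, ssl_server_problems(der) or "usable as SSL server")
```

An extension that is absent imposes no restriction, which is why only extensions that are present can produce a problem. A client that skips this function entirely behaves like the Internet Explorer described above.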

References

Bug 193991
My original bug report which later became a duplicate of bug 142280

Bug 143280
A bug report which describes the same problem that I had. It's marked wontfix since the problem isn't a Mozilla bug.


March 03, 2003 01:04 PM | Posted in Mozilla


2 Comments

Thanks for detailing this problem, we just encountered a similar error and the description was most helpful... especially as the error message doesn't appear to have been enhanced any in the meantime (more than a year).

Comment by Mike at March 12, 2004 08:51 PM | Permalink

Who may know how to generate a certificate to avoid this problem?

Comment by Theodor at October 20, 2005 02:05 PM | Permalink
