Mozilla Foundation Security Advisory 2014-45

Incorrect IDNA domain name matching for wildcard certificates

Announced

April 29, 2014

Reporter

Christian Heimes

Impact

Moderate

Products

Firefox, SeaMonkey

Fixed in

Firefox 29
SeaMonkey 2.26

Description

Security researcher Christian Heimes reported that the Network Security Services (NSS) library does not handle IDNA domain prefixes according to RFC 6125 for wildcard certificates. This leads to improper wildcard matching of domains when they should not be matched in compliance with the specification. This issue was fixed in NSS version 3.16.

References

Hostname matching code violates RFC 6125 for IDNA (CVE-2014-1492)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2014-45

Incorrect IDNA domain name matching for wildcard certificates

Description

References