Vivaldi saves invalid SSL certificate without file extension
Date: 2024-09-18
-
codematters
Let's say I want to save an invalid SSL certificate. For example, https://support.mellanox.com belongs to NVIDIA, who acquired Mallox, a data center networking gear company. They paid almost $7 billion but apparently don't have enough funds to keep renewing the site's certificate. But you don't have to click, it looks like this:
To save the cert I click the exclamation mark > Certificate is not valid > Details > Export, and I get the Save As window:
Clicking Save should save the file with either .pem or .crt extension. On Windows, only .crt is natively supported and should be used by default. But it's not:
I am not qualified to say whether this could be exploited but saving anything .com just like that is not good. I came across this by accident while saving the expired NVIDIA cert to share it with someone in the security field.
I tried saving the valid certificate for https://forum.vivaldi.net for comparison. The steps are a bit different but it automatically appends .crt and saves correctly.
In the end it occurred to me to try it with Chrome and it does save the .com too! But Edge does not. So even if it's originally in the upstream code, maybe that should not be an automatic reason to ignore it.
--
ModEdit: Fixed URL
-
@codematters said in Vivaldi saves invalid SSL certificate without file extension:
But Edge does not.
Microsoft Edge developers have their own idea what to patch or not.
@codematters said in Vivaldi saves invalid SSL certificate without file extension:
So even if it's originally in the upstream code, maybe that should not be an automatic reason to ignore it.
Yes.
-
Pathduck Soprano Moderator Supporters
@codematters said in Vivaldi saves invalid SSL certificate without file extension:
If I go to that site I get:
ERR_SSL_UNRECOGNIZED_NAME_ALERT
So possibly something is cached in your browser from allowing it earlier.
If I go to https://expired.badssl.com and do an export I get the below. But I get this in all browsers, including Edge:
The workaround is simply to select the correct type from the dropdown and it will change to that file extension.
Or, just rename the file after download to .cer/.crt/.pem whatever you want.
I am not qualified to say whether this could be exploited but saving anything .com just like that is not good.
.com is an old MSDOS executable format. Windows will simply refuse to run such a file - and it's not an executable in any case.
Saving of expired/invalid certificates is not something regular users are expected to do, it seems to behave the same in all Chromium browsers, and the workaround is simple, so I don't really see any case for anything here.
-
@Pathduck @codematters I can confirm Vivaldi does not add the .crt file type ending to file name.
Looks like a Chromium core bug to be fixed by upstream.
-
yngve Vivaldi Team
@codematters I am not sure, but those dialogs look like standard Windows File Dialogs, not Chromium (or Vivaldi dialogs).
So, as far as Edge "getting it right"; think about who the Edge Browser vendor is. They know all the secrets of those dialogs.
And as @Pathduck says, exporting certs is not something an average user needs to do, or should. (BTW: you could not fix the certificate anyway, the whole point about them is that if modified they become unusable.)
This is something that you should report to the web site admins. (They might also want to actually read their email, since they should have started getting more and more urgent reminder emails from the issuer 3 months ago.)
And AFAICT the server is offline at present, even an SSL test site was not able to connect to the server. Which suggests that they have become aware of the situation and are trying to fix it.
-
@codematters The webserver of Mellanox Support is completely broken and does not handle SSL connections at this time, using a saved certificate does not help you.
Now support.mallox.com is for sale at GoDaddy.
-
@Pathduck said in Vivaldi saves invalid SSL certificate without file extension:
If I go to https://expired.badssl.com and do an export I get the below. But I get this in all browsers, including Edge:
I missed the little certificate icon at the top on Edge. I stand corrected.
Saving of expired/invalid certificates is not something regular users are expected to do, it seems to behave the same in all Chromium browsers, and the workaround is simple, so I don't really see any case for anything here.
Valid certificates append the file extension to the file name. Someone saw the case to do it in that scenario. Hopefully there won't be any .exe TLDs out there, but every properly written application will always save a file with an extension in Windows. If you try to save a file and don't give it an extension in Notepad for example, it will append .txt by default.
@Pathduck said in Vivaldi saves invalid SSL certificate without file extension:
Saving of expired/invalid certificates is not something regular users are expected to do, it seems to behave the same in all Chromium browsers, and the workaround is simple, so I don't really see any case for anything here.
@yngve said in Vivaldi saves invalid SSL certificate without file extension:
@codematters I am not sure, but those dialogs look like standard Windows File Dialogs, not Chromium (or Vivaldi dialogs).
If I try to save this very Page in Vivaldi, the "standard Windows File Dialog" says "Vivaldi saves invalid SSL certificate without file extension _ Vivaldi Forum.html" not "Vivaldi saves invalid SSL certificate without file extension _ Vivaldi Forum"
The workaround is simple and it looks like a standard Windows File Dialog, yet someone went out of their way to make sure the .html is there.
Why try so hard to be an apologist over something that is bad practice at best?
Why is the default position to dismiss issues out of hand because other browsers are faulty too?
If the aim of the Vivaldi browser and community isn't to have a better browser, why bother at all? Let's all use Chrome, no?
-
@codematters That is a Windows issue, not a Vivaldi issue, on Linux you get the file ending .pem for a Base64 encoded cert file
If you think this is a Vivaldi bug, please report issue to Vivaldi bug tracker. Once that is done, share the bug number (beginning with VB-) you got by bug report mail.
Thanks for helping us make Vivaldi better.
-
@DoctorG said in Vivaldi saves invalid SSL certificate without file extension:
@codematters That is a Windows issue, not a Vivaldi issue, on Linux you get the file ending .crt
So there is a special Windows file dialog for saving invalid .pem and .crt files in 3rd party Web Browsers and Microsoft forgot to append the extension?
We must forward this to the Windows team ASAP
-
@codematters said in Vivaldi saves invalid SSL certificate without file extension:
We must forward this to the Windows team ASAP
(ﾉಥ益ಥ）ﾉ彡┻━┻
&
¯\_(ツ)_/¯
@codematters said in Vivaldi saves invalid SSL certificate without file extension:
So there is a special Windows file dialog
Do you really want to hurt me, do you really want to make me cry!????
-
Saving a certificate is a special task for experienced users with knowledge.
But… OMG! If you are not able to check a file, then you are lost in WWW.
This Windows crap detecting file content by filename ending is a MSDOS nonsense.
And you want to follow it. Good. Windows is always a box of maggots.
-
@DoctorG said in Vivaldi saves invalid SSL certificate without file extension:
If you think this is a Vivaldi bug, please report issue to Vivaldi bug tracker. Once that is done, share the bug number (beginning with VB-) you got by bug report mail.
Thanks for helping us make Vivaldi better.
Thank you, will do.
-
@DoctorG said in Vivaldi saves invalid SSL certificate without file extension:
Saving a certificate is a special task for experienced users with knowledge.
But… OMG! If you are not able to check a file, then you are lost in WWW.
This Windows crap detecting file content by filename ending is a MSDOS nonsense.
And you want to follow it. Good. Windows is always a box of maggots.
Let's embed an automatic OS wipe and Linux install in the next Vivaldi setup. We'll be doing the world a favour.
-
@codematters Sad that you need to run Windows with its problems. I feel for you.
Just wait for the first dataloss because of Windows DPAPI encryption and Chromium core login database got broken, it is much fun to restore encrypted data.
-
@DoctorG Bug filed under Key: VB-109597
Thanks again.
-
@codematters VB-109597 "Vivaldi saves invalid SSL certificate without file extension" – Confirmed, no developer assigned.
-
@DoctorG said in Vivaldi saves invalid SSL certificate without file extension:
@codematters Sad that you need to run Windows with its problems. I feel for you.
Just wait for the first dataloss because of Windows DPAPI encryption and Chromium core login database got broken, it is much fun to restore encrypted data.
Good news. There is hope for me yet.
I am starting to choose parts for my next computer, and it will run Linux!
I won't be able to get rid of Windows entirely, but at least I'll keep it in an often backed-up VM. I feel a renewed sense of urgency before DPAPI catches up to me, that perv.
-
@codematters said in Vivaldi saves invalid SSL certificate without file extension:
Bug filed under Key: VB-109597
Thanks.
Thanks again.
You are welcome.
-
yngve Vivaldi Team
@codematters said in Vivaldi saves invalid SSL certificate without file extension:
The workaround is simple and it looks like a standard Windows File Dialog, yet someone went out of their way to make sure the .html is there.
That would have been the Chromium devs, and since the name of the saved HTML file is the title of the page, there is a lot of processing to make it safe for the OS, including adding a HTML extension.
As for the certificate export (which is something only very advanced users should do, especially since it normally is only useful for advanced investigations), that follows a completely different code path, and the suggested name is the certificate's site name (perhaps unless it is one with a different common name), and that is passed to the System Windows File Open/Save dialog, which is supposed to add one of the extensions from the list of extensions used by the content type if one of them isn't already used.
Unfortunately, it looks like Microsoft in their Eternal Wisdom(TM) decided that if there is a ".com" in the suggested file name, then that is what the file is, no need to do any more processing, if it is e.g. a ".net" suffix, then add one of the extensions. The Edge devs probably knew this (again, remember where they work), and added a local patch that they did not upstream to the Chromium team.
As this is something that also happens in current Google Chrome, and is probably a general occurrence in most Chromium-based browsers, I suggest you file a report to the Chromium team instead.
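Added example, not part of the thread and not Chromium's or Vivaldi's code: a sketch of the behaviour discussed above, where the save name derived from the site name always ends in a certificate extension and the file type is decided from the content rather than from a trailing ".com". The function names, the extension list and the PEM-to-.pem / DER-to-.crt mapping are assumptions made for this illustration.

```python
import os

# Extensions a certificate export may legitimately carry (assumed list for
# this example; the browser's real list is not shown in the thread).
CERT_EXTS = {".crt", ".cer", ".pem", ".der"}


def sniff_cert_format(data: bytes):
    """Classify exported bytes by content, never by file name."""
    head = data.lstrip()[:64]
    if head.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"
    # DER X.509: outer SEQUENCE tag 0x30 followed by a long-form length
    # (0x82 = two length bytes), which covers typical certificate sizes.
    if len(data) >= 4 and data[0] == 0x30 and data[1] == 0x82:
        declared = int.from_bytes(data[2:4], "big")
        if declared + 4 == len(data):
            return "der"
    return None


def export_filename(suggested: str, data: bytes) -> str:
    """Return a save name that always ends in a certificate extension."""
    fmt = sniff_cert_format(data)
    if fmt is None:
        raise ValueError("content is not a PEM or DER certificate")
    default_ext = ".pem" if fmt == "pem" else ".crt"
    # Drop path components and trailing dots/spaces, which Windows strips.
    name = os.path.basename(suggested.replace("\\", "/")).rstrip(". ")
    ext = os.path.splitext(name)[1].lower()
    # "support.mellanox.com" has the "extension" .com: it is the TLD, not a
    # file type, so anything outside CERT_EXTS gets the default appended.
    if ext not in CERT_EXTS:
        name += default_ext
    return name


# Constructed sample inputs (not real certificates).
PEM_SAMPLE = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
DER_SAMPLE = bytes([0x30, 0x82, 0x00, 0x03, 0x02, 0x01, 0x00])

if __name__ == "__main__":
    for host in ("support.mellanox.com", "forum.vivaldi.net", "expired.badssl.com.crt"):
        print(host, "->", export_filename(host, DER_SAMPLE))
```

The same content check works for a file that was already saved as ".com": read its bytes, call `export_filename` with the current name, and rename to the result.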
-
And bug reported to Chromium: 367439557 "Export of certificate does not add correct filename ending in file dialog"