flatpak.github.io
SSL certificate with incorrect domain used for https://www.flatpak.org URL
Summary
If rather than https://flatpak.org, a user visits https://www.flatpak.org, an SSL cert for *.apps.openshift.gnome.org will be used rather than the expected flatpak.org domain.
I tried a few variants and included a quick breakdown of valid vs. invalid certificates by URL.
- As far as I can tell, errors occur with all https://www. variants.
- Additionally, errors occur at https://flatpak.org/, but only for that specific URL with a slash at the end.
- Aside from the above, https://flatpak.org and all its subpages appear to use the correct certificate.
I also included a full breakdown of the URLs I tried below the screenshots in the details.
Details
I stumbled on this accidentally while clicking a link to https://www.flatpak.org from documentation elsewhere:
Inspecting the certificate shows a wildcard cert of *.apps.openshift.gnome.org
Full breakdown
- ✅ https://flatpak.org - Correct cert for the flatpak.org domain.
- ❌ https://flatpak.org/ - wildcard openshift cert. Note: Your browser may strip the slash off the end of the URL when you click the link, but manually entering it into the address bar causes the issue.
- ❌ https://www.flatpak.org - wildcard openshift cert
- ❌ https://www.flatpak.org/ - wildcard openshift cert
Given the case with the / at the end of the domain, I also checked a few URLs in addition to the base URL:
- ✅ https://flatpak.org/about (redirects to /about/)
- ✅ https://flatpak.org/about/
- ❌ https://www.flatpak.org/about/
- ✅ https://flatpak.org/setup (redirects to /setup/)
- ✅ https://flatpak.org/setup/
- ❌ https://www.flatpak.org/setup/
- ✅ https://flatpak.org/setup/Manjaro
- ✅ https://flatpak.org/setup/Manjaro/ (redirects to /setup/Manjaro)
- ❌ https://www.flatpak.org/setup/Manjaro
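As an added example (not code from the issue or from the Flatpak project), the following script reproduces the check a browser performs on the certificates above: it applies the standard hostname-matching rule to a certificate's DNS SANs, showing why a `*.apps.openshift.gnome.org` wildcard cannot cover `www.flatpak.org` or `flatpak.org`, and runs it over a constructed table of the URL/certificate pairs from the breakdown. The SAN lists and the `OBSERVED` table are assumptions built from the report, not captured data.

```python
import socket
import ssl
from urllib.parse import urlsplit

def hostname_matches(hostname, san_names):
    """True if hostname is covered by a DNS SAN, per the RFC 6125 rule browsers use:
    a wildcard is honoured only as the leftmost label and stands for exactly one label,
    so *.apps.openshift.gnome.org never covers www.flatpak.org or flatpak.org."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):          # label counts must agree exactly
            continue
        if labels[0] == "*":
            if len(host) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False

# Constructed SAN lists standing in for the two certificates named in the report.
FLATPAK_CERT = ["flatpak.org"]
OPENSHIFT_CERT = ["*.apps.openshift.gnome.org"]

# Constructed from the breakdown: which certificate each URL was observed to serve.
OBSERVED = {
    "https://flatpak.org": FLATPAK_CERT,
    "https://flatpak.org/": OPENSHIFT_CERT,
    "https://www.flatpak.org": OPENSHIFT_CERT,
    "https://flatpak.org/about/": FLATPAK_CERT,
    "https://www.flatpak.org/about/": OPENSHIFT_CERT,
}

def audit(observed):
    """Map each URL to whether the served certificate is valid for the URL's hostname."""
    return {url: hostname_matches(urlsplit(url).hostname, sans) for url, sans in observed.items()}

def live_dns_sans(hostname, port=443):
    """Network helper (not run offline): fetch the leaf certificate's DNS SANs.
    Chain validation stays on; only the name check is left to hostname_matches()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we compare names ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED   # CA chain is still verified
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
```

`audit(OBSERVED)` yields False exactly for the ❌ rows; to repeat the live check, pass `live_dns_sans("www.flatpak.org")` to `hostname_matches` (note that the TLS handshake happens before any path is sent, so a per-path difference like the trailing-slash case points at routing in front of the site rather than the page itself).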
I can confirm this issue. Some of the pages indeed seem to use a certificate for *.apps.openshift.gnome.org. Probably a CDN issue?
/cc @barthalion
This is fixed now.