Hi.
Firefox rises a certificate error for third level domains (typically www.site.com) when the certificate is issued to site.com, whereas others browsers (Chrome, Edge) assume it is ok.
Is this a choice due to some exploitable scenario, or is it simply a missing regexp check?
Thanks
That’s expected behavior. Firefox is stricter with SSL rules — a cert for site. comdoesn’t cover www.site. com unless it’s listed in the SAN or you use a wildcard (*.site. com). Chrome and Edge are a bit more lenient, but Firefox is following the spec.
One more thing I forgot to mention: this isn’t really a “Firefox quirk,” it’s more that Chrome/Edge sometimes try to be helpful by accepting borderline cases. From a proper TLS point of view, the certificate has to explicitly match the exact hostname, otherwise it’s technically invalid. 