HTTPS - verification of server SSL certificate by the browser


I have one doubt regarding the process of server SSL certificate verification by the web browser (like Firefox/Chrome).

I read a lot about mechanisms which minimize the risk of misissued CA/intermediate CA certificates (i.e. a hacked CA, or certificates mistakenly issued to entities who actually shouldn't receive them) being used by attackers/hackers, such as the HPKP HTTP header or Certificate Transparency logs.

According to the explanations I read, a potential attacker could present this wrongly issued certificate to impersonate the end server and hijack content from a request sender which is expected to be encrypted.

But how is it possible? What is the mechanism of verification of certificate by the browser?

When I used programming libraries to execute requests to APIs over HTTPS, there was an option turned on by default to compare the "Subject" field in the certificate with the URL I passed to query the service. If the comparison failed, the communication was broken off. This setting can be bypassed (in Apache HttpClient it is called NoopHostnameVerifier). If I understand well, this functionality means that if I possess the domain, for example, "blablabla.com" and present a misissued certificate for the domain "xyxyxy.xom" with a valid signature of the CA, the HTTP client will block the connection due to the mismatch between the Subject in the certificate and the requested URL.

How does it work in browsers? Does the browser do the comparison between the Subject in the X.509 certificate and the URL in the address bar? If not, why don't browsers do this comparison? If yes, do the browsers block this request, or just render some warning?

In other words: is a correctly verified signature of the CA the only condition to acknowledge the certificate and the whole server's response with that certificate as valid? Is a mismatch between the "Subject" field in X.509 and the URL in the address bar neglected by the browser in this case?

Browsers do a very extensive check before accepting server certificate, including chain validation, name comparison, etc. Here is a relevant thread which answers your question: https://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity