Closed Bug 121361 Opened 23 years ago Closed 23 years ago

Navigator: Untrustable security information due to incomplete navigator tab support

Categories

(Core Graveyard :: Security: UI, defect, P4)

1.0 Branch
x86
All

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 101723
psm2.2

People

(Reporter: dolmen, Assigned: ssaux)

Details

(Keywords: privacy)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.7) Gecko/20011221
BuildID:    2001122106

In Mozilla 0.9.7 you cannot trust security information when using navigator
tabs due to incomplete support of navigator tabs:
- in the security tab in page info
- the "secure/insecure" icon of the Navigator status bar always displays the
status of the first Navigator tab instead of the current tab as expected.
- when clicking on the "secure/unsecure" icon, the Page Info of the first tab is
shown instead of the Page Info of the current tab as expected.

This is a major security problem.

This bug is for tracking the general issue.
I will create two bugs (see dependencies) for tracking :
- the Page Info/security tab
- the "secure/insecure" icon

This is a GUI problem that will probably only require XUL fixes.




Reproducible: Always
Steps to Reproduce:
- New navigator window: http://slashdot.org/
- New navigator tab: https://agia.fsf.org/ (note that it is HTTP over SSL).
Check the Accept the certificate (the bug is not related to that).
From now, all the tests are when the FSF page is displayed.
Problem : the "secure/insecure" icon of the status bar is shown as insecure
(unlocked). It should be "secure".
- Right-click the page, "Page Info", "Security" tab.
Problem : the lower part of the tab says "Connection Not Encrypted. The web site
slashdot.org does not support encryption..." This is wrong as the information
should refer to the FSF page. The other tabs of the Page Info window correctly
refer to the FSF page.
- Click the "secure/insecure" icon of the status bar.
Problem: all tabs of the "Page Info" window show information about the first
Navigator tab (slashdot). They should show information about the FSF page.


Do the other way, now.
- New navigator window: https://agia.fsf.org/ 
- New navigator tab: http://slashdot.org/
From now all the tests are done when the Slashdot page is displayed.
Problem : the "secure/insecure" icon of the status bar is shown as secure
(locked). It should be "insecure" as Slashdot is not https.
- Right-click the page, "Page Info", "Security" tab.
Problem : the top part says "Web Site Identity Verified. The web site
slashdot.org support authentication for the page you are viewing. The identity
of this web site has been verified by Free Software Foundation, a certificate
authority you trust for this purpose." It should say that the web site identity
was not verified. However it seems to refer to the FSF page but with the Slashdot
host inserted. Big confusion!
Problem : the lower part says "Connection Encrypted: High grade encryption (RC4
128bit) . The page you are viewing was encrypted before being transmitted over
the Internet."
It should say that the connection is not encrypted.
The other tabs are ok.
- Click the "secure/insecure" icon of the status bar.
Problem: all tabs of the "Page Info" window show information about the first
Navigator tab (slashdot). They should show information about the FSF page.
- Switch to the first tab (with the FSF page)
- Close the tab (with the close icon). The slashdot page is now the only page in
this window.
- Right-click the page, "Page Info", "Security" tab.
Problem : the top part still says "Web Site Identity Verified. The web site
slashdot.org support authentication for the page you are viewing. The identity
of this web site has been verified by Free Software Foundation, a certificate
authority you trust for this purpose."
We are in a case where the security tab shows information about a site that is
not even shown anywhere!

I also verified the bug with other sites than slashdot.org/agia.fsf.org.
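
A minimal model of the failure described in this report, added here as an illustration: it is not Mozilla code and not part of the original report. The window-scoped state is an assumed cause, used only to reproduce the reported symptoms, and every class and method name is hypothetical. It replays the second scenario and compares a window-scoped indicator with a per-tab one.

```javascript
// Added illustration, not Mozilla code; every name here is hypothetical.
class TabbedWindow {
  constructor() {
    this.tabs = [];          // each entry: { host, encrypted }
    this.selected = -1;
    this.windowState = null; // flawed design: one security state per window
  }

  open(url) {
    const u = new URL(url);
    // Constructed stand-in for real TLS state: "https:" counts as encrypted.
    const tab = { host: u.host, encrypted: u.protocol === "https:" };
    this.tabs.push(tab);
    this.selected = this.tabs.length - 1;
    // Flaw: state is captured once, from the first page loaded in the window.
    if (this.windowState === null) this.windowState = { ...tab };
    return this.selected;
  }

  close(index) {
    this.tabs.splice(index, 1);
    // Keep the selection on the same page, or move it to the new last tab.
    if (index < this.selected || this.selected >= this.tabs.length) this.selected--;
  }

  // Flawed indicator: host comes from the visible tab, status from the window.
  flawedIndicator() {
    return { host: this.tabs[this.selected].host, encrypted: this.windowState.encrypted };
  }

  // Corrected indicator: everything comes from the tab that is displayed.
  perTabIndicator() {
    const tab = this.tabs[this.selected];
    return { host: tab.host, encrypted: tab.encrypted };
  }
}

// Second scenario from the report: HTTPS page first, then an HTTP page in a new tab.
function replaySecondScenario() {
  const w = new TabbedWindow();
  w.open("https://agia.fsf.org/");
  w.open("http://slashdot.org/");
  const beforeClose = { flawed: w.flawedIndicator(), fixed: w.perTabIndicator() };
  w.close(0); // only the HTTP page remains in the window
  const afterClose = { flawed: w.flawedIndicator(), fixed: w.perTabIndicator() };
  return { beforeClose, afterClose };
}

console.log(JSON.stringify(replaySecondScenario(), null, 2));
```
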
Depends on: 101723
I found the bug 101723 that already deals with the "lock" icon.
I created the bug 121362 to track the "Page Info"/"Security Tab" problem.
Added the 'privacy' keyword as in bug 101723.
Depends on: 121362
Keywords: privacy
Status: UNCONFIRMED → NEW
Depends on: 120043
No longer depends on: 121362
Ever confirmed: true
->PSM.

Reporter, what is a "navigator tab?" Do you mean a sidebar panel? Or a frame?
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: other → 2.2
This is tabbed browsing.

All issues of this bug are covered by other bugs.

Marking as dupe of 101723.

The bottom line is that if you're concerned about security, you shouldn't use
tabbed browsing.



*** This bug has been marked as a duplicate of 101723 ***
Status: NEW → RESOLVED
Closed: 23 years ago
No longer depends on: 101723, 120043
Priority: -- → P4
Resolution: --- → DUPLICATE
Target Milestone: --- → 2.2
Mitchell: a navigator tab is what you get with menu File/New/Navigator Tab in
Navigator (or Ctrl+T)
Verified dupe.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.2 → 1.0 Branch
Product: Core → Core Graveyard