262689 - lock icon and certificates spoofable with "view-source:"

Status: RESOLVED FIXED

(Core :: Security, defect)

Description

[u115577]

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ja-JP; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ja-JP; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

I found a security issue with "view-source:".

When I viewed the source of a secure site in the browser window (e.g.
"view-source:https://bugzilla.mozilla.org/" with a bookmarklet instead of
Ctrl+U), the lock icon and certificates were kept in the location bar. 

So I thought this bug can be used for the certificate spoofing.
I wrote simple testcase based on Bug 253121.

Reproducible: Always
Steps to Reproduce:
1. Load testcase
2. Right click page -> View Page Info, go to security tab
3. Notice that the site (mozilla.org) appears to be secure, 
   and the certificate from https://www.paypal.com/ is shown

Comment 1

[u115577]

Attachment: Testcase

Comment 2

[u115577]

Source of testcase:

<html>
<head>
<meta http-equiv="refresh" content="0;url=view-source:https://www.paypal.com/">
</head>
<body onunload="window.location.replace('http://www.mozilla.org/');"></body>
</html>

Comment 3

[u115577]

Site name with lock icon on status bar (Firefox) is also spoofable.

[1] http://www.aaa.com/
     |
 (redirect) <= certificate of [2] https://www.bbb.com/
     | 
[3] http://www.ccc.com/

In this case, site name on status bar will be "www.aaa.com".
But if [3] is http://www.aaa.com/ddd/, it is easier to lead users to believe
that "www.aaa.com" is secure.

Once the certificate is issued, browser (tab) keeps it after that.

Comment 4

[Daniel Veditz [:dveditz]]

->Johnny who fixed similar bug 253121
Confirming in both Firefox and Mozilla Suite.

Probably should block Aviary; presuming so, chofmann can clear if he disagrees.

Comment 5

[u115577]

Bookmarklet I used:

  javascript: location.href = 'view-source:' + location.href;

Save on Bookmarks Toolbar, go to secure (https:) site, and just click it.
"view-source:" urls seem to bypass security checks :-(

Comment 6

[Johnny Stenback (:jst)]

Attachment: Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

Comment 7

[Christopher Aillon (sabbatical, not receiving bugmail)]

Comment on attachment 161523 [details] [diff] [review]
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

This makes sense, and if jst has tested it, all the better.  The old code was
bad, and this is a good change nonetheless.  r=caillon

Comment 8

[Daniel Veditz [:dveditz]]

Comment on attachment 161523 [details] [diff] [review]
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

sr=dveditz

Comment 9

[Asa Dotzler [:asa]]

Comment on attachment 161523 [details] [diff] [review]
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

a=asa for branches checkins.

Comment 10

[Johnny Stenback (:jst)]

Fixed on trunk and branches.

Comment 11

[u115577]

I confirmed that testcase didn't work with 2004-10-09 Branch for Mac.
But location bar was still yellow when I opened the following link
view-source:https://bugzilla.mozilla.org/

Of course bookmarklet (see comment 5) produced the same result.

Is this ok?

Comment 12

[Johnny Stenback (:jst)]

(In reply to comment #11)
> I confirmed that testcase didn't work with 2004-10-09 Branch for Mac.
> But location bar was still yellow when I opened the following link
> view-source:https://bugzilla.mozilla.org/
> 
> Of course bookmarklet (see comment 5) produced the same result.
> 
> Is this ok?

Yes, that's fine as long as the certs used are from the right host
(bugzilla.mozilla.org in this case) and not from any other site.

Comment 13

[Daniel Veditz [:dveditz]]

Security Advisories published, clearing confidential flag