Closed Bug 321596 Opened 19 years ago Closed 19 years ago

Strange effect in HTTPS site verification

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: hadmut, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051217 Debian/1.5.dfsg-2 Firefox/1.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051217 Debian/1.5.dfsg-2 Firefox/1.5

Hi,

when accessing 
https://downloads.checkpoint.com/dc/login.htm
firefox 1.5 (and the previous versions) use SSL and display the URL with a yellow background, but show the lock symbol with a red bar (while e.g. konquerer shows the lock symbol in the usual way). 

If this is not a bug, then there is something wrong with the web page, which causes firefox to not accept it. Pretty good if firefox does additional tests.
But I could not figure out why firefox is not accepting the site. If there is something wrong with the site, then firefox should give details about, otherwise it is pointless. 

When I check the security tag of the page info dialog, it says

  "...The identity of this web site has been verified by 
   Verisign, Inc...."

So what's wrong then? Why does the browser show that there's something wrong, while the page info says it's signed properly?

The only hint I could see is that the page info says that the connection is "Partially encrypted: Parts of the page were not encrypted before being transmitted over the Internet."

What exactly does this mean? Are there unencrypted graphic elements? Frames? Includes? Styles? And if so, is this the reason for the negative lock symbol? It is pretty difficult to figure out what firefox is complaining about.  

 

Reproducible: Always

Steps to Reproduce:
1. Get https://downloads.checkpoint.com/dc/login.htm
2. View the security symbols in the URL bar and the status line at the browser window bottom
3. Compare with the info on the security tab of the page info dialog.
Partially encrypted means that some parts of the page are loaded from unencrypted http: addresses instead of SSL encrypted https: addresses. In such cases, it is possible that some information might leak out when you submit the page and be visible to someone sniffing the network.

I think this is invalid and not security sensitive. dveditz, leaving it to you to open it up.

The slashed lock means "mixed" content. If you think all the content is served over SSL and the mixed icon is in error then that would be a bug, but would not need to be a confidential one.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.