Bug 418040: site loses verified identity after redirect
Opened 16 years ago, closed 16 years ago
Status: RESOLVED INVALID
Categories: Core Graveyard :: Security: UI, defect
Tracking: Not tracked
People: Reporter: info, Assigned: KaiE
Keywords: relnote
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008021607 Minefield/3.0b4pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008021607 Minefield/3.0b4pre

In the explanation of Extended Validation (EV) SSL certificates in the release notes for FF3b3, the _Try it here!_ link goes to https://www.britishairways.com/ This is indeed green with more information, but after it redirects to https://www.britishairways.com/travel/home/public/en_us , the green certificate goes away.

Reproducible: Always

Steps to Reproduce:
1. Go to https://www.britishairways.com/
2. Wait until it redirects

Actual Results:
The initial URL has the green section and clicking its "favicon" displays more info about britishairways.com. But when it redirects I get a white URL, and "you are connected to an unverified site". This happens even though for me, the redirect is to https://www.britishairways.com/travel/home/public/en_us , on the same apparent site. If I paste the new URL into the location bar, it appears green with verification.

Expected Results:
The green verified state shouldn't be lost. It could be just a quirk of britishairways.com, I haven't found a similar situation on another secure site to try. (FWIW charlesschwab.com's redirect for error pages doesn't lose its "green-ness".)
Comment 1•16 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008021722 Minefield/3.0b4pre ID:2008021722

I see this too, but I see it with Opera 9.26 as well.
Version: unspecified → Trunk
Comment 2•16 years ago
Moving to Core->Security:UI since it sounds to me like the UI is responding to PSM signals that the site is, and then isn't, securely identified. This bug MAY be INVALID, if PSM is doing this deliberately because britishairways is redirecting through an http link. I'm not actually clear on the policy stance that PSM takes here, but I know Opera treats an https->http->https redirect as insecure, since that http link could have been tampered with. Still, in this case it seems a little odd - if the top-level document at the end of the whole chain was served in an EV way, it feels like we can confidently assert its EV status. On the other hand, it might not be the EV page they *wanted* to go to, since an attacker could reroute the http step to a site under their control with an EV cert. All of this is conjecture though, moving to the component where the answers are. :)
Assignee: nobody → kengert
Component: Location Bar and Autocomplete → Security: UI
OS: Windows XP → All
Product: Firefox → Core
QA Contact: location.bar → ui
Hardware: PC → All
Comment 3•16 years ago (Assignee)
I don't get an automatic redirect.

I start and go to https://www.britishairways.com/
shows green

Then I manually go to https://www.britishairways.com/travel/home/public/en_us

This brings me to a site with "mixed content", refer to the red icon in the lower right corner. You don't get green, because of the mixed content. I can see a script being loaded from plain http.

I think this bug is invalid. Please reopen if you see something else.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
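The mixed-content condition described in comment 3, as an added example that is not part of the bug thread or of Mozilla's code: a static check that lists the subresources an https page would fetch over plain http, which is what costs the page its verified indicator. The tag list, sample URL and sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch (a subset chosen for this example).
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "embed": "src", "object": "data", "link": "href"}


class MixedContentFinder(HTMLParser):
    """Collects subresources that an https page would load over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: navigation, not a subresource load
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as page content here
        value = attrs.get(attr)
        if not value:
            return
        # Resolve relative and scheme-relative (//host/path) references
        # against the page URL before looking at the scheme.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(tag, url), ...] for every plain-http subresource of an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for https pages")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure


# Constructed sample: placeholder hosts, not the real site's markup.
SAMPLE_URL = "https://www.example.com/travel/home/public/en_us"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://stats.example.net/track.js"></script>
<script src="//cdn.example.com/app.js"></script>
</head><body><img src="images/logo.png">
<a href="http://www.example.com/help">help</a></body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
```

Only the explicit `http://` script is reported; the relative and scheme-relative references inherit https from the page, and the plain-http `<a href>` is a navigation link rather than loaded content.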
Comment 4•16 years ago

Kai, I probably get redirected because I have BA_COUNTRY_CHOICE_COOKIE set (to "US"). Thanks for explaining why the U.S. landing page isn't green.

Since quite a few FF3 users will get redirected, the release notes (currently http://en.www.mozilla.com/en/firefox/3.0b3/releasenotes/) should use a different URL than https://www.britishairways.com/ as the "Try it here!" example for "the site favicon button will turn green and show the name of the company you're connected to". I filed bug 419151 for that bug, I agree this one is RESOLVED INVALID.
Comment 5•16 years ago (Assignee)
Mike, this bug proposes the Firefox release notes shall not point to britishairways as an EV example site.
Updated•8 years ago
Product: Core → Core Graveyard