Open Bug 444973 Opened 16 years ago Updated 2 years ago

No warning message when redirected from HTTPS to HTTP for file download

Categories

(Toolkit :: Downloads API, defect)

People

(Reporter: mozbugssteve, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [sg:want P5][psm-padlock])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15

The option for warn me when:
"I leave an encrypted page for an unencrypted one." is enabled.

However, when I right click -> hit save as (or even just install an extension), I /should/ receive a warning telling me that I am being moved to an unencrypted page. However, no warning is made.

This is not site specific.

Reproducible: Always

Steps to Reproduce:
0. Make sure "I leave an encrypted page for an unencrypted one." is enabled.
1. Go to a website that redirects a download from HTTPS to HTTP. (an example is listed in the details section)
2. Right click, save as.. or just download.
3. Notice that no warning is given.

Actual Results:
No warning was given.

Expected Results:  
A warning telling me that "I'm leaving an encrypted page for an unencrypted one."
This doesn't need to be private.

Group: security
Summary: No warning message when changing from HTTPS to HTTP via download. → No warning message when redirected from HTTPS to HTTP for file download
Whiteboard: [sg:want P5]
Component: Security → Download Manager
QA Contact: firefox → download.manager
Product: Firefox → Toolkit

Kai, Johnath: what should our security UI be for this case? If you're doing a "save as" you're not exactly leaving the secure page, but the reporter has a point that absent the warning some people might assume all the content was secure.

Status: UNCONFIRMED → NEW
Ever confirmed: true

(In reply to comment #2)
> Kai, Johnath: what should our security UI be for this case? If you're doing a
> "save as" you're not exactly leaving the secure page, but the reporter has a
> point that absent the warning some people might assume all the content was
> secure.

We're getting into edge-case land here, but I think I would have expected the existing "here comes http" dialog to hook in to downloads as well. I don't think most users understand that dialog or can make effective, different decisions with the information it presents, but I do think that people who opt-in, who turn on that pref, have a reasonable expectation that it would apply here too. A patch would be welcome, I think.

The current behavior is, only show those warning messages when the state of the window changes.

We need a new code path that detects the download originated from secure, bring up the insecure warning, but don't change the security state of the originating window.

(In the past we had more naive logic that would change the window state to insecure, if such downloads were initiated, which was not desirable either.)

Also, I wonder if a special, new wording should be used for warning about the insecure-download-from-secure-page.

Also, what should happen if such a download is handled by some in-place content handler, like Acrobat Reader on Windows? (a manual test for old and potential future code)

the edge cases get worse. in theory the user can have 0 browser windows floating around.

so you can't use an infobar on the original window (it can go away before you reach this point), nor any other "clever" state related tricks. if you're using the download manager, you probably don't have any visible ui available.

Originally I wrote:
I think the best thing to do is to make sure the file isn't executable, make sure it is domain bound, and when the download *completes* toss up a slightly different completion notifier:

+--------------------------------------------+
|    ----     The downloaded file was not    |
|   /    \    delivered securely, it could   |
|  | STOP |   have been infected or replaced |
|   \    /    in transit.                    |
|    ----                                    |
|             [Show] File: ...\installer.exe |
|                                            |
| Origin: http://site.com/get/installer.exe. |
|                                            |
|             [ Delete File ] [   Ignore   ] |
|____________________________________________|

Of course, such a dialog only helps the user if the file was replaced. If the file has confidential data, then such a dialog is too late, as it may have been stolen.

+--------------------------------------------+
|    ----     You requested a file from a    |
|   /    \    trusted source, however the    |
|  | STOP |   source has indicated that the  |
|   \    /    file is available from another |
|    ----     location which is not secure.  |
|                                            |
| If the file has confidential information,  |
| then it is possible that someone else will |
| be able to store a copy of the file while  |
| it is downloaded.                          |
|                                            |
| In any case, it is possible that the file  |
| that is retrieved will be infected or      |
| otherwise tampered with in transit.        |
|                                            |
| Origin: https://site.com/go/installer.exe  |
| Link:  http://something.com/installer.exe  |
|                                            |
| [ Help ]    [ Save anyway ] [   Cancel   ] |
|____________________________________________|

And yes, I'm well aware of just how much text this has. I really can't think of any way to condense it.
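The check discussed in the comments above (detect that a download started on HTTPS and was redirected to HTTP, without changing the originating window's security state) together with the Origin/Link fields of the second mockup, as an added example that is not Firefox code and not from any commenter; the function and field names are hypothetical. It goes slightly beyond the thread by also flagging a chain that returns to HTTPS after a plaintext hop.

```javascript
// Added illustration; not Firefox code. All names here are hypothetical.
// The check is a pure function: it reports the downgrade for the download
// UI to act on and never touches the originating window's security state.

function checkDownloadRedirects(startUrl, locationHeaders) {
  let current = new URL(startUrl);
  const startedSecure = current.protocol === "https:";
  let firstInsecure = null;

  for (const location of locationHeaders) {
    // Resolve relative and scheme-relative Location values against the
    // URL that issued the redirect, as a browser does.
    const next = new URL(location, current);
    if (firstInsecure === null && next.protocol !== "https:") {
      firstInsecure = next.href;
    }
    current = next;
  }

  // A plaintext hop taints the rest of the chain: whoever can rewrite that
  // response can redirect the download anywhere, even back to an https URL.
  const warn = startedSecure && firstInsecure !== null;
  return {
    warn,
    origin: new URL(startUrl).href,    // "Origin:" line of the dialog
    link: warn ? firstInsecure : null, // "Link:" line of the dialog
    finalUrl: current.href,
  };
}

// Constructed sample chains; the first uses the URLs from the mockup above.
const samples = {
  downgrade: checkDownloadRedirects("https://site.com/go/installer.exe",
    ["http://something.com/installer.exe"]),
  bounce: checkDownloadRedirects("https://site.example/go/file.zip",
    ["http://mirror.example/file.zip", "https://cdn.example/file.zip"]),
  relative: checkDownloadRedirects("https://site.example/go/file.zip",
    ["/files/file.zip", "//cdn.example/file.zip"]),
  neverSecure: checkDownloadRedirects("http://site.example/go/file.zip",
    ["http://mirror.example/file.zip"]),
};

for (const [name, r] of Object.entries(samples)) {
  console.log(name, r.warn ? `WARN ${r.origin} -> ${r.link}` : "no warning");
}
```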
Whiteboard: [sg:want P5] → [sg:want P5][psm-padlock]
OS: Windows XP → All
Hardware: x86 → All
See Also: → 1068944
Version: unspecified → Trunk
Depends on: 1003738
Severity: normal → S3