1149028 - SHA-1 certificate violation log on Fennec leaks sensitive info in URL

Status: RESOLVED DUPLICATE of bug 1149094

(Firefox for Android Graveyard :: General, defect)

Description

[Muneaki Nishimura]

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36

Steps to reproduce:

1. Install Fennec to an Android device which version is less than 4.0.
2. Launch https://www.google.com/#SECRET_IS_HERE
3. Login to Google
4. Search something with Google


Actual results:

Accessed all URLs contains query string and fragment are put to Logcat like below.

W/GeckoConsole( 2738): [JavaScript Warning: "This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1." {file: "https://www.google.com/#SECRET_IS_HERE" line: 0}]

W/GeckoConsole( 2738): [JavaScript Warning: "This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1." {file: "https://www.google.co.jp/?gfe_rd=cr&ei=GesYVZa#SECRET_IS_HERE" line: 0}]

W/GeckoConsole( 2738): [JavaScript Warning: "This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1." {file: "https://www.google.co.jp/search?q=SEARCHWORD&oq=SEARCHWORD" line: 0}]

On Android 4.0 or less, any application having android.permission.READ_LOGS permission can retrieve other application's log data. And also, it may be sent to the third party as crash logs. So, sensitive information may be leaked.


Expected results:

SHA-1 certificate violation log should remove detailed information from accessed URL.

Comment 1

[James Willcox (:snorp) (jwillcox@mozilla.com) (he/him)]

This is the same as bug 1149094. Browser console on logcat.