Closed
Bug 1150203
Opened 9 years ago
Closed 9 years ago
https lock shown with self signed certificate
Categories
(Core :: Networking: HTTP, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1148328
People
(Reporter: s2, Unassigned)
Details
(Keywords: sec-critical)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Build ID: 20150326190726 Steps to reproduce: - create an http server on port 80 that returns an `Alt-Svc h2=":443"` header (http://look-a-lock-icon.31337.it) - create an http2 server on port 443 on the same host with a self singed cert - connect with firefox on port 80 - firefox reads the `Alt-Svc h2=":443"` header and tries to connect with opportunistic encryption, but... - from the server return a 302 redirect to httpS://look-a-lock-icon.31337.it Actual results: firefox shows the secure lock icon in the url bar, without complaining that the cert is self signed Expected results: firefox should not show the secure lock icon and complain that the connection is not secure with an error: look-a-lock-icon.31337.it uses an invalid security certificate. The certificate is not trusted because it is self-signed. (Error code: sec_error_unknown_issuer)
i have a proof of concept here: http://look-a-lock-icon.31337.it i will keep this server up for a while for you to try. on the backend there is a simple node app: var express = require('express'); var app = express(); app.get('/', function (req, res) { if (req.headers['alt-used'] === '1') { res.redirect('https://look-a-lock-icon.31337.it'); return; } if (req.headers['x-forwarded-proto'] === 'https') { res.send('look! a lock icon! this is a SECURE httpS site! with a self signed cert!!!'); return; } // res.send(JSON.stringify(req.headers)); res.redirect('http://look-a-lock-icon.31337.it'); }); var server = app.listen(22025, function () { var host = '127.0.0.1'; var port = server.address().port; console.log('Example app listening at http://%s:%s', host, port); });
Oh, and I think I am eligible for the Bug Bounty (https://www.mozilla.org/en-US/security/bug-bounty/).
Thanks, Simon. This looks like bug 1148328. As for bounty eligibility, I think Al would know.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(abillings)
Resolution: --- → DUPLICATE
Comment 4•9 years ago
|
||
If this is a duplicate of a previously reported issue, it is not eligible for a bounty, unfortunately.
Flags: needinfo?(abillings)
maybe "If two or more people report the bug together the reward will be divided among them." ?
Comment 6•9 years ago
|
||
I think that phrase was meant to apply to partnerships and not bugs filed separately 5 days apart, but I'll nominate it for the bounty and see how it goes.
Flags: sec-bounty?
Updated•9 years ago
|
Component: Security → Networking: HTTP
Product: Firefox → Core
Updated•9 years ago
|
Group: network-core-security
Updated•9 years ago
|
Group: network-core-security
Comment 7•9 years ago
|
||
No security bounty because this issue was reported on the 27th by someone else.
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
Keywords: sec-critical
You need to log in
before you can comment on or make changes to this bug.
Description
•