Closed Bug 1150203 Opened 9 years ago Closed 9 years ago

https lock shown with self signed certificate

Categories

(Core :: Networking: HTTP, defect)

37 Branch
x86_64
Linux
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1148328

People

(Reporter: s2, Unassigned)

Details

(Keywords: sec-critical)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150326190726

Steps to reproduce:

- create an http server on port 80 that returns an `Alt-Svc h2=":443"` header (http://look-a-lock-icon.31337.it)
- create an http2 server on port 443 on the same host with a self signed cert
- connect with firefox on port 80
- firefox reads the `Alt-Svc h2=":443"` header and tries to connect with opportunistic encryption, but...
- from the server return a 302 redirect to httpS://look-a-lock-icon.31337.it





Actual results:

firefox shows the secure lock icon in the url bar, without complaining that the cert is self signed


Expected results:

firefox should not show the secure lock icon and complain that the connection is not secure with an error:

look-a-lock-icon.31337.it uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_unknown_issuer)

i have a proof of concept here:
http://look-a-lock-icon.31337.it

i will keep this server up for a while for you to try.


on the backend there is a simple node app:

```javascript
var express = require('express');
var app = express();

app.get('/', function (req, res) {
  // Request carries the Alt-Used header: answer with a redirect to the https:// URL
  if (req.headers['alt-used'] === '1') {
    res.redirect('https://look-a-lock-icon.31337.it');
    return;
  }
  // Request for the https:// URL: serve the page that ends up shown with the lock icon
  if (req.headers['x-forwarded-proto'] === 'https') {
    res.send('look! a lock icon! this is a SECURE httpS site! with a self signed cert!!!');
    return;
  }
//  res.send(JSON.stringify(req.headers));
  // Anything else goes back to the plain http:// URL
  res.redirect('http://look-a-lock-icon.31337.it');
});

var server = app.listen(22025, function () {

  var host = '127.0.0.1';
  var port = server.address().port;

  console.log('Example app listening at http://%s:%s', host, port);

});
```
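An added example, not part of the original report and not Firefox code: a parser for the Alt-Svc field value used in the steps to reproduce (RFC 7838 syntax), plus an audit helper that lists `http://` origins advertising an `h2` alternative, which is the server-side setup a defender can look for in captured response headers. The function names and the sample inputs in the comments are assumptions made for this example.

```javascript
// Added example: Alt-Svc field-value parser and audit helper (names are hypothetical).
'use strict';

// Split on `sep` while ignoring separators inside double-quoted strings.
function splitOutsideQuotes(text, sep) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch === '\\' && inQuotes && i + 1 < text.length) { current += ch + text[++i]; continue; }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === sep && !inQuotes) { parts.push(current.trim()); current = ''; continue; }
    current += ch;
  }
  parts.push(current.trim());
  return parts.filter((p) => p.length > 0);
}

const unquote = (v) => v.replace(/^"|"$/g, '').replace(/\\(.)/g, '$1');

// Parse an Alt-Svc field value, e.g. 'h2=":443"; ma=3600' (constructed sample).
// Returns [] for "clear"; entries that do not match the grammar are skipped.
function parseAltSvc(value) {
  if (value.trim() === 'clear') return [];
  const out = [];
  for (const entry of splitOutsideQuotes(value, ',')) {
    const [alternative, ...params] = splitOutsideQuotes(entry, ';');
    const m = /^([^=\s]+)="([^"]*):(\d{1,5})"$/.exec(alternative);
    if (!m || Number(m[3]) > 65535) continue;
    const alt = { protocol: m[1], host: m[2], port: Number(m[3]), params: {} };
    for (const p of params) {
      const eq = p.indexOf('=');
      if (eq > 0) alt.params[p.slice(0, eq).toLowerCase()] = unquote(p.slice(eq + 1));
    }
    out.push(alt);
  }
  return out;
}

// For a response from an http:// origin, list the h2 alternatives it advertises.
// An empty alt-authority host means "same host as the origin".
function auditAltSvc(originUrl, headerValue) {
  const origin = new URL(originUrl);
  if (origin.protocol !== 'http:') return [];
  return parseAltSvc(headerValue)
    .filter((a) => a.protocol === 'h2')
    .map((a) => ({ origin: origin.host, altHost: a.host || origin.hostname, altPort: a.port,
                   sameHost: a.host === '' || a.host.toLowerCase() === origin.hostname }));
}
```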
Oh, and I think I am eligible for the Bug Bounty (https://www.mozilla.org/en-US/security/bug-bounty/).
Component: Untriaged → Security
Thanks, Simon. This looks like bug 1148328. As for bounty eligibility, I think Al would know.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(abillings)
Resolution: --- → DUPLICATE
If this is a duplicate of a previously reported issue, it is not eligible for a bounty, unfortunately.
Flags: needinfo?(abillings)
maybe "If two or more people report the bug together the reward will be divided among them."  ?
I think that phrase was meant to apply to partnerships and not bugs filed separately 5 days apart, but I'll nominate it for the bounty and see how it goes.
Flags: sec-bounty?
Component: Security → Networking: HTTP
Product: Firefox → Core
Group: network-core-security
Group: network-core-security
No security bounty because this issue was reported on the 27th by someone else.
Flags: sec-bounty? → sec-bounty-
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-critical