Closed Bug 119112 Opened 23 years ago Closed 22 years ago

Don't show "entering secure site", etc. if redirected to insecure immediately

Categories

(SeaMonkey :: General, defect)

x86
Windows 98
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: mpt)

Details

The last three dialogs shown while logging into Hotmail are unnecessary:
 "You have requested an encrypted page", immediately followed by
 "Form submission from https to http" and
 "You are about to leave an encrypted page".

None of these dialogs should be shown.  Instead, Mozilla should pretend that 
nothing was encrypted, since no *page* displayed was encrypted.

Blocks: 119114

I'm guessing IE has zero impediments to Hotmail login?

I get 0 dialogs logging into Hotmail using IE.  With my Mozilla profile, I only
get "Form submission from https to http".  A clean Mozilla profile gives 5-6
dialogs (bug 119114), but I don't have a clean IE installation to test.

I'm still seeing this with build id 2002032203 (win98).

Hotmail login process goes like this:

1-moz displays logon form fetched with HTTP
2-logon form with password submitted to hotmail via HTTPS
3-response received contains redirection to inbox via HTTP
3b-warning is displayed by moz, user clicks continue
4-redirection is followed and inbox appears.

Step 3b message is "although this page is encrypted, the information you have
entered is to be sent over an unencrypted connection...."

I have difficulties intercepting the actual redirect because it is encrypted but
I'm pretty sure the user password is not sent over the unencrypted connection.

We can expect more and more sites to use the hotmail technique for password
transmission since it provides a nice balance between secure (password over
HTTPS) but not overkill (all other pages over HTTP).

It would be nice to consider the form has been sent via HTTPS, and consider the
redirect to be the same as if the user followed an HTTP GET link on an HTTP page:
switching to a less secure page but not actually POSTing to it. After all, a
redirect is always a GET.
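
The rule proposed in the comment above, sketched as an added example that is not part of the original thread and is not Mozilla code: warn about form data only when a request that actually carries it goes out unencrypted, and compare only displayed pages for the enter/leave notices. It goes beyond the comment's case by also covering 307/308 redirects, which re-send the POST body; the hosts, function names and warning labels are assumptions.

```javascript
// Added example (hypothetical names, not Mozilla code).
const isSecure = (url) => new URL(url).protocol === "https:";

// Method of the request that follows a redirect. 307/308 keep the method and
// body; for 301/302/303 browsers turn a POST into a GET. Forms only submit
// GET or POST, so other methods are not handled.
function nextMethod(method, status) {
  if (status === 307 || status === 308) return method;
  return method === "POST" ? "GET" : method;
}

// pageUrl: page holding the form. hops: [{url, status}] in request order,
// status being the response from that URL (3xx = redirect, else displayed).
function warningsFor(pageUrl, submitMethod, hops) {
  const warnings = new Set();
  let method = submitMethod;
  let carriesData = true; // the first request always carries the form fields
  let shown = pageUrl;
  for (const { url, status } of hops) {
    if (carriesData && !isSecure(url)) warnings.add("form-data-sent-insecurely");
    if (status >= 300 && status < 400) {
      method = nextMethod(method, status);
      carriesData = method === "POST"; // only a re-sent body carries the fields
    } else {
      shown = url; // only non-redirect responses become the displayed page
    }
  }
  if (!isSecure(pageUrl) && isSecure(shown)) warnings.add("entering-encrypted-page");
  if (isSecure(pageUrl) && !isSecure(shown)) warnings.add("leaving-encrypted-page");
  return [...warnings].sort();
}

// Constructed sample flows on placeholder hosts: HTTP login page, HTTPS form
// target that redirects with the given status, HTTP inbox.
const LOGIN_PAGE = "http://mail.example/login";
const flow = (status) => [
  { url: "https://login.example/auth", status },
  { url: "http://mail.example/inbox", status: 200 },
];

console.log(warningsFor(LOGIN_PAGE, "POST", flow(302)));
console.log(warningsFor(LOGIN_PAGE, "POST", flow(307)));
```

With a 302 the password never leaves the HTTPS request and no dialog is needed; with a 307 the same chain would re-send the POST body in cleartext, so the form warning remains justified.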

Summary: Don't show "entering secure site" if redirected to insecure immediately → Don't show "entering secure site", etc. if redirected to insecure immediately

WFM at www.hotmail.com and at www.passport.com.  I think this is because Hotmail
changed, not because Mozilla changed.

Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
Component: User Interface Design → Browser-General
Product: Browser → Seamonkey