Closed
Bug 1225229
Opened 9 years ago
Closed 9 years ago
Awesomebar design makes it easy to spoof security status
Categories (Firefox for Android Graveyard :: Theme and Visual Design, defect)
Tracking (Not tracked)
RESOLVED DUPLICATE of bug 1018994
People (Reporter: April, Unassigned)
Attachments (1 file): 108.38 KB, image/png
The Fennec awesomebar needs to either hide or clearly separate the favicon out of the address bar. Firefox (Desktop) only shows the favicon for bookmarks and the like, and never shows it in the address bar. Other mobile browsers behave the same way. This makes it very clear what the security status of a website is. See attachment for demonstration of this vulnerability. If you know what you're looking for -- namely, the lack of the globe and the missing grayed out https -- you can tell that it's not a secure resource. But I would hazard a guess that 90% of Fennec users would mistakenly think that the URL was secure when it was not.
Comment 1 • 9 years ago (Reporter)
(that should read that you _can't_ tell that it's not a secure resource)
Comment 2 • 9 years ago
Unlike the real lock icon, tapping on this icon won't say your connection is secure. But this is an issue that has come up in the past, maybe we need to revisit the decision to display favicons in the toolbar.
Flags: needinfo?(liuche)
Flags: needinfo?(alam)
Comment 3 • 9 years ago (Reporter)
Sure, but I don't think many users think to tap the lock icon, especially when there are no other errors present.
Comment 4 • 9 years ago
This is a dupe of bug 1018994, I believe.
Comment 5 • 9 years ago (Reporter)
Ah yes, it totally is, although it doesn't use the actual Fennec lock icon. I missed that in my bugzilla search, when working on badssl.com. We can mark this a duplicate if you wish, but it really should get fixed (imo). sworkman: Given that it's now been an open and unfixed security bug for 2 years now, any problems with me adding it to the badssl.com website?
Flags: needinfo?(sworkman)
Comment 6 • 9 years ago
I guess since it's a known issue already per comment #4 we can dup this to bug 1018994. Re: putting on badssl.com, I think the Fennec folks would appreciate more time to decide how and when they're going to fix it.
Flags: needinfo?(sworkman)
Updated • 9 years ago
Group: firefox-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated • 3 years ago
Product: Firefox for Android → Firefox for Android Graveyard