Awesomebar design makes it easy to spoof security status

RESOLVED DUPLICATE of bug 1018994

Status

Firefox for Android
Theme and Visual Design
2 years ago
2 years ago

People

(Reporter: April, Unassigned)

Tracking

42 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Description (Reporter)

2 years ago
Created attachment 8688039 [details]
Is this page secure or not?

The Fennec awesomebar needs to either hide or clearly separate the favicon out of the address bar.

Firefox (Desktop) only shows the favicon for bookmarks and the like, and never shows it in the address bar.  Other mobile browsers behave the same way.  This makes it very clear what the security status of a website is.

See attachment for demonstration of this vulnerability.  If you know what you're looking for -- namely, the lack of the globe and the missing grayed out https -- you can tell that it's not a secure resource.  But I would hazard a guess that 90% of Fennec users would mistakenly think that the URL was secure when it was not.
Comment 1 (Reporter)

2 years ago
(that should read that you _can't_ tell that it's not a secure resource)

Comment 2

2 years ago
Unlike the real lock icon, tapping on this icon won't say your connection is secure.

But this is an issue that has come up in the past, maybe we need to revisit the decision to display favicons in the toolbar.
Flags: needinfo?(liuche)
Flags: needinfo?(alam)
Comment 3 (Reporter)

2 years ago
Sure, but I don't think many users think to tap the lock icon, especially when there are no other errors present.
This is a dupe of bug 1018994, I believe.
Comment 5 (Reporter)

2 years ago
Ah yes, it totally is, although it doesn't use the actual Fennec lock icon. I missed that in my Bugzilla search, when working on badssl.com. We can mark this a duplicate if you wish, but it really should get fixed (imo).

sworkman: Given that it's now been an open and unfixed security bug for 2 years now, any problems with me adding it to the badssl.com website?
Flags: needinfo?(sworkman)
I guess since it's a known issue already per comment #4 we can dup this to bug 1018994. Re: putting on badssl.com, I think the Fennec folks would appreciate more time to decide how and when they're going to fix it.
Flags: needinfo?(sworkman)
Group: firefox-core-security
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1018994

Comment 8

2 years ago
Moved NI to the other bug.
Flags: needinfo?(liuche)
Flags: needinfo?(alam)