Closed Bug 1225229 Opened 9 years ago Closed 9 years ago

Awesomebar design makes it easy to spoof security status

Categories

(Firefox for Android Graveyard :: Theme and Visual Design, defect)

42 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1018994

People

(Reporter: April, Unassigned)

Details

Attachments

(1 file)

The Fennec awesomebar needs to either hide or clearly separate the favicon out of the address bar.

Firefox (Desktop) only shows the favicon for bookmarks and the like, and never shows it in the address bar.  Other mobile browsers behave the same way.  This makes it very clear what the security status of a website is.

See attachment for demonstration of this vulnerability.  If you know what you're looking for -- namely, the lack of the globe and the missing grayed out https -- you can tell that it's not a secure resource.  But I would hazard a guess that 90% of Fennec users would mistakenly think that the URL was secure when it was not.
(that should read that you _can't_ tell that it's not a secure resource)
Unlike the real lock icon, tapping on this icon won't say your connection is secure.

But this is an issue that has come up in the past; maybe we need to revisit the decision to display favicons in the toolbar.
Flags: needinfo?(liuche)
Flags: needinfo?(alam)
Sure, but I don't think many users think to tap the lock icon, especially when there are no other errors present.
This is a dupe of bug 1018994, I believe.
Ah yes, it totally is, although it doesn't use the actual Fennec lock icon. I missed that in my Bugzilla search, when working on badssl.com. We can mark this a duplicate if you wish, but it really should get fixed (imo).

sworkman: Given that it's now been an open and unfixed security bug for 2 years now, any problems with me adding it to the badssl.com website?
Flags: needinfo?(sworkman)
I guess since it's a known issue already per comment #4 we can dup this to bug 1018994. Re: putting on badssl.com, I think the Fennec folks would appreciate more time to decide how and when they're going to fix it.
Flags: needinfo?(sworkman)
Group: firefox-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Moved NI to the other bug.
Flags: needinfo?(liuche)
Flags: needinfo?(alam)
Product: Firefox for Android → Firefox for Android Graveyard