SSL spoof when a malformed Content-Type is returned in 4xx pages

Status: RESOLVED INVALID
Product: Firefox
Component: Untriaged
Reporter: Mustafa Hasan (strukt)
Assignee: Unassigned
Version: 45 Branch
Firefox Tracking Flags: (Not tracked)
Reported: 5 months ago

Description (Reporter, 5 months ago)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20170419042421

Steps to reproduce:

Visit http://strukt.tk/pocs/ffsslspoof.html and click the link in the page; notice that the page gets the SSL icon even though it's served over HTTP.


Actual results:

When a 4xx response is returned, along with a malformed value for the Content-Type header (such as Content-Type: ; charset=utf-8), if the requested page was requested over HTTPS, the original page requesting the 4xx page gets the SSL lock automatically.


Expected results:

The original page shouldn't get an SSL lock icon.
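The header value quoted in the report, "Content-Type: ; charset=utf-8", has no type or subtype at all. The following is an added example, not code from the report or from Firefox, showing how a strict RFC 7231 media-type check treats such a value compared with a lenient parser (Python's email.message silently substitutes text/plain when it cannot find a "/"). The parser, the audit_response helper and the 404 response it inspects are all constructed for this example.

```python
"""Strict Content-Type validation for HTTP responses (added example)."""
import email.message
import re

# tchar from RFC 7230 section 3.2.6
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE = re.compile(rf"^({_TOKEN})/({_TOKEN})$")
# parameter = token "=" ( token / quoted-string )
_PARAM = re.compile(rf'^({_TOKEN})=({_TOKEN}|"(?:[^"\\]|\\.)*")$')


def parse_content_type(value):
    """Return (type, subtype, params) for a well-formed media type, else None.

    Unlike the email module this never invents a default: an empty type,
    a missing subtype, an empty parameter segment or a bare "; charset=utf-8"
    all yield None.
    """
    parts = [p.strip() for p in value.split(";")]
    m = _MEDIA_TYPE.match(parts[0])
    if m is None:
        return None
    params = {}
    for raw in parts[1:]:
        pm = _PARAM.match(raw)
        if pm is None:
            return None  # covers the empty segment left by a trailing ';'
        name, val = pm.group(1).lower(), pm.group(2)
        if val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unescape quoted-pair
        params[name] = val
    return m.group(1).lower(), m.group(2).lower(), params


def lenient_content_type(value):
    """What the stdlib's lenient parser reports for the same header value."""
    msg = email.message.Message()
    msg["Content-Type"] = value
    return msg.get_content_type()  # falls back to text/plain on malformed input


def audit_response(raw):
    """Parse a raw HTTP/1.1 response head and report Content-Type findings."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    ct = headers.get("content-type")
    parsed = parse_content_type(ct) if ct is not None else None
    return {
        "status": status,
        "content_type": ct,
        "well_formed": parsed is not None,
        "media_type": f"{parsed[0]}/{parsed[1]}" if parsed else None,
        "lenient_guess": lenient_content_type(ct) if ct is not None else None,
        "is_error": 400 <= status < 600,
    }


# Constructed sample response modelled on the header value quoted in the report.
SAMPLE_4XX = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: ; charset=utf-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit_response(SAMPLE_4XX))
```

Running the module prints the audit of the constructed 404: the strict parser reports well_formed False with no media type, while the lenient parser reports text/plain for the same bytes. That gap is the reason response-validation tooling should fail closed on an unparseable Content-Type instead of normalising it to a default.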

Comment (5 months ago)

45 ESR is end of life already - the next Firefox release will be against the newer 52 ESR. Can you reproduce on a current version of Firefox, on a clean profile? I can't reproduce on 54 beta (https://beta.mozilla.org/) on OS X, or on Windows with a downloaded 45 nightly from December last year... Potentially relevant: the link points me to an SSL error page because the cert on the link target doesn't match the cert domain.

If I accept the cert exception, I see an SSL lock for https://console.prod.gnip.com/profile.php . As best I can tell that transfer actually happened over SSL and the lock (and the detailed information about the cert when opening the identity popup from the lock) are all correct. If this is also what you're seeing, can you elaborate on how it's wrong? If you're seeing something else, can you describe and/or screencast what you're seeing instead?
Flags: needinfo?(strukt93)

Updated (Reporter, 5 months ago)

Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 months ago
Flags: needinfo?(strukt93)
Resolution: --- → INVALID

Comment

Unhiding given the reporter resolved as invalid...
Group: firefox-core-security