Closed Bug 1680244 Opened 5 years ago Closed 5 years ago

Firefox 83 hides information about the connection when requesting a pdf file from a remote unsecure resource

Categories

(Firefox :: Site Identity, defect)

RESOLVED DUPLICATE of bug 1667965

People

(Reporter: andreadari91, Unassigned)

Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Attached image Firefox 83.png

When using Firefox 83 to request and open a PDF file from a remote unsecure resource (http), clicking on the information icon in the address bar does not show any information about the connection used to retrieve the file, as you can see in the "Firefox 83.png" attachment.
Firefox reports only a generic: "This page is stored in your computer".
This happens not only when the file is cached but also when it is retrieved from the remote resource for the first time.
See the developer tools in the same screenshot with the network requests.

In contrast, the same thing with Firefox 78.5 ESR, as you can see from the other screenshot I have attached to this report ("Firefox 78.5 esr.png"), is shown correctly: the connection information reports "Connection not secure", as it should.

Flags: sec-bounty?
Attached image Firefox 78.5 esr.png

Johann, can you take a look? This seems unfortunate.

Type: task → defect
Component: Security → Site Identity
Flags: needinfo?(jhofmann)

This isn't really a "vulnerability" (something that could be used to attack users) so we can unhide this. As a workaround people can check the status in DevTools (as shown in the picture) but this definitely ought to get fixed.

Note that in the original "working" picture we're not showing a lock either, possibly confused by the fact that the document is actually an internal resource: page that has processed the downloaded PDF data.

Might also be something the PDF folks did, or maybe some Fission refactoring led to us losing information about the original source.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(bdahl)
Group: firefox-core-security
QA Whiteboard: [qa-regression-triage]

Daniel, in Firefox 78.5 ESR the address bar shows an information icon, which prior to the Firefox 70 release means an unsecure connection, as stated here: https://blog.mozilla.org/security/2019/10/15/improved-security-and-privacy-indicators-in-firefox-70/
This article states "We also announced our intent to expand by showing a negative indicator for all HTTP pages as HTTPS adoption increases" and again "We will remove the “information” icon. The lock icon will be the new entry point for accessing security and identity information about the website.", so in this case I think this change has been left behind, maybe by mistake.
And in fact clicking on it shows the unsecure connection info and gives the possibility to "Clear cookies and site data"; Firefox recognizes the original resource.

This is not the case with Firefox 83, where the user is tricked into thinking that all is OK with the connection. Think about a site served over https that redirects its users, when they request a PDF, to a resource of the same site but over http: Firefox gives erroneous information, "This page is stored on your computer", which is not true; it has been retrieved from an unsecure resource, so it can be manipulated or tampered with, eavesdropped, etc.

For me it is a security issue, no doubt. It should have been hidden.

Flags: needinfo?(dveditz)

> "We will remove the “information” icon. The lock icon will be the new entry point for accessing security and identity information about the website.", so in this case I think this change has been left behind, maybe by mistake.

I'll leave the final determination to Johann, but I think it's a symptom of the same issue. When we display a PDF, the document shown is not actually the literal contents of the displayed URL, but rather a local document template into which the processed PDF data is painted. It looks like we've changed the icon we use for this case, but they mean the same thing so that part has been broken for a long time. Users shouldn't have to open up the site identity panel to find out whether a document was loaded securely or not, it should show the lock state. There appears to be an additional regression in the contents of the site information box when you click on the icon. Arguably two separate bugs, one more recent than the other.

> Firefox gives an erroneous information "This page is stored on your computer" which is not true, has been retrieved from an unsecure resource

Yes, that's definitely a bug. It's apparently reporting the state of the internal template document used to process the PDF data. The addressbar in the PDF case has always been a bit of a lie so we're showing something that reflects the user's mental model of what's going on rather than leaking irrelevant details about our internal processing model. We apparently didn't account for our need to lie in some recent change :-)

> For me it is a security issue, no doubt. It should have been hidden.

Those are two separate things. Yes, it has a negative security impact for users, but it doesn't need to be hidden. Exposing this doesn't make it any more or less useful as a way to attack people, and perhaps being public will help people know they have to be careful.

Flags: needinfo?(dveditz)

Yeah, I agree this isn't great but also not a security vulnerability in itself; it's also a dupe of bug 1667965.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jhofmann)
Flags: needinfo?(bdahl)
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
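
The workaround mentioned in this thread is to check the connection in DevTools. As an added example (not Firefox code and not written by anyone in this bug), the Node.js script below scans a HAR export of the Network panel for PDF responses delivered over plain http, including the https-to-http redirect case the reporter describes. The sample HAR data, the `example.test` host and the function names are constructed for illustration.

```javascript
// Constructed sample in HAR 1.2 shape (example.test is a placeholder host).
const sampleHar = { log: { entries: [
  { request: { url: "https://example.test/report.pdf" },
    response: { status: 302, redirectURL: "http://example.test/files/report.pdf",
                content: { mimeType: "" } } },
  { request: { url: "http://example.test/files/report.pdf" },
    response: { status: 200, redirectURL: "", content: { mimeType: "application/pdf" } } },
  { request: { url: "https://example.test/manual.pdf" },
    response: { status: 200, redirectURL: "", content: { mimeType: "application/pdf" } } },
] } };

// A response counts as a PDF by MIME type, or by .pdf path when no type was recorded.
function isPdf(entry) {
  const mime = (entry.response.content?.mimeType || "").split(";")[0].trim().toLowerCase();
  const path = new URL(entry.request.url).pathname.toLowerCase();
  return mime === "application/pdf" || (mime === "" && path.endsWith(".pdf"));
}

// Returns one finding per PDF whose final 2xx response arrived over plain http.
function findInsecurePdfLoads(har) {
  const entries = har.log.entries;
  const redirectedFrom = new Map(); // absolute redirect target -> redirecting entry
  for (const e of entries) {
    if (e.response.redirectURL) {
      redirectedFrom.set(new URL(e.response.redirectURL, e.request.url).href, e);
    }
  }
  const findings = [];
  for (const e of entries) {
    const url = new URL(e.request.url);
    const isFinal = e.response.status >= 200 && e.response.status < 300;
    if (!isFinal || url.protocol !== "http:" || !isPdf(e)) continue;
    // Walk the redirect chain back to the URL that was originally requested.
    const chain = [url.href];
    let prev = redirectedFrom.get(url.href);
    while (prev && !chain.includes(new URL(prev.request.url).href)) {
      chain.unshift(new URL(prev.request.url).href);
      prev = redirectedFrom.get(chain[0]);
    }
    // downgraded: some earlier hop in the chain was https, the delivery was not.
    const downgraded = chain.some((u) => u.startsWith("https:"));
    findings.push({ url: url.href, chain, downgraded });
  }
  return findings;
}

console.log(JSON.stringify(findInsecurePdfLoads(sampleHar), null, 2));
```

A finding with `downgraded: true` is the case where the address bar started on https but the PDF bytes were fetched in the clear.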