Closed
Bug 187302
Opened 22 years ago
Closed 22 years ago
going from https to http briefly makes the security indicator go red
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 165301
People
(Reporter: brant, Assigned: ssaux)
Details
(Keywords: smoketest)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20021231
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20021231

When going from https to http at sourceforge.net, the security indicator briefly goes red.

Reproducible: Always

Steps to Reproduce:
1. Go to https://sourceforge.net/. (notice secure indicator)
2. Go to http://soruceforge.net/. (notice secure indicator)

Actual Results: Security indicator turns red going from secure to insecure version

Expected Results: The indicator should not turn red. There is the possibility of a user thinking his or her information became vulnerable.
Comment 2•22 years ago
I'm not seeing this. Maybe sourceforge redirects through a mixed content page, and your connection is slow enough to let it be noticeable. Try visiting https://www.verisign.com and http://www.verisign.com
Component: Daemon → Client Library
Version: unspecified → 2.4
Comment 3•22 years ago
I'm not even seeing a warning when the SSL pref is checked "Viewing a page with an encrypted/unencrypted mix"
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
Comment 4•22 years ago
Brant, is your disk cache set to zero?
Reporter
Comment 5•22 years ago
Disk Cache not set to 0. The same thing happens at VeriSign. I am manually entering the two addresses, not using a link of any kind, therefore no redirection would be happening.

More specific steps to reproduce:
1. Enter a secure URL in the address bar. Wait for page to load. (security indicator should be yellow with Modern theme)
2. Enter a non-secure URL in the address bar. The security indicator briefly turns red and then to gray as the new URL is connected.

If I use the Forward/Back buttons after doing this, the security indicator acts as expected. I see no Red state.

I am on a 56K connection so this may be a contributing factor in me seeing the red indicator and not you, but it still seems like a bug to me. A user might think information was briefly insecure. I tried double-clicking the indicator while it was red and it tells me the certificate is okay.

I further tested and went to https://www.verisign.com/partners/index.html. I then clicked the insecure link for Domain Resellers and the security indicator did not turn Red.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Comment 6•22 years ago
Brant, could you do one more test? Please make sure that you have all the warnings enabled in "edit/prefs/privacy/ssl/ssl warnings". I would like to find out whether we are really explicitly changing the mode to broken, or whether it is some side effect that you see a red icon. I expect you should see the messages "entering secure site" in step 1 and "leaving secure site" in step 2. Do you see a third message in between?
Reporter
Comment 7•22 years ago
I only receive the two messages you mention. With all the warnings enabled, I do not see a red security indicator. I will attempt to narrow down which warning to turn off to see the red security indicator.

Conditions that produced red indicator:
All warnings off
Loading with Low Encryption on
Loading with Encryption on
Sending from unencrypted to unencrypted on
(or any combination above)

With Loading with Mix on, I receive a message saying that I am loading an encrypted page with unencrypted content, no red indicator.
With all on, I received the mixed warning (no red indicator) and then the leaving encrypted page (red indicator).

It looks like there is a problem in the area of the mixed content warning since that should not even be appearing. This time, I could not reproduce it going from https to http at sourceforge.net, but I could reproduce it going from https://sourceforge.net/ to http://somethingElse and from https://verisign.com to http://something else
Comment 8•22 years ago
This should be fixed in the Jan 29 nightly build.

*** This bug has been marked as a duplicate of 165301 ***
Status: REOPENED → RESOLVED
Closed: 22 years ago → 22 years ago
Resolution: --- → DUPLICATE
Comment 9•22 years ago
Unfortunately I have found additional problems. Please have a look at bug 191212.
Updated•8 years ago
Product: Core → Core Graveyard