Closed Bug 187302 Opened 22 years ago Closed 22 years ago

going from https to http briefly makes the security indicator go red

Categories

(Core Graveyard :: Security: UI, defect)

1.0 Branch
x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 165301

People

(Reporter: brant, Assigned: ssaux)

Details

(Keywords: smoketest)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20021231
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20021231

When going from https to http at sourceforge.net, the security indicator briefly
goes red.

Reproducible: Always

Steps to Reproduce:
1. Go to https://sourceforge.net/. (notice secure indicator)
2. Go to http://sourceforge.net/. (notice secure indicator)
Actual Results:  
Security indicator turns red going from secure to insecure version

Expected Results:  
The indicator should not turn red.

There is the possibility of a user thinking his or her information became
vulnerable.
This was smoketest B.18.
Keywords: smoketest
I'm not seeing this. Maybe sourceforge redirects through a mixed content page,
and your connection is slow enough to let it be noticeable. Try visiting
https://www.verisign.com and http://www.verisign.com
Component: Daemon → Client Library
Version: unspecified → 2.4
I'm not even seeing a warning when the SSL pref is checked "Viewing a page with
an encrypted/unencrypted mix"
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
Brant, is your disk cache set to zero?
Disk Cache not set to 0.  The same thing happens at VeriSign.  I am manually
entering the two addresses, not using a link of any kind, therefore no redirection
would be happening.

More specific steps to reproduce:
1. Enter a secure URL in the address bar.  Wait for page to load.  (security
indicator should be yellow with Modern theme)
2. Enter a non-secure URL in the address bar.  The security indicator briefly
turns red and then to gray as the new URL is connected.

If I use the Forward/Back buttons after doing this, the security indicator acts
as expected.  I see no Red state.

I am on a 56K connection so this may be a contributing factor in me seeing the
red indicator and not you, but it still seems like a bug to me.  A user might
think information was briefly insecure.

I tried double-clicking the indicator while it was red and it tells me the
certificate is okay.

I further tested and went to https://www.verisign.com/partners/index.html.  I
then clicked the insecure link for Domain Resellers and the security indicator
did not turn Red.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Brant, could you do one more test?

Please make sure that you have all the warnings enabled in
"edit/prefs/privacy/ssl/ssl warnings".

I would like to find out whether we are really explicitly changing the mode to
broken, or whether it is some side effect that you see a red icon.

I expect you should see the messages "entering secure site" in step 1 and
"leaving secure site" in step 2.

Do you see a third message in between?
I only receive the two messages you mention.  With all the warnings enabled, I do
not see a red security indicator.  I will attempt to narrow down which warning
to turn off to see the red security indicator.

Conditions that produced red indicator.
All warnings off
Loading with Low Encryption on
Loading with Encryption on
Sending from unencrypted to unencrypted on
(or any combination above)

with Loading with Mix on, I receive a message saying that I am loading an
encrypted page with unencrypted content, no red indicator

with all on, I received the mixed warning (no red indicator)
and then the leaving encrypted page (red indicator)

It looks like there is a problem in the area of the mixed content warning since
that should not even be appearing.

This time, I could not reproduce it going from https to http at sourceforge.net,
but I could reproduce it going from https://sourceforge.net/ to
http://somethingElse and from https://verisign.com to http://something else
This should be fixed in the Jan 29 nightly build.

*** This bug has been marked as a duplicate of 165301 ***
Status: REOPENED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Unfortunately I have found additional problems.
Please have a look at bug 191212.
Verified dupe.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard