Closed Bug 197194 Opened 22 years ago Closed 9 years ago

Warn about page containing unencrypted data when meta refresh is present

Categories

(Core :: Security: PSM, defect)

x86
Linux
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: ykoehler, Unassigned)

At my web site, I use a non-encrypted page to present the login form. When the user presses login, I point the form action to a secure site so that the information is passed securely over the network. The user is then presented with a web page over SSL. I use a meta refresh tag to bring him back to the non-SSL page so that he can continue to use the site with less expensive overhead on the web server, as the rest of the information is not as critical as his password. I do want to provide identity protection and also protection against theft (many people re-use their passwords, therefore using a secure way even for low-importance sites is great). Anyway, when the meta refresh activates, the Mozilla browser shows a pop-up explaining that the encrypted page contained unencrypted data, which actually is not true. Removing the meta refresh tag also removes the pop-up, but I do expect my users to appreciate the automatic redirection to a new non-encrypted page where the secure information has not been inserted.
Well... an automatic redirect to a non-SSL page from an SSL one, possibly including form data in the url, is indeed something users should be warned about....
Well, considering that there is already another warning for such an event, which is "Leaving a page that supports encryption", and that the site was trusted, and therefore it would be a weird thing for a trusted site to reveal information it first attempted to protect at cost (valid SSL is not free!), I think that the warning is wrong. Once the data is transmitted to the site, it still doesn't mean that this data is secure, and therefore Mozilla should concentrate on warning about things it can be assured of, or warn at all times where the slightest possible chance of leaking secure data exists, which would first require Mozilla to be able to recognize what data (specific words) needs to be secure (which actually would be a very good thing!).
I agree with Yannick that this is the wrong warning. In my opinion, too, it should be the "you are leaving an encrypted site" warning!
eBay Germany (not .com) uses the same method for the secure login and there it works for me! 1. Go to www.ebay.de 2. Click on "Einloggen" (German: sign in) 3. Click on "Sicheres Einloggen (SSL)" (German: secure sign in) 4. Enter your ID and password (you can use your ebay.com account!) 5. Click on the button "Sicheres Einloggen". A secure page with meta-refresh=0 is loaded and the "you are leaving an encrypted page" warning is shown before the MyEbay page is loaded. -> WFM?
BTW: I'm using Mozilla 1.4 build 20030624 on WinXP
I for sure wasn't using 1.4 as the release was not out yet. I will have to do the test and verification.
Christian: can't confirm your described behavior. The "Herzlich willkommen bei eBay" page is still a https page. But when then clicking on the link to Mein-Ebay the described warning is displayed. Yannick: could you test with a current build? Using 2003121709
(In reply to comment #7) It seems that eBay has changed the page you are directed to after "Einloggen". Replace step 2 in my comment #4 with: 2. Click on "Mein eBay" (German: "My eBay") to get the workflow I mentioned. -> WFM with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113 on WinXP
Product: Browser → Seamonkey
- Is this bug still current? - Asa: are you still concerned with it?
No reply to comment #9 => resetting A+QA. Asa, if I misunderstood your silence, feel free to re-take this bug.
Assignee: asa → nobody
QA Contact: asa → general
Component: General → Security: PSM
Product: SeaMonkey → Core
QA Contact: general → psm
Most of these dialogs have been removed - I don't think this bug applies any longer.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
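
An added example, not part of this bug report or of Mozilla's code: a Python check a site owner could run over their HTTPS pages to find meta refreshes that hand the user to plain HTTP, and whether the target URL carries a query string (the concern raised in the first reply). The host names and the `parse_refresh` / `audit` helpers are hypothetical, and the sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def parse_refresh(content):
    """Split a refresh value such as '0; URL=http://x/' into (delay, target or None)."""
    parts = re.split(r"\s*[;,]\s*", content.strip(), maxsplit=1)
    try:
        delay = float(parts[0])
    except ValueError:
        return None  # no usable delay: not a valid refresh value
    if len(parts) == 1 or not parts[1]:
        return delay, None  # plain reload of the same page
    target = re.sub(r"^url\s*=\s*", "", parts[1], flags=re.I).strip().strip("'\"")
    return delay, target or None

class RefreshFinder(HTMLParser):
    """Collects the content attribute of every <meta http-equiv="refresh">."""
    def __init__(self):
        super().__init__()
        self.contents = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.contents.append(a.get("content") or "")

def audit(page_url, html):
    """Return one finding per meta refresh that leaves an HTTPS page for HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = RefreshFinder()
    finder.feed(html)
    findings = []
    for content in finder.contents:
        parsed = parse_refresh(content)
        if not parsed or parsed[1] is None:
            continue
        dest = urlsplit(urljoin(page_url, parsed[1]))  # resolve relative targets
        if dest.scheme == "http":
            findings.append({"target": dest.geturl(), "delay": parsed[0],
                             "has_query": bool(dest.query)})
    return findings

# Constructed sample pages (hypothetical hosts), keyed by the URL they were served from.
SAMPLE_PAGES = {
    "https://login.example.test/done": '<html><head><META HTTP-EQUIV="Refresh" '
        'CONTENT="0; URL=http://www.example.test/home?user=alice"></head></html>',
    "https://login.example.test/ok": '<meta http-equiv="refresh" content="0;url=/account">',
    "https://login.example.test/reload": '<meta http-equiv="refresh" content="30">',
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(url, audit(url, html))
```
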