Bug 197194: Warn about page containing unencrypted data when meta refresh is present
Status: RESOLVED WORKSFORME (Closed)
Opened 22 years ago
Closed 9 years ago
Categories: (Core :: Security: PSM, defect)
People: (Reporter: ykoehler, Unassigned)
At my web site, I use a non-encrypted page to present the login form. When the
user presses login I point the form action to a secure site so that the
information is being passed securely over the network.
The user is then presented a web page over SSL. I use a meta refresh tag to
bring him back to the non-SSL page so that he can continue to use the site with
less expensive overhead on the web server, as the rest of the information is
not as critical as his password.
I do this because I want to provide identity protection and also protection against
theft (many people re-use their password, therefore using a secure way even for
low-importance sites is great).
Anyway, when the meta refresh activates, the Mozilla browser shows a pop-up
explaining that the encrypted page contained unencrypted data, which actually
is not true. Removing the meta refresh tag also removes the pop-up, but I do
expect my users to appreciate the automatic redirection to a new non-encrypted
page where the secure information has not been inserted.
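The flow in the report above (an HTTPS login response that meta-refreshes back to an HTTP page) can be checked for on your own pages. This is an added example, not code from the bug report or from Mozilla; the function names, hostnames and sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


# Collects the content value of every <meta http-equiv="refresh"> tag.
class MetaRefreshParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refresh_values = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and (attr.get("http-equiv") or "").lower() == "refresh":
            self.refresh_values.append(attr.get("content") or "")


def refresh_target(content, page_url):
    """Absolute URL a refresh value navigates to, or None for a plain reload."""
    parts = re.split(r"[;,]", content, maxsplit=1)
    rest = parts[1].strip() if len(parts) > 1 else ""
    match = re.match(r"url\s*=\s*(.*)", rest, re.I | re.S)
    if match:
        rest = match.group(1)
    rest = rest.strip().strip("'\"")
    return urljoin(page_url, rest) if rest else None


def find_downgrades(html, page_url):
    """Refresh targets that take an https page to http, noting query data."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MetaRefreshParser()
    parser.feed(html)
    findings = []
    for value in parser.refresh_values:
        target = refresh_target(value, page_url)
        parts = urlsplit(target or "")
        if parts.scheme == "http":
            findings.append({"target": target, "carries_query": bool(parts.query)})
    return findings


# Constructed sample: the page an HTTPS login handler might return.
SAMPLE = ('<html><head><meta http-equiv="Refresh" '
          'content="0; URL=http://www.example.com/home?user=alice"></head></html>')

if __name__ == "__main__":
    print(find_downgrades(SAMPLE, "https://secure.example.com/login"))
```

The `carries_query` flag marks refresh targets whose URL includes query data, the case comment 1 raises about form data ending up in the URL.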
Comment 1•22 years ago
Well... an automatic redirect to a non-SSL page from an SSL one, possibly
including form data in the url, is indeed something users should be warned about....
Comment 2•22 years ago (Reporter)
Well, considering that there is already another warning for such an event, which is
"Leaving a page that supports encryption", and that the site was trusted and
therefore it would be a weird thing for a trusted site to reveal information it
first attempted to protect at cost (Valid SSL is not free!), I think that the
warning is wrong.
Once the data is transmitted to the site it still doesn't mean that this data is
secure and therefore Mozilla should concentrate on warning on things it can be
assured of, or warn at all times where a slight possible chance of leaking secure
data exists, which would first require Mozilla to be able to recognize what data
(specific words) need to be secure (which actually would be a very good thing!).
Comment 3•21 years ago
I agree with Yannick that this is the wrong warning. In my opinion, too, it
should be the "you are leaving an encrypted site"-warning!
Comment 4•21 years ago
eBay Germany (not .com) uses the same method for the secure login and there it
works for me!
1. go to www.ebay.de
2. click on "Einloggen" (German: sign in)
3. click on "Sicheres Einloggen (SSL)" (German: secure sign in)
4. enter your id and password (you can use your ebay.com account!)
5. click on the button "Sicheres Einloggen"
A secure page with meta-refresh=0 is loaded and the "you are leaving an
encrypted page"-warning is shown before the MyEbay-page is loaded.
-> WFM?
Comment 5•21 years ago
BTW: I'm using Mozilla 1.4 build 20030624 on WinXP
Comment 6•21 years ago (Reporter)
I for sure wasn't using 1.4 as the release was not out yet. I will have to do
the test and verification.
Comment 7•21 years ago
Christian: can't confirm your described behavior. The "Herzlich willkommen bei
eBay" page is still a https page. But when then clicking on the link to
Mein-Ebay the described warning is displayed.
Yannick: could you test with a current build?
Using 2003121709
Comment 8•21 years ago
(In reply to comment #7)
It seems that eBay has changed the page you are directed to after "Einloggen".
Replace step 2 in my comment #4 with:
2. click on "Mein eBay" (German: "My eBay")
to get the workflow I mentioned.
-> WFM
with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113 on WinXP
Updated•20 years ago
Product: Browser → Seamonkey
Comment 9•17 years ago
- Is this bug still current?
- Asa: are you still concerned with it?
Comment 10•16 years ago
No reply to comment #9 => resetting A+QA. Asa, if I misunderstood your silence, feel free to re-take this bug.
Assignee: asa → nobody
QA Contact: asa → general
Component: General → Security: PSM
Product: SeaMonkey → Core
QA Contact: general → psm
Comment 11•9 years ago
Most of these dialogs have been removed - I don't think this bug applies any longer.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME