Bug 262689 - lock icon and certificates spoofable with "view-source:"
Status: RESOLVED FIXED
Whiteboard: [sg:fix]
Keywords: fixed-aviary1.0, fixed1.4.4, fixed1.7.5
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: All All
Importance: -- critical
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
Blocks: lockicon
Reported: 2004-10-03 03:45 PDT by bugzilla
Modified: 2005-01-24 13:41 PST
dveditz: blocking‑aviary1.0+

Attachments
Testcase (187 bytes, text/html)
2004-10-03 03:46 PDT, bugzilla
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode. (3.34 KB, patch)
2004-10-08 14:31 PDT, Johnny Stenback (:jst, jst@mozilla.com)
caillon: review+
dveditz: superreview+
asa: approval‑aviary+
asa: approval1.7.5+

Description bugzilla 2004-10-03 03:45:47 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ja-JP; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ja-JP; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

I found a security issue with "view-source:".

When I viewed the source of a secure site in the browser window (e.g.
"view-source:https://bugzilla.mozilla.org/" with a bookmarklet instead of
Ctrl+U), the lock icon and certificates were kept in the location bar. 

So I thought this bug could be used for certificate spoofing.
I wrote a simple testcase based on Bug 253121.

Reproducible: Always
Steps to Reproduce:
1. Load testcase
2. Right click page -> View Page Info, go to security tab
3. Notice that the site (mozilla.org) appears to be secure, 
   and the certificate from https://www.paypal.com/ is shown
Comment 1 bugzilla 2004-10-03 03:46:41 PDT
Created attachment 160910
Testcase
Comment 2 bugzilla 2004-10-03 03:49:23 PDT
Source of testcase:

<html>
<head>
<meta http-equiv="refresh" content="0;url=view-source:https://www.paypal.com/">
</head>
<body onunload="window.location.replace('http://www.mozilla.org/');"></body>
</html>
Comment 3 bugzilla 2004-10-03 05:25:47 PDT
The site name with the lock icon on the status bar (Firefox) is also spoofable.

[1] http://www.aaa.com/
     |
 (redirect) <= certificate of [2] https://www.bbb.com/
     | 
[3] http://www.ccc.com/

In this case, the site name on the status bar will be "www.aaa.com".
But if [3] is http://www.aaa.com/ddd/, it is easier to lead users to believe
that "www.aaa.com" is secure.

Once the certificate is issued, the browser (tab) keeps it after that.
Comment 4 Daniel Veditz [:dveditz] 2004-10-04 10:32:19 PDT
->Johnny who fixed similar bug 253121
Confirming in both Firefox and Mozilla Suite.

Probably should block Aviary; presuming so, chofmann can clear if he disagrees.
Comment 5 bugzilla 2004-10-04 11:27:06 PDT
Bookmarklet I used:

  javascript: location.href = 'view-source:' + location.href;

Save it on the Bookmarks Toolbar, go to a secure (https:) site, and just click it.
"view-source:" URLs seem to bypass security checks :-(
Comment 6 Johnny Stenback (:jst, jst@mozilla.com) 2004-10-08 14:31:54 PDT
Created attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.
Comment 7 Christopher Aillon (sabbatical, not receiving bugmail) 2004-10-08 14:59:48 PDT
Comment on attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

This makes sense, and if jst has tested it, all the better.  The old code was
bad, and this is a good change nonetheless.  r=caillon
Comment 8 Daniel Veditz [:dveditz] 2004-10-08 15:20:55 PDT
Comment on attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

sr=dveditz
Comment 9 Asa Dotzler [:asa] 2004-10-08 15:33:30 PDT
Comment on attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

a=asa for branches checkins.
Comment 10 Johnny Stenback (:jst, jst@mozilla.com) 2004-10-08 15:59:11 PDT
Fixed on trunk and branches.
Comment 11 bugzilla 2004-10-09 20:17:24 PDT
I confirmed that the testcase didn't work with the 2004-10-09 Branch for Mac.
But the location bar was still yellow when I opened the following link:
view-source:https://bugzilla.mozilla.org/

Of course the bookmarklet (see comment 5) produced the same result.

Is this ok?
Comment 12 Johnny Stenback (:jst, jst@mozilla.com) 2004-10-11 11:33:43 PDT
(In reply to comment #11)
> I confirmed that the testcase didn't work with the 2004-10-09 Branch for Mac.
> But the location bar was still yellow when I opened the following link:
> view-source:https://bugzilla.mozilla.org/
> 
> Of course the bookmarklet (see comment 5) produced the same result.
> 
> Is this ok?

Yes, that's fine as long as the certs used are from the right host
(bugzilla.mozilla.org in this case) and not from any other site.
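
Added example (not part of the bug thread and not Mozilla's patch): a simplified model of a per-tab security indicator that replays the testcase from comment 2 and checks the invariant from comment 12, that a shown certificate must belong to the host of the document on display. The class SecurityUI, its methods, the stickyViewSource switch and the way "stuck in view-source mode" is modelled are assumptions made for illustration.

```javascript
// Illustrative model only; names and the "stuck" mechanism are hypothetical.
const VIEW_SOURCE = /^view-source:/i;

// URL of the document actually on display, with any view-source: prefix removed.
function innerUrl(url) {
  return new URL(url.replace(VIEW_SOURCE, ""));
}

class SecurityUI {
  constructor({ stickyViewSource }) {
    this.stickyViewSource = stickyViewSource; // true models the pre-fix behaviour
    this.inViewSource = false;
    this.currentUrl = null;
    this.state = { locked: false, certHost: null };
  }

  // Called for every top-level load. certHost is the host named in the
  // certificate of the connection that delivered the document (null for http).
  onLocationChange(url, certHost) {
    this.currentUrl = url;
    if (this.stickyViewSource && this.inViewSource) {
      return; // stuck: later loads never refresh the lock or certificate
    }
    this.inViewSource = VIEW_SOURCE.test(url);
    const secure = innerUrl(url).protocol === "https:";
    this.state = { locked: secure, certHost: secure ? certHost : null };
  }

  // Invariant from comment 12: a lock and certificate are acceptable only
  // when they come from the host of the document currently shown.
  indicatorIsConsistent() {
    const shown = innerUrl(this.currentUrl);
    if (!this.state.locked) return this.state.certHost === null;
    return shown.protocol === "https:" && this.state.certHost === shown.host;
  }
}

// Replays the two loads of the testcase in comment 2: the meta refresh to
// view-source:https://www.paypal.com/, then the onunload replace().
function replayTestcase(ui) {
  ui.onLocationChange("view-source:https://www.paypal.com/", "www.paypal.com");
  ui.onLocationChange("http://www.mozilla.org/", null);
  return { ...ui.state, consistent: ui.indicatorIsConsistent() };
}

console.log("stuck:", replayTestcase(new SecurityUI({ stickyViewSource: true })));
console.log("reset:", replayTestcase(new SecurityUI({ stickyViewSource: false })));
```

The same consistency check accepts the case from comment 11, where view-source:https://bugzilla.mozilla.org/ keeps a lock backed by the bugzilla.mozilla.org certificate.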
Comment 13 Daniel Veditz [:dveditz] 2005-01-24 13:41:56 PST
Security Advisories published, clearing confidential flag
