lock icon and certificates spoofable with "view-source:"

RESOLVED FIXED

Status

()

Core
Security
--
critical
RESOLVED FIXED
13 years ago
13 years ago

People

(Reporter: u115577, Assigned: jst)

Tracking

(Blocks: 1 bug, {fixed-aviary1.0, fixed1.4.4, fixed1.7.5})

Trunk
fixed-aviary1.0, fixed1.4.4, fixed1.7.5
Points:
---
Bug Flags:
blocking-aviary1.0 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix])

Attachments

(2 attachments)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ja-JP; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ja-JP; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

I found a security issue with "view-source:".

When I viewed the source of a secure site in the browser window (e.g.
"view-source:https://bugzilla.mozilla.org/" with a bookmarklet instead of
Ctrl+U), the lock icon and certificates were kept in the location bar. 

So I thought this bug can be used for the certificate spoofing.
I wrote simple testcase based on Bug 253121.

Reproducible: Always
Steps to Reproduce:
1. Load testcase
2. Right click page -> View Page Info, go to security tab
3. Notice that the site (mozilla.org) appears to be secure, 
   and the certificate from https://www.paypal.com/ is shown
(Reporter)

Comment 1

13 years ago
Created attachment 160910 [details]
Testcase
(Reporter)

Comment 2

13 years ago
Source of testcase:

<html>
<head>
<meta http-equiv="refresh" content="0;url=view-source:https://www.paypal.com/">
</head>
<body onunload="window.location.replace('http://www.mozilla.org/');"></body>
</html>
(Reporter)

Comment 3

13 years ago
Site name with lock icon on status bar (Firefox) is also spoofable.

[1] http://www.aaa.com/
     |
 (redirect) <= certificate of [2] https://www.bbb.com/
     | 
[3] http://www.ccc.com/

In this case, site name on status bar will be "www.aaa.com".
But if [3] is http://www.aaa.com/ddd/, it is easier to lead users to believe
that "www.aaa.com" is secure.

Once the certificate is issued, browser (tab) keeps it after that.
->Johnny who fixed similar bug 253121
Confirming in both Firefox and Mozilla Suite.

Probably should block Aviary; presuming so, chofmann can clear if he disagrees.
Assignee: dveditz → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.0+
Whiteboard: [sg:fix]
(Reporter)

Comment 5

13 years ago
Bookmarklet I used:

  javascript: location.href = 'view-source:' + location.href;

Save on Bookmarks Toolbar, go to secure (https:) site, and just click it.
"view-source:" urls seem to bypass security checks :-(
(Assignee)

Comment 6

13 years ago
Created attachment 161523 [details] [diff] [review]
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.
(Assignee)

Updated

13 years ago
Attachment #161523 - Flags: superreview?(dveditz)
Attachment #161523 - Flags: review?(caillon)
Comment on attachment 161523 [details] [diff] [review]
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

This makes sense, and if jst has tested it, all the better.  The old code was
bad, and this is a good change nonetheless.  r=caillon
Attachment #161523 - Flags: review?(caillon) → review+

Updated

13 years ago
Whiteboard: [sg:fix] → [sg:fix] have need review dveditz
Comment on attachment 161523 [details] [diff] [review]
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

sr=dveditz
Attachment #161523 - Flags: superreview?(dveditz) → superreview+
(Assignee)

Updated

13 years ago
Attachment #161523 - Flags: approval1.7.x?
Attachment #161523 - Flags: approval-aviary?

Comment 9

13 years ago
Comment on attachment 161523 [details] [diff] [review]
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

a=asa for branches checkins.
Attachment #161523 - Flags: approval1.7.x?
Attachment #161523 - Flags: approval1.7.x+
Attachment #161523 - Flags: approval-aviary?
Attachment #161523 - Flags: approval-aviary+
(Assignee)

Comment 10

13 years ago
Fixed on trunk and branches.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Keywords: fixed-aviary1.0, fixed1.7.x
Resolution: --- → FIXED
(Reporter)

Comment 11

13 years ago
I confirmed that testcase didn't work with 2004-10-09 Branch for Mac.
But location bar was still yellow when I opened the following link
view-source:https://bugzilla.mozilla.org/

Of course bookmarklet (see comment 5) produced the same result.

Is this ok?
(Assignee)

Comment 12

13 years ago
(In reply to comment #11)
> I confirmed that testcase didn't work with 2004-10-09 Branch for Mac.
> But location bar was still yellow when I opened the following link
> view-source:https://bugzilla.mozilla.org/
> 
> Of course bookmarklet (see comment 5) produced the same result.
> 
> Is this ok?

Yes, that's fine as long as the certs used are from the right host
(bugzilla.mozilla.org in this case) and not from any other site.
Blocks: 130949
Whiteboard: [sg:fix] have need review dveditz → [sg:fix]
Keywords: fixed1.4.4
Security Advisories published, clearing confidential flag
Group: security
You need to log in before you can comment on or make changes to this bug.