Bug 262689 - lock icon and certificates spoofable with "view-source:"
Status: RESOLVED FIXED
Whiteboard: [sg:fix]
Keywords: fixed-aviary1.0, fixed1.4.4, fixed1.7.5
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: All All
Importance: -- critical
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
: David Keeler [:keeler] (use needinfo?)
Blocks: lockicon
Reported: 2004-10-03 03:45 PDT by bugzilla
Modified: 2005-01-24 13:41 PST
dveditz: blocking‑aviary1.0+
Attachments
Testcase (187 bytes, text/html)
2004-10-03 03:46 PDT, bugzilla
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode. (3.34 KB, patch)
2004-10-08 14:31 PDT, Johnny Stenback (:jst, jst@mozilla.com)
caillon: review+
dveditz: superreview+
asa: approval‑aviary+
asa: approval1.7.5+

Description bugzilla 2004-10-03 03:45:47 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ja-JP; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ja-JP; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

I found a security issue with "view-source:".

When I viewed the source of a secure site in the browser window (e.g.
"view-source:https://bugzilla.mozilla.org/" with a bookmarklet instead of
Ctrl+U), the lock icon and certificates were kept in the location bar. 

So I thought this bug can be used for certificate spoofing.
I wrote a simple testcase based on Bug 253121.

Reproducible: Always
Steps to Reproduce:
1. Load testcase
2. Right click page -> View Page Info, go to security tab
3. Notice that the site (mozilla.org) appears to be secure, 
   and the certificate from https://www.paypal.com/ is shown
Comment 1 bugzilla 2004-10-03 03:46:41 PDT
Created attachment 160910
Testcase
Comment 2 bugzilla 2004-10-03 03:49:23 PDT
Source of testcase:

<html>
<head>
<meta http-equiv="refresh" content="0;url=view-source:https://www.paypal.com/">
</head>
<body onunload="window.location.replace('http://www.mozilla.org/');"></body>
</html>
Comment 3 bugzilla 2004-10-03 05:25:47 PDT
Site name with lock icon on status bar (Firefox) is also spoofable.

[1] http://www.aaa.com/
     |
 (redirect) <= certificate of [2] https://www.bbb.com/
     | 
[3] http://www.ccc.com/

In this case, the site name on the status bar will be "www.aaa.com".
But if [3] is http://www.aaa.com/ddd/, it is easier to lead users to believe
that "www.aaa.com" is secure.

Once the certificate is issued, the browser (tab) keeps it after that.
Comment 4 Daniel Veditz [:dveditz] 2004-10-04 10:32:19 PDT
->Johnny who fixed similar bug 253121
Confirming in both Firefox and Mozilla Suite.

Probably should block Aviary; presuming so, chofmann can clear if he disagrees.
Comment 5 bugzilla 2004-10-04 11:27:06 PDT
Bookmarklet I used:

  javascript: location.href = 'view-source:' + location.href;

Save on Bookmarks Toolbar, go to secure (https:) site, and just click it.
"view-source:" urls seem to bypass security checks :-(
Comment 6 Johnny Stenback (:jst, jst@mozilla.com) 2004-10-08 14:31:54 PDT
Created attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.
Comment 7 Christopher Aillon (sabbatical, not receiving bugmail) 2004-10-08 14:59:48 PDT
Comment on attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

This makes sense, and if jst has tested it, all the better.  The old code was
bad, and this is a good change nonetheless.  r=caillon
Comment 8 Daniel Veditz [:dveditz] 2004-10-08 15:20:55 PDT
Comment on attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

sr=dveditz
Comment 9 Asa Dotzler [:asa] 2004-10-08 15:33:30 PDT
Comment on attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

a=asa for branches checkins.
Comment 10 Johnny Stenback (:jst, jst@mozilla.com) 2004-10-08 15:59:11 PDT
Fixed on trunk and branches.
Comment 11 bugzilla 2004-10-09 20:17:24 PDT
I confirmed that testcase didn't work with 2004-10-09 Branch for Mac.
But location bar was still yellow when I opened the following link
view-source:https://bugzilla.mozilla.org/

Of course bookmarklet (see comment 5) produced the same result.

Is this ok?
Comment 12 Johnny Stenback (:jst, jst@mozilla.com) 2004-10-11 11:33:43 PDT
(In reply to comment #11)
> I confirmed that testcase didn't work with 2004-10-09 Branch for Mac.
> But location bar was still yellow when I opened the following link
> view-source:https://bugzilla.mozilla.org/
> 
> Of course bookmarklet (see comment 5) produced the same result.
> 
> Is this ok?

Yes, that's fine as long as the certs used are from the right host
(bugzilla.mozilla.org in this case) and not from any other site.
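
The condition stated in comment 12 (a lock on a view-source: page is acceptable only when the certificate belongs to the host being displayed) can be written as a regression check. The JavaScript below is an added example, not part of the bug report and not Mozilla's code; the load records, the `sticky` flag that models a tracker left stuck after a view-source: load, and the host attacker.example are assumptions made for illustration.

```javascript
// Added example: a toy model, not Mozilla's nsSecureBrowserUIImpl.
const PREFIX = 'view-source:';

// URL whose origin the indicator must describe (view-source: wrapper removed).
function innerUrl(spec) {
  const s = spec.trim();
  return new URL(s.toLowerCase().startsWith(PREFIX) ? s.slice(PREFIX.length) : s);
}

// Indicator state derived only from the load being displayed now.
function freshState(load) {
  const secure = innerUrl(load.spec).protocol === 'https:' && load.certHost !== null;
  return { lock: secure, certHost: secure ? load.certHost : null };
}

// Replays a sequence of loads. With sticky=true the tracker stops updating
// after a view-source: load (an assumed simplification of the failure mode
// named in the patch title, "stuck in view-source mode").
function replay(loads, sticky) {
  let shown = { lock: false, certHost: null };
  let stuck = false;
  for (const load of loads) {
    if (!stuck) shown = freshState(load);
    if (sticky && load.spec.toLowerCase().startsWith(PREFIX)) stuck = true;
  }
  return { spec: loads[loads.length - 1].spec, shown };
}

// True when a lock or certificate is shown that does not belong to the
// document currently displayed.
function isSpoofed({ spec, shown }) {
  if (!shown.lock) return false;
  const url = innerUrl(spec);
  return url.protocol !== 'https:' || shown.certHost !== url.hostname;
}

// Constructed load sequence mirroring the testcase in comment 2.
const testcaseLoads = [
  { spec: 'http://attacker.example/testcase.html', certHost: null },
  { spec: 'view-source:https://www.paypal.com/', certHost: 'www.paypal.com' },
  { spec: 'http://www.mozilla.org/', certHost: null },
];
// Constructed sequence for comment 11: view-source of an https page, same host.
const viewSourceLoads = [
  { spec: 'view-source:https://bugzilla.mozilla.org/', certHost: 'bugzilla.mozilla.org' },
];
```

With `sticky` set, the testcase sequence ends on http://www.mozilla.org/ while still showing the www.paypal.com certificate; with state recomputed on every load, only the view-source: page of bugzilla.mozilla.org keeps its lock.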
Comment 13 Daniel Veditz [:dveditz] 2005-01-24 13:41:56 PST
Security Advisories published, clearing confidential flag