Closed Bug 262689 Opened 15 years ago Closed 15 years ago
lock icon and certificates spoofable with "view-source:"
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ja-JP; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ja-JP; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

I found a security issue with "view-source:". When I viewed the source of a secure site in the browser window (e.g. "view-source:https://bugzilla.mozilla.org/" with a bookmarklet instead of Ctrl+U), the lock icon and certificates were kept in the location bar. So I thought this bug can be used for certificate spoofing. I wrote a simple testcase based on Bug 253121.

Reproducible: Always

Steps to Reproduce:
1. Load testcase
2. Right click page -> View Page Info, go to security tab
3. Notice that the site (mozilla.org) appears to be secure, and the certificate from https://www.paypal.com/ is shown
Source of testcase:

    <html>
    <head>
    <meta http-equiv="refresh" content="0;url=view-source:https://www.paypal.com/">
    </head>
    <body onunload="window.location.replace('http://www.mozilla.org/');"></body>
    </html>
Site name with lock icon on status bar (Firefox) is also spoofable.

    http://www.aaa.com/
     | (redirect) <= certificate of  https://www.bbb.com/
     |
    http://www.ccc.com/

In this case, site name on status bar will be "www.aaa.com". But if  is http://www.aaa.com/ddd/, it is easier to lead users to believe that "www.aaa.com" is secure. Once the certificate is issued, browser (tab) keeps it after that.
->Johnny who fixed similar bug 253121

Confirming in both Firefox and Mozilla Suite. Probably should block Aviary; presuming so, chofmann can clear if he disagrees.
Assignee: dveditz → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

This makes sense, and if jst has tested it, all the better. The old code was bad, and this is a good change nonetheless. r=caillon
Attachment #161523 - Flags: review?(caillon) → review+
Comment on attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

sr=dveditz
Attachment #161523 - Flags: superreview?(dveditz) → superreview+
Comment on attachment 161523
Fix. Don't let nsSecureBrowserUIImpl get stuck in view-source mode.

a=asa for branches checkins.
Fixed on trunk and branches.
I confirmed that testcase didn't work with 2004-10-09 Branch for Mac.
But location bar was still yellow when I opened the following link
view-source:https://bugzilla.mozilla.org/

Of course bookmarklet (see comment 5) produced the same result.

Is this ok?
(In reply to comment #11)
> I confirmed that testcase didn't work with 2004-10-09 Branch for Mac.
> But location bar was still yellow when I opened the following link
> view-source:https://bugzilla.mozilla.org/
>
> Of course bookmarklet (see comment 5) produced the same result.
>
> Is this ok?

Yes, that's fine as long as the certs used are from the right host (bugzilla.mozilla.org in this case) and not from any other site.
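The condition stated in the reply above (a lock shown for a view-source: page is fine only when the certificate belongs to the host of the document actually displayed), as an added example that is not part of this bug thread or of the Mozilla patch. The names `innerUrl`, `nameMatches`, `lockState` and the `conn` record are hypothetical, and the sample locations are constructed from the hosts mentioned in the report.

```javascript
// Added illustration, not Mozilla code: a model of the invariant the UI must keep.
const VIEW_SOURCE = "view-source:";

// Return the URL whose host the security indicator must describe.
// A generic URL parser reports an empty host for "view-source:https://...",
// so the wrapper scheme has to be removed before the host is read.
function innerUrl(displayed) {
  let s = displayed.trim();
  while (s.toLowerCase().startsWith(VIEW_SOURCE)) s = s.slice(VIEW_SOURCE.length);
  return new URL(s); // throws on an unparseable or empty location
}

// Match a host against one certificate name; "*." covers exactly one leftmost label.
function nameMatches(certName, host) {
  const c = certName.toLowerCase(), h = host.toLowerCase();
  if (c.startsWith("*.")) {
    const dot = h.indexOf(".");
    return dot > 0 && h.slice(dot) === c.slice(1);
  }
  return c === h;
}

// Decide what the lock icon may show for the displayed location.
// `conn` (hypothetical) describes the connection that served the displayed
// document: { certNames: [...] }, or null when there was no TLS connection.
function lockState(displayed, conn) {
  let url;
  try { url = innerUrl(displayed); }
  catch { return { lock: false, reason: "unparseable location" }; }
  if (url.protocol !== "https:") return { lock: false, reason: "document is not https" };
  if (!conn || !conn.certNames.some((n) => nameMatches(n, url.hostname)))
    return { lock: false, reason: "certificate is not for " + url.hostname };
  return { lock: true, host: url.hostname };
}

// Constructed cases: view-source of a secure page, and the host/certificate
// mismatch from the report (mozilla.org location, paypal.com certificate).
for (const [loc, names] of [
  ["view-source:https://bugzilla.mozilla.org/", ["bugzilla.mozilla.org"]],
  ["http://www.mozilla.org/", ["www.paypal.com"]],
]) console.log(loc, lockState(loc, { certNames: names }));
```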
Whiteboard: [sg:fix] have need review dveditz → [sg:fix]
Security Advisories published, clearing confidential flag