Closed Bug 263182 Opened 16 years ago Closed 15 years ago

Page Info (Security tab) doesn't explain mixed secure/insecure

Categories

(Firefox :: Page Info Window, defect, P1)

Tracking

RESOLVED FIXED
Firefox1.5

People

(Reporter: nmichalu, Assigned: Gavin)

Details

(Keywords: fixed1.8, Whiteboard: [sg:nse][l10n impact])

Attachments

(2 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041006 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041006 Firefox/0.10.1

In HTTPS sites that are set up so that some of the information is properly coming
through HTTPS but some of the info comes through insecure HTTP, the lock icon
changes to one with a slash in it (it didn't do that in previous releases - good
job!). However, when you click on the lock to find out WHY this is the case, there
is no information, just the normal identity verified and connection encrypted
messages. There should be, in this special case, a little explanation as to why
the lock icon has the slash through it, and perhaps even a dialogue for the user
the first time such a situation is encountered.

Reproducible: Always
Steps to Reproduce:
1. visit an HTTPS site where some of the elements come from a standard HTTP
   connection
2. click on the lock icon with the slash through it
3. notice there is no mention as to WHY that slash is there

Actual Results:  
normal identity verified and connection encrypted messages

Expected Results:  
same but also mentioned that the page contained some insecure items and this was
the source of the broken lock
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: If HTTPS site contains both secure and insecure items, lock does change to broken but no info if clicked → Page Info (Security tab) doesn't explain mixed secure/insecure
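
The mixed state described in the report above, as an added example that is not part of the bug or of the Firefox code: it resolves a page's subresource references the way a browser does and reports which ones fall back to plain HTTP. The heading and detail text are the strings proposed later in this bug; the function names, field names and sample URLs are constructed.

```javascript
// Added example. Heading and detail are the strings proposed in this bug;
// function names, field names and sample URLs are constructed.
const MIXED_HEADING = "Connection Partially Encrypted";
const MIXED_DETAIL =
  "Parts of the page you are viewing were not encrypted before being " +
  "transmitted over the Internet.";

// Resolve every subresource reference against the page URL, as a browser
// would, and return the ones that end up on plain HTTP.
function findInsecureSubresources(pageUrl, refs) {
  const base = new URL(pageUrl);
  const insecure = [];
  for (const ref of refs) {
    let target;
    try {
      target = new URL(ref, base);
    } catch (e) {
      continue; // unparsable reference: nothing is fetched for it
    }
    // Relative and protocol-relative references inherit the page scheme;
    // data: URIs never touch the network. Only explicit http: is reported.
    if (target.protocol === "http:") insecure.push(target.href);
  }
  return insecure;
}

// Pick the state that the Security tab would need to explain.
function describeConnection(pageUrl, refs) {
  if (new URL(pageUrl).protocol !== "https:") {
    return { state: "not-encrypted", insecure: [] };
  }
  const insecure = findInsecureSubresources(pageUrl, refs);
  if (insecure.length === 0) return { state: "encrypted", insecure };
  return { state: "mixed", heading: MIXED_HEADING, detail: MIXED_DETAIL, insecure };
}

// Constructed sample: one HTTPS page and five subresource references.
const sample = describeConnection("https://shop.example/cart/view", [
  "img/logo.png",
  "//cdn.example/lib.js",
  "data:image/gif;base64,R0lGODlhAQABAAAAACw=",
  "HTTP://Static.Example/style.css",
  "http://ads.example/banner.gif",
]);
console.log(sample.state, sample.insecure);
```
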
*** Bug 284658 has been marked as a duplicate of this bug. ***
Is this really a Firefox bug? Doesn't this dialog come from PSM, or does Firefox
have its own version? I bet the Suite has the same problem.
Flags: blocking-aviary1.1?
Whiteboard: [sg:fix]
Flags: blocking-aviary1.1? → blocking-aviary1.1+
I'm fairly certain pageinfo is forked, so it's a Firefox bug with a parallel
SeaMonkey bug.
Page Info is forked, but they both use the same overlay (
http://lxr.mozilla.org/seamonkey/source/security/manager/pki/resources/content/PageInfoOverlay.xul
). I'm thinking that adding a description for mixed content should be relatively
easy.

This probably belongs in Core:Security UI, but I'll leave it as is for now.
Assignee: bugs → gavin.sharp
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → Firefox1.1
Version: unspecified → Trunk
Status: NEW → ASSIGNED
Does anyone have a link to a mixed content page for testing?
Any XUL attachment with a chrome://global/skin stylesheet will trigger it.
(In reply to comment #6)
> Any XUL attachment with a chrome://global/skin stylesheet will trigger it.

That doesn't seem to be the case, see for example attachment 142844 [details].
I'm not going to be able to do this any time soon.
Assignee: gavin.sharp → bugs
Status: ASSIGNED → NEW
Mike: you're in charge of deciding what this should say, then find someone to do
any code changes required.
Assignee: bugs → mike
Whiteboard: [sg:fix] → [sg:fix][l10n impact]
Flags: blocking-aviary1.5+ → blocking1.8b4?
Suggested text for mixed content pages -- the last line is an existing entity,
and we can reuse it in order to minimize l10n impact:

---------------------------------------------------------------

<b>Connection Partially Encrypted</b>

Parts of the page you are viewing were not encrypted before being transmitted
over the Internet.

Information sent over the Internet without encryption can be seen by other
people while it is in transit.

---------------------------------------------------------------

Is this too harsh? I can't think of many valid, well-designed sites that are
only partially encrypted, but if there are such cases, we can add a bit about
how sometimes these sites are still trustworthy.

(I don't think we need a dialog, since there already is a "This page contains
some secure and some insecure items" popup IIRC which has a checkbox to make it
always go away)
Status: NEW → ASSIGNED
Comment on attachment 193865 [details] [diff] [review]
Patch implementing provided text

Thanks for the patch, Gavin. Looks good to my untrained eye, can we get a
review?
Attachment #193865 - Flags: review?(kaie.bugs)
Comment on attachment 193865 [details] [diff] [review]
Patch implementing provided text

> pageInfo_StrongEncryption=Connection Encrypted: High-grade Encryption (%S %S bit)
> pageInfo_Privacy_Strong1=The page you are viewing was encrypted before being transmitted over the Internet.
> pageInfo_Privacy_Strong2=Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network.
> pageInfo_WeakEncryption=Connection Encrypted: Low-grade Encryption (%S %S bit)
> pageInfo_Privacy_Weak1=The web site %S is using low-grade encryption for the page you are viewing.
> pageInfo_Privacy_Weak2=Low-grade encryption may allow some unauthorized people to view this information.
>+pageInfo_MixedContent=Connection Partially Encrypted
>+pageInfo_MixedContent_Detail=Parts of the page you are viewing were not encrypted before being transmitted over the Internet.
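Review bot: the new pageInfo_MixedContent heading drops the "(%S %S bit)" placeholders that the pageInfo_StrongEncryption and pageInfo_WeakEncryption headings carry, so in the mixed case the user no longer sees the cipher name and key length for the part of the page that was encrypted. Either keep those details in the mixed heading or add a comment beside the two new keys stating that they take no arguments, so localizers do not copy the placeholders from the neighbouring strings.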
Nit: Looks as if pageInfo_Privacy_Mixed1 would be a more consistent name here.

>+        var isBroken = null;
Nit: Booleans are false, not null.

>           return {
>             hostName : hName,
>             cAName : issuerName,
>             encryptionAlgorithm : status.cipherName,
>             encryptionStrength : status.secretKeyLength,
>-            cert : cert
>+            cert : cert,
>+            isBroken : isBroken
>           };
Nit: isBroken belongs next to encryptionStrength
Attachment #193865 - Flags: superreview+
Flags: blocking1.8b4? → blocking1.8b4+
Attachment #193865 - Attachment is obsolete: true
Attachment #193950 - Flags: superreview+
Attachment #193950 - Flags: review?(kai.engert)
Comment on attachment 193950 [details] [diff] [review]
Patch with Neil's comments addressed

r=kaie
Attachment #193950 - Flags: review?(kai.engert) → review+
Trunk:
Checking in locales/en-US/chrome/pippki/pippki.properties;
/cvsroot/mozilla/security/manager/locales/en-US/chrome/pippki/pippki.properties,v
 <--  pippki.properties
new revision: 1.3; previous revision: 1.2
done
Checking in pki/resources/content/PageInfoOverlay.xul;
/cvsroot/mozilla/security/manager/pki/resources/content/PageInfoOverlay.xul,v 
<--  PageInfoOverlay.xul
new revision: 1.21; previous revision: 1.20
done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Attachment #193865 - Flags: review?(kaie.bugs)
Attachment #193950 - Flags: approval1.8b4?
Whiteboard: [sg:fix][l10n impact] → [sg:fix][l10n impact][needs approval]
Attachment #193950 - Flags: approval1.8b4? → approval1.8b4+
Whiteboard: [sg:fix][l10n impact][needs approval] → [sg:fix][l10n impact]
1.8 Branch:
mozilla/security/manager/locales/en-US/chrome/pippki/pippki.properties; new
revision: 1.2.6.1;
mozilla/security/manager/pki/resources/content/PageInfoOverlay.xul; new
revision: 1.20.20.1;
Keywords: fixed1.8
Whiteboard: [sg:fix][l10n impact] → [sg:nse][l10n impact]
*** Bug 260127 has been marked as a duplicate of this bug. ***
See bug 251123, which requests better user interface feedback when hovering the lock icon.
Assignee: beltzner → gavin.sharp