Closed Bug 284551 Opened 18 years ago Closed 18 years ago

SSL spoofing vulnerability: status bar disappears in small windows; popups can spoof the SSL lock.

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect)

1.7 Branch
defect
Not set
normal

Tracking

()

VERIFIED FIXED

People

(Reporter: mozilla, Assigned: dveditz)

References

()

Details

(Keywords: fixed-aviary1.0.2, fixed1.7.6, Whiteboard: [sg:fix] fixed on trunk)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

When a window is less than 128 pixels high, the status bar is hidden.
This is bad because the status bar contains critical security information.
This is especially bad because Javascript can open popup windows small
enough to hide the status bar, and spoof the SSL security indicator in
the status bar.  See http://zesty.ca/popup/ for an example.

Javascript can also prevent the user from resizing the window or from
seeing the menu bar, so there is really no way to get the status bar back.

(This is also inconvenient because the horizontal scrollbar disappears
in the same way.)

The best and most straightforward solution is to ensure that the status
bar is always visible.

Reproducible: Always

Steps to Reproduce:
1. Open a new Firefox window (Ctrl-N).
2. Ensure that the status bar is turned on (View -> Status Bar).
3. Grab the lower edge of the window and shrink it vertically.
Actual Results:  
When the window height is reduced beyond a certain point (128 pixels), the
status bar will disappear (it will refuse to move up any further).

Expected Results:  
The status bar should not disappear.  It should always occupy the lowest 20 or
so pixels of the window height.

(Also, if the menu bar and status bar happen to be turned off, there should be a
way for the user to turn them back on.)
The status bar shouldn't disappear, confirming. It's not a perfect spoof because
as of Firefox 1.0.1 the site appears in the title bar, but people are likely to
be misled by the fake status bar all the same.

The Suite has a similar issue, but instead of having a fixed content height of
~128px it looks like ~122px.
Severity: major → normal
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.2?
Whiteboard: [sg:fix]
Doh! I've got windows diverted into tabs ;-)
The problem was fixed on the trunk - bug 217477 - to fix the mail status bar!
Flags: blocking-aviary1.0.2?
Marking blocking 1.0.2, otherwise this one seems to keep getting forgotten. I'd
rather have drivers explicitly minus than forget to plus.

This bug originated as a public thread on n.m.p.security, the confidential flag
is somewhat pointless at this point.
Group: security
Flags: blocking-aviary1.0.2? → blocking-aviary1.0.2+
Whiteboard: [sg:fix] → [sg:fix] fixed on trunk
Is this an issue for seamonkey too?
Yes seamonkey has a similar issue, see comment 1

Moving to Core so we can set the right flags. Besides the fix is in layout as
Neil pointed out.
Assignee: firefox → nobody
Component: General → Layout: HTML Frames
Product: Firefox → Core
QA Contact: general → layout.html-frames
Version: unspecified → 1.7 Branch
Neil's patch from bug 217477 (updated to branch line numbers). Copied here for
branch-checkin approval bookkeeping.
Attachment #177462 - Flags: approval1.7.6?
Attachment #177462 - Flags: approval-aviary1.0.2?
Flags: blocking1.7.6+
Comment on attachment 177462 [details] [diff] [review]
Neil's patch from bug 217477, r=roc, sr=jst

a=asa
Attachment #177462 - Flags: approval1.7.6?
Attachment #177462 - Flags: approval1.7.6+
Attachment #177462 - Flags: approval-aviary1.0.2?
Attachment #177462 - Flags: approval-aviary1.0.2+
Assignee: nobody → dveditz
Fix checked in to 1.7 and aviary-1.0.1 branches. Trunk was already fixed (bug
217477).
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.3?
testing on linux fc3, the test case now displays the status bar, so looks fixed
to me. tested with 2005031707-1.0.2 firefox and 2005031710-1.7.6 mozilla builds.
Status bar is displaying with unsecure icon on Mac Fx 1.0.2 and Moz 1.7.6. Also
looks good on Windows 1.7.6
Status: RESOLVED → VERIFIED
(In reply to comment #10)
> Status bar is displaying with unsecure icon on Mac Fx 1.0.2 and Moz 1.7.6. Also
> looks good on Windows 1.7.6

Thank you for addressing this bug so quickly.  Way to go!
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
Product: Core → Core Graveyard
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core
You need to log in before you can comment on or make changes to this bug.