User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.6) Gecko/20050406 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.6) Gecko/20050406 Firefox/1.0.2

This looks like #231720 but done with HTTPS. If any domain is mistyped with https the redirect goes to Paypal. This breaches the security model of HTTPS; the browser should not make any adjustments arbitrarily to the URL typed into the URL bar, and should in some way show that a redirect has happened if HTTPS is involved and certificates are expected to be checked.

https::/blahblah.com/

Or any other correct domain in an invalid URL.

As it was discovered by payments people (Gordon Katz of KatzGlobal.com), and as everyone in that world is panicking about phishing, I think this could be major. Currently it appears mostly embarrassing rather than exploitable. I can't quite see how to exploit it, but phishers are more persistent than I.

At the minimum, the Google "I'm feeling lucky" feature ... if that is what it is ... should be turned off for https. Actually, I'd rather the Lucky feature were turned off altogether or made into a separate thing like lucky:"search string", as until the UI is improved (a la Gervase, HJ/, trustbar) to do user-engaged security, there is way too much emphasis on that URL bar to be worthy of confidence, so any "tricks" should be kept to a minimum.

Reproducible: Always

Steps to Reproduce:
1. type in https::/some domain/
2. hit return
3. see Paypal.com, connected with https

Actual Results:
Get silently redirected to http://Paypal.com/

Expected Results:
Indicated that the URL was invalid and that the user should examine it and fix the typing.

This is a security bug. It doesn't need to be kept confidential.
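The two location-bar policies this report contrasts, written out as an added illustration. This is not Firefox's URL-bar code and not from anyone in this bug; the search-engine lookup (`constructedLuckyLookup`) and its results are constructed stand-ins for this example only, chosen to match the behaviour described above. The point it shows is that input starting with a scheme-like prefix (`https::/blahblah.com/`) fails strict URL parsing, and that the only safe response to such a failure is an error back to the user, never a guessed navigation.

```javascript
// Added illustration, not Firefox's location-bar code. Models the two
// policies discussed in this bug for text typed into the URL bar.

const NAVIGABLE_SCHEMES = new Set(['http:', 'https:']);

// Does the input start with something that looks like a URL scheme
// (e.g. "https::/...")? A user who typed a scheme meant a URL, not a
// search, so a parse failure should be reported, never "corrected".
function looksLikeSchemeAttempt(input) {
  return /^[a-z][a-z0-9+.-]*:/i.test(input.trim());
}

// Strict parse: only a syntactically valid http(s) URL with a non-empty
// host counts as something the browser may navigate to.
function parseNavigable(input) {
  let url;
  try {
    url = new URL(input.trim());
  } catch {
    return null; // WHATWG parser rejects "https::/blahblah.com/" (missing host)
  }
  if (!NAVIGABLE_SCHEMES.has(url.protocol) || url.hostname === '') return null;
  return url;
}

// Policy A: the behaviour the reporter observed. Anything that does not
// parse is handed to a keyword search whose first hit is loaded
// automatically. `luckyLookup` stands in for the search engine
// (assumption for this example).
function resolveWithLuckyFallback(input, luckyLookup) {
  const url = parseNavigable(input);
  if (url) return { action: 'navigate', target: url.href };
  return { action: 'navigate', target: luckyLookup(input) };
}

// Policy B: the behaviour the report asks for. A malformed URL is reported
// to the user; only scheme-less text is treated as a search, and even then
// the results are shown rather than silently navigated to.
function resolveStrict(input, luckyLookup) {
  const url = parseNavigable(input);
  if (url) return { action: 'navigate', target: url.href };
  if (looksLikeSchemeAttempt(input)) {
    return { action: 'error', reason: `"${input}" is not a valid URL; check the spelling` };
  }
  return { action: 'search-results', target: luckyLookup(input) };
}

// Constructed stand-in for the search engine's top hit (not real results):
// a query containing "https" maps to paypal and one containing "http" to
// microsoft, mirroring what comment 3 in this bug describes.
function constructedLuckyLookup(query) {
  if (/https/i.test(query)) return 'https://www.paypal.com/';
  if (/http/i.test(query)) return 'http://www.microsoft.com/';
  return 'https://example.org/search?q=' + encodeURIComponent(query);
}

// Demo: the same three inputs under both policies.
for (const typed of ['https://blahblah.com/', 'https::/blahblah.com/', 'firefox bugs']) {
  console.log(typed, '->',
    JSON.stringify(resolveWithLuckyFallback(typed, constructedLuckyLookup)),
    JSON.stringify(resolveStrict(typed, constructedLuckyLookup)));
}
```

Under policy A the mistyped `https::/blahblah.com/` is loaded as `https://www.paypal.com/` with no indication that the typed text was discarded; under policy B the same input yields an error and nothing is loaded, while a plain phrase such as `firefox bugs` still reaches the search engine.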
It is "I'm feeling lucky", I think. If you turn it off, FF guesses www.https.com instead, which does exist, so you end up there.
It surely is bug 231720. If you search for https, www.paypal.com is the first entry. Microsoft.com is the one for http. *** This bug has been marked as a duplicate of 231720 ***
So, I can see this has been made a duplicate of the basic bug. Does this mean that this bug has now been "resolved" and there is no longer a security issue? (The reason that I filed another bug was that #231720 is marked as trivial, which does not recognise the potential security ramifications.)
*** Bug 289800 has been marked as a duplicate of this bug. ***
If you type odd things into the URL bar, it might take you to odd places. That the severity was set to 'trivial' has nothing to do with security. That was because the original bug was supposed to be trivial to solve. Bug 233541 wanted to disable the whole 'I feel lucky search', but was WONTFIXed. Bug 275957 wants to have an info-bar to warn the user (like for popups). Bug 263213 seems the best solution for what you want.