SSL lock icon displayed on an unsecured page

VERIFIED DUPLICATE of bug 300613

Status

major
13 years ago

People

(Reporter: dionne, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 300613])

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5

A particular sequence of operations can lead to a non-SSL web page being
displayed with a lock icon and the name of the (non-SSL) page next to it. 
Hovering over the lock area shows "Signed by XXX".
The sequence occurred during testing - it is not one that's likely to be reproduced
in normal browsing, but this type of link could be inserted in a page.

Reproducible: Always

Steps to Reproduce:
1. Navigate to any unsecured page, for instance www.mozilla.org
2. In the URL bar, type "https://{name of a Windows DC supporting LDAP over
SSL}:636"

Actual Results:  
- Bogus URL (for the DC) stays in the URL bar, highlighted as an SSL URL
- Lock icon and name of original site (www.mozilla.org) displayed at the bottom
of the page
- Hovering over the lock shows "signed by <signer of the DC's certificate>"
- Page content is unchanged
- No error or warning message

Expected Results:  
- No lock icon should be displayed
- ..or, the lock icon should be accompanied by an error page, or at least a
blank page (so the user is not fooled to think that the page is secure)

Comment 1

13 years ago
I can not look at this bug, because I do not have access to such a server to
connect to.
WFM with other types of secure servers (IMAP). Do you know a public SSL ldap
server you can point us at? I only know non-SSL ldap servers.
Whiteboard: [sg:needinfo]

Comment 3

I believe this is fixed in 1.5. If it is then 1.0.8 will get the fix I'm duping this bug to. If you're still seeing the problem then we need to dig deeper.

*** This bug has been marked as a duplicate of 300613 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:needinfo] → [sg:dupe 300613]
(Reporter)

Comment 4

13 years ago
(In reply to comment #3)
> I believe this is fixed in 1.5. If it is then 1.0.8 will get the fix I'm duping
> this bug to. If you're still seeing the problem then we need to dig deeper.

The behaviour described in the bug has not changed with 1.5 beta 2 - just tested it again. It does sound like the same bug as 300613 - the Windows DC is probably cutting off the connection and not sending any content.

Comment 5

13 years ago
Dionne,

the potential fix for this bug was added to Mozilla Firefox on 21 Oct. 

1.5 beta 2 did not yet contain the potential fix. Please use a version of Firefox that was produced after this date.

Could you please repeat your test with 1.5 RC 1?
If you still see the problem with Firefox software produced after 21 Oct, please reopen the bug.

If you can confirm the bug is gone, please mark the bug as verified. Thanks.
(Reporter)

Comment 6

13 years ago
Just tested with 1.5 RC1, and it looks like it's fixed.

- The displayed page is blank
- The lock icon is present
- The name of the SSL LDAP server appears next to the icon, and in the address bar (highlighted as SSL)

I will mark the bug as verified.

Thanks,
Marc
Status: RESOLVED → VERIFIED
Group: security