Closed Bug 301757 Opened 19 years ago Closed 19 years ago

SSL lock icon displayed on an unsecured page

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED DUPLICATE of bug 300613

People

(Reporter: dionne, Unassigned)

Details

(Whiteboard: [sg:dupe 300613]) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5

A particular sequence of operations can lead to a non-SSL web page being
displayed with a lock icon and the name of the (non-SSL) page next to it. 
Hovering over the lock area shows "Signed by XXX".
The sequence occured during testing - is not one that's likely to be reproduced
in normal browsing, but this type of link could be inserted in a page.

Reproducible: Always

Steps to Reproduce:
1. Navigate to any unsecured page, for instance www.mozilla.org
2. In the URL bar, type "https://{name of a Windows DC supporting LDAP over
SSL}:636"

Actual Results:  
- Bogus URL (for the DC) stays in the URL bar, highlighted as an SSL URL
- Lock icon and name of original site (www.mozilla.org) displayed at the bottom
of the page
- Hovering over the lock shows "signed by <signer of the DC's certificate>"
- Page content is unchanged
- No error or warning message

Expected Results:  
- No lock icon should be displayed
- ..or, the lock icon should be accompanied by an error page, or at least a
blank page (so the user is not fooled to think that the page is secure)
I can not look at this bug, because I do not have access to such a server to
connect to.

WFM with other types of secure servers (IMAP). Do you know a public SSL ldap
server you can point us at? I only know non-SSL ldap servers.
Whiteboard: [sg:needinfo]
I believe this is fixed in 1.5. If it is then 1.0.8 will get the fix I'm duping this bug to. If you're still seeing the problem then we need to dig deeper.

*** This bug has been marked as a duplicate of 300613 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:needinfo] → [sg:dupe 300613]
(In reply to comment #3)
> I believe this is fixed in 1.5. If it is then 1.0.8 will get the fix I'm duping
> this bug to. If you're still seeing the problem then we need to dig deeper.

The behaviour described in the bug has not changed with 1.5 beta 2 - just tested it  again.  It does sound like the same bug as 300613 - the Windows DC is probably cutting off the connection and not sending any content.
Dionne,

the potential fix for this bug was added to Mozilla Firefox on 21 Oct. 

1.5 beta 2 did not yet contain the potential. Please use a version of Firefox that was produced after this date.

Could you please repeat your test with 1.5 RC 1?
If you still see the problem with Firefox software produced after 21 Oct, please reopen the bug.

If you can confirm the bug is gone, please mark the bug as verified. Thanks.

Just tested with 1.5 RC1, and it looks like it's fixed.

- The displayed page is blank
- The lock icon is present
- The name of the SSL LDAP server appears next to the icon, and in the address bar (highlighted as SSL)

I will mark the bug as verified.

Thanks,
Marc
Status: RESOLVED → VERIFIED
Group: security
You need to log in before you can comment on or make changes to this bug.