Closed Bug 320851 Opened 18 years ago Closed 18 years ago
http authentication (401) prompt no longer displays scheme
In news://news.mozilla.org:119/cBDmf.30117$dO2.email@example.com Jack <firstname.lastname@example.org> wrote:
> When I got the popup window due to 401 in 1.0.x, it used to indicate whether
> it was http versus https. 1.5 does not seem to indicate this as 1.0.x did.
> This is a problem because one can't tell whether redirection occurred or not
> and so one can't be sure that one is sending the user name and password over
> a secure channel.
> Is there a setting to enable display of the protocol (http v. https) as well?

I think this is a legitimate concern. If there is no way to determine http/https, I think that is a security regression.
Confirmed. Looks like it was removed as part of bug 85484, without anyone noticing.
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=nsHttpChannel.cpp&branch=1.214&root=/cvsroot&subdir=mozilla/netwerk/protocol/http/src&command=DIFF_FRAMESET&rev1=1.213&rev2=1.214
Assignee: nobody → darin
Status: UNCONFIRMED → NEW
Component: General → Networking: HTTP
Ever confirmed: true
OS: Linux → All
Product: Firefox → Core
QA Contact: general → networking.http
Hardware: PC → All
Version: 1.5 Branch → 1.8 Branch
Summary: 401 user authentication dialog does not indicate protocol in 1.5 → http authentication (401) prompt no longer displays scheme
Whiteboard: [sg:spoof] Allows MITM to spoof https prompt → [sg:spoof] Allows MITM to spoof https password prompt
Boris, Darin, if either of you want to r/sr, that'd be great.
Might be a good candidate for 220.127.116.11, patch is simple.
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 207489 (patch)
It might be good to incorporate the assignment of |text| into the same conditional, so you aren't testing |proxyAuth| twice. Also, please note that indentation in this file is four whitespaces.
Attachment #207489 - Flags: superreview?(darin) → superreview-
need trunk-baked patch for branch
Comment on attachment 207500 (patch v2)
r+sr=darin
Checked in on the trunk. mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp; new revision: 1.265;
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.9alpha → mozilla1.8.1
Comment on attachment 207500 (patch v2)
a=darin
Attachment #207500 - Flags: branch-1.8.1?(darin) → branch-1.8.1+
Checked in on the 1.8 branch. mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp; new revision: 1.256.2.6;
Comment on attachment 207500 (patch v2)
approving for 1.8.0 branch, a=dveditz for drivers
Attachment #207500 - Flags: approval18.104.22.168? → approval22.214.171.124+
Checked in on the 1.8.0 branch. mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp; new revision: 1.2126.96.36.199.1;
Whiteboard: [sg:spoof] Allows MITM to spoof https password prompt → [sg:spoof] Allows MITM to spoof https password prompt [rft-dl]
http://gavinsharp.com/secret can be used to test this.
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52) Gecko/20060308 Firefox/184.108.40.206, auth prompt for gavin's page shows the scheme + host.
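
As an added illustration (not the patch attached to this bug, and not Mozilla code), the example below builds the prompt text from the URL of the channel that received the 401, so the scheme shown reflects the connection the credentials would travel over, and flags a challenge that arrives over http after an https request. The function names, prompt wording and sample URLs are assumptions.

```javascript
// Added illustration: function names and prompt wording are assumptions,
// not taken from nsHttpChannel.cpp or the patch on this bug.
const HTTP_SCHEMES = new Set(["http:", "https:"]);

// The realm comes from the server's WWW-Authenticate header, so anyone able
// to tamper with the response controls it. Strip control characters and cap
// the length so it cannot push the real origin out of view.
function sanitizeRealm(realm) {
  return String(realm).replace(/[\u0000-\u001f\u007f]/g, " ").slice(0, 64);
}

// scheme://host[:port] of the channel that actually received the 401.
// The URL parser lowercases the host and drops default ports.
function promptOrigin(challengeUrl) {
  const u = new URL(challengeUrl);
  if (!HTTP_SCHEMES.has(u.protocol)) {
    throw new Error("unsupported scheme: " + u.protocol);
  }
  return u.protocol + "//" + u.host;
}

// Compare the URL the user asked for with the URL that issued the challenge.
function describeChallenge(requestedUrl, challengeUrl, realm) {
  const requested = new URL(requestedUrl);
  const challenged = new URL(challengeUrl);
  const origin = promptOrigin(challengeUrl);
  return {
    text: `Enter user name and password for "${sanitizeRealm(realm)}" at ${origin}`,
    encrypted: challenged.protocol === "https:",
    downgraded: requested.protocol === "https:" && challenged.protocol !== "https:",
    hostChanged: requested.host !== challenged.host,
  };
}

// Constructed sample: an https request redirected to http before the 401.
console.log(describeChallenge(
  "https://example.com/secret",
  "http://example.com/secret",
  "Secret Area"
));
```

The scheme in the prompt is taken only from the challenged URL, never from the realm string, which is server-supplied text.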