http authentication (401) prompt no longer displays scheme

RESOLVED FIXED in mozilla1.8.1

Product: Core
Component: Networking: HTTP
Status: RESOLVED FIXED
Reporter: Nelson Bolyard (seldom reads bugmail)
Assigned: Gavin
Version: 1.8 Branch
Target Milestone: mozilla1.8.1
Keywords: fixed1.8.1, regression, verified1.8.0.2
Bug Flags: blocking1.8.0.1 -, blocking1.8.0.2 +
Whiteboard: [sg:spoof] Allows MITM to spoof https password prompt [rft-dl]
Attachments: 1 attachment, 1 obsolete attachment

In news://news.mozilla.org:119/cBDmf.30117$dO2.2607@newssvr29.news.prodigy.net
Jack <jhammer.noemail@yahoo.com> wrote:

> When I got the popup window due to 401 in 1.0.x, it used to indicate whether 
> it was http versus https.  1.5 does not seem to indicate this as 1.0.x did.

> This is a problem because one can't tell whether redirection occurred or not 
> and so one can't be sure that one is sending the user name and password over 
> a secure channel.

> Is there a setting to enable display of the protocol (http v. https) as well?

I think this is a legitimate concern.  If there is no way to determine http/https, I think that is a security regression.

Comment 1

12 years ago
see bug 301208 and http://wiki.mozilla.org/Firefox:1.5_Network_Error_Messages
Confirmed. Looks like it was removed as part of bug 85484, without anyone noticing.

http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=nsHttpChannel.cpp&branch=1.214&root=/cvsroot&subdir=mozilla/netwerk/protocol/http/src&command=DIFF_FRAMESET&rev1=1.213&rev2=1.214
Assignee: nobody → darin
Status: UNCONFIRMED → NEW
Component: General → Networking: HTTP
Ever confirmed: true
OS: Linux → All
Product: Firefox → Core
QA Contact: general → networking.http
Hardware: PC → All
Version: 1.5 Branch → 1.8 Branch
Blocks: 85484
Summary: 401 user authentication dialog does not indicate protocol in 1.5 → http authentication (401) prompt no longer displays scheme
Keywords: regression

Updated

12 years ago
Whiteboard: [sg:spoof] Allows MITM to spoof https prompt

Updated

12 years ago
Whiteboard: [sg:spoof] Allows MITM to spoof https prompt → [sg:spoof] Allows MITM to spoof https password prompt
Created attachment 207489
patch

Boris, Darin, if either of you want to r/sr, that'd be great.
Assignee: darin → gavin.sharp
Status: NEW → ASSIGNED
Attachment #207489 - Flags: superreview?(darin)
Attachment #207489 - Flags: review?(bzbarsky)
Might be a good candidate for 1.8.0.1, patch is simple.
Flags: blocking1.8.1?
Flags: blocking1.8.0.1?
Target Milestone: --- → mozilla1.9alpha

Comment 5

12 years ago
Comment on attachment 207489
patch

It might be good to incorporate the assignment of |text| into the same conditional, so you aren't testing |proxyAuth| twice.

Also, please note that indentation in this file is four whitespaces.
Attachment #207489 - Flags: superreview?(darin) → superreview-
Created attachment 207500
patch v2

Comments addressed.
Attachment #207489 - Attachment is obsolete: true
Attachment #207500 - Flags: superreview?(darin)
Attachment #207500 - Flags: review?(darin)
Attachment #207489 - Flags: review?(bzbarsky)
need trunk-baked patch for branch
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-

Comment 8

12 years ago
Comment on attachment 207500
patch v2

r+sr=darin
Attachment #207500 - Flags: superreview?(darin)
Attachment #207500 - Flags: superreview+
Attachment #207500 - Flags: review?(darin)
Attachment #207500 - Flags: review+
Checked in on the trunk.
mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp; new revision: 1.265;
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.9alpha → mozilla1.8.1
Attachment #207500 - Flags: branch-1.8.1?(darin)
Attachment #207500 - Flags: approval1.8.0.2?

Comment 10

12 years ago
Comment on attachment 207500
patch v2

a=darin
Attachment #207500 - Flags: branch-1.8.1?(darin) → branch-1.8.1+
Checked in on the 1.8 branch.
mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp; new revision: 1.256.2.6;
Flags: blocking1.8.1?
Keywords: fixed1.8.1
Flags: blocking1.8.0.2? → blocking1.8.0.2+
Comment on attachment 207500
patch v2

approving for 1.8.0 branch, a=dveditz for drivers
Attachment #207500 - Flags: approval1.8.0.2? → approval1.8.0.2+
Checked in on the 1.8.0 branch.
mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp; new revision: 1.256.2.4.2.1;
Keywords: fixed1.8.0.2

Updated

12 years ago
Whiteboard: [sg:spoof] Allows MITM to spoof https password prompt → [sg:spoof] Allows MITM to spoof https password prompt [rft-dl]
http://gavinsharp.com/secret can be used to test this.

Comment 15

12 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2, auth prompt for gavin's page shows the scheme + host.
Keywords: fixed1.8.0.2 → verified1.8.0.2
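
The behaviour this bug restores, sketched as an added example (it is not the Mozilla patch, which this page does not show): the prompt label is built from the URL that actually issued the 401, after any redirects, and always carries the scheme. The function names, prompt wording and sample URLs are assumptions constructed for illustration.

```javascript
// Added illustration; not code from nsHttpChannel.cpp.
// Function names, prompt wording and sample URLs are constructed.

// "scheme://host[:port]" for the server that sent the 401 challenge.
function promptOrigin(challengeUrl) {
  const u = new URL(challengeUrl);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("not an HTTP(S) challenge: " + u.protocol);
  }
  // URL.port is "" when the port is the scheme default, so 80/443 are elided.
  return u.protocol + "//" + u.hostname + (u.port ? ":" + u.port : "");
}

// Build the prompt from the last hop of the redirect chain, because that is
// where the credentials will be sent, not from the URL the user requested.
function describeChallenge(requestedUrl, redirects, realm) {
  const finalUrl = redirects.length ? redirects[redirects.length - 1] : requestedUrl;
  const requested = new URL(requestedUrl);
  const final = new URL(finalUrl);
  // The realm comes from the server's WWW-Authenticate header; strip control
  // characters so it cannot add lines that imitate the origin label.
  const safeRealm = String(realm).replace(/[\u0000-\u001f\u007f]/g, " ");
  return {
    text: 'Enter username and password for "' + safeRealm + '" at ' + promptOrigin(finalUrl),
    cleartext: final.protocol === "http:",
    downgraded: requested.protocol === "https:" && final.protocol === "http:",
    hostChanged: requested.hostname !== final.hostname,
  };
}

// Constructed case: an https request redirected to http before the 401.
const sample = describeChallenge(
  "https://intranet.example/secret",
  ["http://intranet.example/secret"],
  "Staff area"
);
console.log(sample.text, sample);
```

With the scheme in the label, the constructed downgrade above is visible to the user as `http://intranet.example` instead of a bare host name.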