Closed
Bug 322407
Opened 19 years ago
Closed 19 years ago
Unknown Authority dialog doesn't remember "do not accept..." option
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 236675
People
(Reporter: martin.thomson, Unassigned)
References
()
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 The dialog entitled "Website Certified by Unknown Authority" does not allow an option to not accept the certificate in a way that the dialog cannot be triggered again. Therefore, if a site is not trusted and the user selects the "Do no accept..." option, if the site is contacted again, the dialog will be shown again. This is a problem because the dialog is modal - it blocks access to all of the browsers functions until an answer is chosen. Therefore, a malicious site could request that the browser download a document from a host repetitively, causing the dialog to be displayed over and over. A user is given very little opportunity to stop this happening. There are several ways in which this could be done, frames and javascript spring to mind. This gives a user only two options: terminate their browser and lose their session information, or accept the certificate. I suspect that many an average user will be easily bullied, not understanding the implications of accepting a dodgy certificate. Reproducible: Always Steps to Reproduce: 1. Contact https://cb.msn.com/ for a demonstration. I am forced to download several documents from this site when I re-login for hotmail. Actual Results: The "Website Certified by Unknown Authority" is modal and does not remember the choice to deny a particular certificate. Expected Results: 1. The dialog is related to a particular tab of the browser. Ideally (heh) the dialog would block the loading of only that tab. I don't mind if the entire tab content is locked so that a single frame can be checked, but the dialog should not prevent actions like closing the tab or hitting the stop button. Like the new (and great) error pages, this message could be constrained to affected tab only. 2. The dialog should allow an option to block the site, either permanently, or for the rest of the current browsing session.
Comment 1•19 years ago
|
||
*** This bug has been marked as a duplicate of 236675 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Component: Security → Security: UI
Product: Firefox → Core
Resolution: --- → DUPLICATE
Version: unspecified → Trunk
Assignee | ||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•