Closed Bug 322407 Opened 19 years ago Closed 19 years ago

Unknown Authority dialog doesn't remember "do not accept..." option

Categories

(Core Graveyard :: Security: UI, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 236675

People

(Reporter: martin.thomson, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

The dialog entitled "Website Certified by Unknown Authority" does not allow an option to not accept the certificate in a way that the dialog cannot be triggered again. Therefore, if a site is not trusted and the user selects the "Do not accept..." option, if the site is contacted again, the dialog will be shown again.

This is a problem because the dialog is modal - it blocks access to all of the browser's functions until an answer is chosen. Therefore, a malicious site could request that the browser download a document from a host repetitively, causing the dialog to be displayed over and over. A user is given very little opportunity to stop this happening.

There are several ways in which this could be done; frames and JavaScript spring to mind.

This gives a user only two options: terminate their browser and lose their session information, or accept the certificate.  I suspect that many an average user will be easily bullied, not understanding the implications of accepting a dodgy certificate.

Reproducible: Always

Steps to Reproduce:
1. Contact https://cb.msn.com/ for a demonstration.

I am forced to download several documents from this site when I re-login for Hotmail.

Actual Results:
The "Website Certified by Unknown Authority" is modal and does not remember the choice to deny a particular certificate.

Expected Results:  
1. The dialog is related to a particular tab of the browser. Ideally (heh) the dialog would block the loading of only that tab. I don't mind if the entire tab content is locked so that a single frame can be checked, but the dialog should not prevent actions like closing the tab or hitting the stop button. Like the new (and great) error pages, this message could be constrained to the affected tab only.

2. The dialog should allow an option to block the site, either permanently, or for the rest of the current browsing session.
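
One way to implement the second expected result above, shown as an added example that is not part of the original bug report and is not Firefox code: a store that remembers a "do not accept" answer per host and certificate fingerprint, so repeated loads from the same host prompt only once. All class and function names are hypothetical, and the request list is constructed.

```javascript
// Added illustration (not Firefox/NSS code). All names here are hypothetical.
// Remembers the user's answer to an unknown-authority prompt so that repeated
// requests to the same host with the same certificate do not prompt again.
class CertDecisionStore {
  constructor() {
    this.session = new Map();   // cleared when the browsing session ends
    this.permanent = new Map(); // would be persisted to disk in a real browser
  }
  // Key on host, port and certificate fingerprint: a different certificate
  // from the same host is a new decision and must prompt again.
  static key(host, port, fingerprint) {
    return `${host.toLowerCase()}:${port}|${fingerprint.toLowerCase()}`;
  }
  remember(host, port, fingerprint, decision, scope) {
    if (decision !== "accept" && decision !== "reject") throw new Error("bad decision");
    const target = scope === "permanent" ? this.permanent : this.session;
    target.set(CertDecisionStore.key(host, port, fingerprint), decision);
  }
  lookup(host, port, fingerprint) {
    const k = CertDecisionStore.key(host, port, fingerprint);
    return this.permanent.get(k) ?? this.session.get(k) ?? null;
  }
  endSession() { this.session.clear(); }
}

// Decide what to do with a connection whose certificate chains to an unknown CA.
// askUser stands in for the dialog; it returns { decision, scope }.
function onUnknownAuthority(store, conn, askUser) {
  const prior = store.lookup(conn.host, conn.port, conn.fingerprint);
  if (prior === "reject") return "blocked"; // fail the load without a dialog
  if (prior === "accept") return "allowed";
  const { decision, scope } = askUser(conn);
  store.remember(conn.host, conn.port, conn.fingerprint, decision, scope);
  return decision === "accept" ? "allowed" : "blocked";
}

// Constructed input: a list of loads, each answered "reject for this session".
function simulate(requests) {
  const store = new CertDecisionStore();
  let prompts = 0;
  const askUser = () => { prompts++; return { decision: "reject", scope: "session" }; };
  const results = requests.map((c) => onUnknownAuthority(store, c, askUser));
  return { prompts, results, store };
}
```

Because the key includes the fingerprint, a host that later presents a different certificate is prompted for again rather than silently blocked or allowed.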

*** This bug has been marked as a duplicate of 236675 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Component: Security → Security: UI
Product: Firefox → Core
Resolution: --- → DUPLICATE
Version: unspecified → Trunk
Product: Core → Core Graveyard