349208 - Secure icon shown on pages with insecure content

Status: RESOLVED DUPLICATE of bug 349209

(Core :: Security, defect)

Description

[David Miller]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b2) Gecko/20060818 BonEcho/2.0b2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b2) Gecko/20060818 BonEcho/2.0b2

The secure-site icon is appearing for websites and can be "bypassed" if necessary as well.  If you navigate to the website in my URL field you can login 

Reproducible: Always

Steps to Reproduce:
1. navigate to the website in the URL field
2. login
3. refresh the page, then head to http://webmail.optonline.net again (make sure cookies are enabled "save session" is ticked off when you log into the website)

Actual Results:  
upon refresh/login the site will display a secure logo instead.

Expected Results:  
The secure site icon should be consistent with what is discovered by the browser.  It should not change it's mind after refreshing the mail page itself.  If it is true that the mail-server itself has a secure certificate, then the browser should have loaded the new certificate anyways and the icon should be adopted the new secure appearance.

If someone cannot be found who does not have an account with Optimum Online, I'll be more than happy to provide you with an e-mail address so that it can be tested out.

I have marked this as a security problem for only one reason.  I do not know much about the inner-workings of FireFox on this end and as such, I do not know how this type of problem might/might-not be used against someone.

Thanks to Dave Townsend for helping me write this long winded bug report :-)

Comment 1

[Dave Townsend [:mossop]]

*** This bug has been marked as a duplicate of 349209 ***