Bug 385172 (Closed)
[RFE] Option to intelligently ignore sites with mixed encrypted and unencrypted content
Opened 18 years ago; closed 14 years ago
Categories: Firefox :: Security, enhancement
Status: RESOLVED INCOMPLETE
Reporter: robrwo; Unassigned
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 (Ubuntu-feisty)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 (Ubuntu-feisty)
When one visits a site with mixed encrypted and unencrypted content (e.g. an https login page that links to images using the http protocol), one gets a warning.
Firefox gives an option to disable these warnings, but that may not be the smartest thing to do. Warnings should be more sophisticated. There should be options so that
(1) If I visit a site regularly, I want to disable the warnings for that site.
(2) If the unencrypted content is multimedia (images) or frames, then it's probably not as threatening, so I want to disable these warnings too.
Reproducible: Always
Comment 1•18 years ago
I believe the plan is to just not load the http parts, and display a message in the Error Console indicating that the http parts were not loaded.
Comment 2 (Reporter)•18 years ago
(In reply to comment #1)
> I believe the plan is to just not load the http parts, and display a message in
> the Error Console indicating that the http parts were not loaded.
That's worse than not giving a warning. It reduces the functionality of a site by not loading and rendering some parts.
There are very good reasons to have mixed encrypted and unencrypted content on a page: why should I waste bandwidth and CPU cycles to load images from https://images.example.com? It contributes nothing to the security of the page. I only do that because (less sophisticated) users are getting warning messages from their web browsers, and they think of that as a flaw of the website.
Yes, in theory the URL of embedded content can contain information that should be encrypted, and conscientious developers should be aware of that, but for most of the time, this is a useless message. It doesn't give the user an option to view a list of the URLs being requested or other information. One can only say yes or no. (That is likely a separate feature request.)
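An added example (not part of the bug thread or of Firefox) that shows the two things comment 2 asks for: listing the http:// subresources an https page would request, and splitting them into "active" (scripts, frames, stylesheets) versus "passive" (images, media) so that passive content from a per-site trusted host can be suppressed while everything else is still reported. The page URL, HTML and host names are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource kinds that can run code or alter page structure ("active") versus
# ones that are merely displayed ("passive"): the split the reporter proposes.
ACTIVE = {"script": "src", "iframe": "src", "frame": "src", "link": "href",
          "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect http:// subresource URLs referenced from a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        kind = "active" if tag in ACTIVE else "passive" if tag in PASSIVE else None
        if kind is None:
            return
        # Only stylesheet <link>s fetch a subresource at load time.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        ref = attrs.get(ACTIVE.get(tag) or PASSIVE.get(tag))
        if not ref:
            return
        absolute = urljoin(self.page_url, ref)  # resolves "//host/x" and "/x" safely
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute, kind))


def scan(page_url, html):
    """Return every http:// subresource of an https page; non-https pages have no mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    return parser.findings


def classify(page_url, html, trusted_hosts=()):
    """Split findings into (report, ignored): passive content from a trusted host is
    ignored (the reporter's per-site option); active content is always reported."""
    report, ignored = [], []
    for tag, url, kind in scan(page_url, html):
        if kind == "passive" and urlsplit(url).hostname in trusted_hosts:
            ignored.append((tag, url))
        else:
            report.append((tag, url, kind))
    return report, ignored


# Constructed sample: an https login page pulling in http:// resources.
SAMPLE_URL = "https://login.example.com/account"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="//cdn.example.org/lib.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="/local.png">
<iframe src="http://ads.example.net/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    shown, hidden = classify(SAMPLE_URL, SAMPLE_HTML, trusted_hosts=("images.example.com",))
    for item in shown:
        print("WARN", *item)
    for item in hidden:
        print("ignored (trusted passive)", *item)
```

The protocol-relative and root-relative references resolve to https and are not flagged; only the trusted image is suppressed, while the http stylesheet and frame are still reported.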
Comment 3•18 years ago
I disagree. In a MITM attack, an attacker can screw with your site quite a bit just by replacing images.
Comment 4 (Reporter)•18 years ago
(In reply to comment #3)
> I disagree. In a MITM attack, an attacker can screw with your site quite a bit
> just by replacing images.
MITM attacks against images won't be universally effective: yes, an attacker could mess with images, but in many cases, there's very little useful things he could do besides "screw with your site". He can't change links to the page or get information you submitted.
And if he is capable of inserting himself into your connection to mess with unencrypted content, why not just pretend to be the secured site anyway? (Not many users will be able to tell that this is a different certificate, and I'm not sure that the certification authorities are competent enough not to be conned into signing a fake cert: it's happened before.)
I am suggesting that the user have an *option* for this. So if, for example, a user trusts bugzilla.mozilla.org, that user should be able to configure Firefox to not warn about an encrypted page from that site that includes unencrypted images from that domain. Warnings for untrusted sites will continue as normal.
The current situation is that one can be warned for everything, or turn warnings off for everything. If one regularly visits a site that has mixed content, then the warning gets annoying. One either shuts it off globally (which is more dangerous), or one puts up with an annoying and useless error message. It's better to enable the user to turn it off for some sites.
Comment 5•18 years ago
> yes, an attacker could mess with images, but in many cases, there's very
> little useful things he could do besides "screw with your site".
The MITM attacker could easily replace your logo image with an image that looks like text. The text might say something like "This site has moved. Please go to https://foo.bar.org/ instead."
> And if he is capable of inserting himself into your connection to mess with
> unencrypted content, why not just pretend to be the secured site anyway?
Because a decent browser (such as Firefox 3) will stop the connection instead of putting up a certificate-mismatch dialog that users will click through without understanding.
Comment 6 (Reporter)•18 years ago
(In reply to comment #5)
> The MITM attacker could easily replace your logo image with an image that looks
> like text. The text might say something like "This site has moved. Please go
> to https://foo.bar.org/ instead."
Not everyone would be fooled by that, and many would even find it suspicious that an image tells you to visit somewhere but there is no link or highlightable text, the page does not automatically redirect you, but there is still the usual login.
And how is giving the option to turn off *all* warnings somehow better than an option to turn off warnings for selected sites?
> > And if he is capable of inserting himself into your connection to mess with
> > unencrypted content, why not just pretend to be the secured site anyway?
>
> Because a decent browser (such as Firefox 3) will stop the connection instead
> of putting up a certificate-mismatch dialog that users will click through
> without understanding.
Assuming there is a certificate mismatch. You have to trust that CAs won't sign certs for fraudsters.
Anyhow, you are not addressing the point of this feature request: for an *option* for the browser to not warn about mixed content from specific sites, rather than the current setup which gives one the option to disable the warning globally.
Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE