Closed
Bug 399760
Opened 17 years ago
Closed 8 years ago
inconsistent error reporting for invalid-certificate errors
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jo.hermans, Unassigned)
References
()
Details
This is something what I found after bug 327181. I'm sure that some parts are reported in existing bug-reports, but they might be all over the place. However, I wanted to report it in a single report, because bug 327181 was all about improving the error-reporting. Comment 1 will contain a proposal.
<http://www.zerozero.pt/uk/estadio.php?id=951>
Problem 1 :
The page contains the image <https://secure.partypartners.com/images/marketing-materials/gamebookers/english/gif/120x60/50bonus/120x60_gif_generic_betnow_1.gif> that is loaded over HTTPS, but with an invalid certificate (ssl_error_bad_cert_domain). However, if you load the page, you don't see the error. It's not reported in the error-console either.
Now we can debate if an error for a single image should be reported with a dialog box or replacing the complete page or somewhere else (error console, icon ?), but the point is that it's currently not reported at all.
Problem 2 :
When I open Page Info for this page, I can the url in the Media tab. When I click on the url, I get the error-message in a dialog box. Yes, that's the old behavior. But if we're going to expand the error description in bug 398718 (more text, a view button, whatever), then we have to know that there's less room available in the dialog box, then on a separate page.
Problem 3 :
When the URL is displayed in a frame, for instance when it's returned by Google's image search in <http://images.google.be/imgres?imgurl=http://www.zerozero.pt/img/logos/equipas/5110_equipa.gif&imgrefurl=http://www.zerozero.pt/uk/estadio.php%3Fid%3D951&h=72&w=57&sz=3&hl=nl&start=194&sig2=Ty2nuvI2gqlCu3BVtWkCTg&um=1&tbnid=qEOdpdu8wSIseM:&tbnh=69&tbnw=55&ei=AooOR-38D4WQwAHN5sHRCQ&prev=/images%3Fq%3Dchiva%2Bmanizales%26start%3D180%26ndsp%3D20%26svnum%3D10%26um%3D1%26hl%3Dnl%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26sa%3DN>, then we see the dialog box too. This different from when we see the page directly !
Reporter | ||
Comment 1•17 years ago
|
||
Some errors are not reported at all (problem 1), probably because an image-load might not interrupt the display of a page. A dialog box is bad, but a full-page warning is worse.
But when the same error happens in a frame (problem 3), they're reported in a dialog box, which contradicts the previous observation.
I think that the error should always be reported, even if it's not visible on the screen (if someone is defending the solution in problem 1). Maybe in the error console ? Or maybe in a sheet or cliff-hanger ? This might also provide some links to view the certificate, or add an exception to allow the certificate anyway (I know, that's another bug).
At least, the behavior should be the same if the url is displayed directly, or embedded in a frame.
Comment 2•17 years ago
|
||
(In reply to comment #0)
> Problem 1 :
>
> The page contains the image
> <https://secure.partypartners.com/images/marketing-materials/gamebookers/english/gif/120x60/50bonus/120x60_gif_generic_betnow_1.gif>
> that is loaded over HTTPS, but with an invalid certificate
> (ssl_error_bad_cert_domain). However, if you load the page, you don't see the
> error. It's not reported in the error-console either.
> Now we can debate if an error for a single image should be reported with a
> dialog box or replacing the complete page or somewhere else (error console,
> icon ?), but the point is that it's currently not reported at all.
I agree this is bad.
It's a long time standing bug, see bug 135007, bug 62178.
Right now the backend code is missing the functionality to know whether an image was loaded over a secure connection or not.
I think the insecure image should be blocked by default (not loaded, not shown). This requires fixing of the above mentioned bugs.
I think this part of your bug report should be seen as a duplicate of bug 135007.
> Problem 2 :
> When I open Page Info for this page, I can the url in the Media tab. When I
> click on the url, I get the error-message in a dialog box. Yes, that's the old
> behavior.
The same is true for every context that can not do an error page, like mail connections in thunderbird.
> But if we're going to expand the error description in bug 398718
> (more text, a view button, whatever), then we have to know that there's less
> room available in the dialog box, then on a separate page.
Yes. That's one reason why I was hoping that our better explanations would be done in a separate help page. With that approach, both the "error page" and the "error dialog" could have a "help button" that opens the same detailed explanation.
Johnathan, maybe this example (get the short dialog even within Firefox) can make you interested in this idea?
> Problem 3 :
> When the URL is displayed in a frame, for instance when it's returned by
> Google's image search in
> <http://images.google.be/imgres?imgurl=http://www.zerozero.pt/img/logos/equipas/5110_equipa.gif&imgrefurl=http://www.zerozero.pt/uk/estadio.php%3Fid%3D951&h=72&w=57&sz=3&hl=nl&start=194&sig2=Ty2nuvI2gqlCu3BVtWkCTg&um=1&tbnid=qEOdpdu8wSIseM:&tbnh=69&tbnw=55&ei=AooOR-38D4WQwAHN5sHRCQ&prev=/images%3Fq%3Dchiva%2Bmanizales%26start%3D180%26ndsp%3D20%26svnum%3D10%26um%3D1%26hl%3Dnl%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26sa%3DN>,
> then we see the dialog box too. This different from when we see the page
> directly !
I'm afraid you are right here. Right now the core SSL code has trouble to detect all situations when using an error page would be possible.
This asks for an enhancement to the backend-to-SSL-layer interaction to make that information available more reliably.
I wrote a little bit about this in bug 370875 comment 6.
Comment 3•17 years ago
|
||
Regarding "Problem 3", I filed bug 399876
Comment 5•8 years ago
|
||
I don't think any dialogs are shown for certificate errors any longer - it's all the in-content error page or the broken image icon or whatever.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•