Bug 403591 - Mixed content explanations misleading
Status: NEW
: uiwanted
Product: Firefox
Classification: Client Software
Component: Security
: Trunk
: All All
-- normal with 1 vote
: ---
Assigned To: Nobody; OK to take it and work on it
Reported: 2007-11-13 00:35 PST by Adam Barth
Modified: 2015-03-17 06:40 PDT

Proposed changes to explanations. (3.45 KB, patch)
2007-11-13 00:38 PST, Adam Barth

Description Adam Barth 2007-11-13 00:35:58 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20071025 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20071025 Firefox/

The descriptions of mixed content in the Firefox user interface are misleading.  The current explanations emphasize the confidentiality but do not mention integrity even though integrity is essential to the security of the browsing session.

By not explaining the threat correctly, the browser is mis-educating site developers and encouraging them to continue building insecure sites.  In particular, it is not clear why embedding an http script in an https page is dangerous.

Reproducible: Always

Steps to Reproduce:
1) Navigate to <>.
2) Click on Larry.
3) Click on learn more, etc.
Actual Results:  
The text describes confidentiality only---ignoring integrity.

Expected Results:  
The text should consider that an attacker might modify the content as it travels over the network.
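
As an added illustration of the integrity point in the description above (not part of the bug report or of Firefox's code), this Python scanner lists the http subresources of an https page and marks those whose modification in transit would change what the page does. The tag classification, the `scan` helper and the `.example` hosts are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Subresources that run in, frame into, or restyle the embedding page: if they are
# modified on the network, the https page itself is altered (assumed classification).
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
# Subresources that are only displayed or played (assumed classification).
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><head>
<script src="http://cdn.example/lib.js"></script>
<script src="//cdn.example/ok.js"></script>
<link rel="stylesheet" href="/site.css">
</head><body>
<img src="http://img.example/logo.png">
</body></html>"""

class MixedContentScanner(HTMLParser):
    """Collect http:// subresources referenced by a page served over https."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # base URL used to resolve relative references
        self.findings = []        # (risk, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "base" and a.get("href"):
            # <base href> changes how every later relative URL resolves
            self.base = urljoin(self.base, a["href"])
            return
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            risk, ref = "integrity", a.get("href")
        elif tag in ACTIVE:
            risk, ref = "integrity", a.get(ACTIVE[tag])
        elif tag in PASSIVE:
            risk, ref = "display", a.get(PASSIVE[tag])
        else:
            return
        url = urljoin(self.base, ref) if ref else ""
        if urlparse(url).scheme == "http":
            self.findings.append((risk, tag, url))

def scan(page_url, html):
    """Return mixed-content findings; pages not served over https have none."""
    if urlparse(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```

Findings tagged `integrity` are the ones the proposed explanations would need to cover: the page's behaviour, not just its privacy, depends on content fetched without TLS.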
Comment 1 Adam Barth 2007-11-13 00:38:00 PST
Created attachment 288460
Proposed changes to explanations.

Attached are our proposed changes to the explanations.
