Closed
Bug 405145
Opened 17 years ago
Closed 17 years ago
Mixed SSL/non-SSL content reporting inconsistent between standard and EV Certs
Categories
(Core Graveyard :: Security: UI, defect, P2)
Core Graveyard
Security: UI
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: wgianopoulos, Assigned: wgianopoulos)
References
Details
Attachments
(1 file)
1002 bytes,
patch
|
KaiE
:
review+
damons
:
approval1.9+
|
Details | Diff | Splinter Review |
If you visit an https site that presents a non-EV Certificate that has mixed SSL and non-SSL content on the page, Larry gives the same indications as if the site had no certificate and was not encrypted at all.
If you do the same on a website that presents an EV Certificate, you get the Identity Verified green checkmark plus the text stating that the site is encrypted to prevent eavesdropping. This behavior is not terribly consistent.
In my opinion, both results are incorrect. I don't think the mix of SSL and non-SSL content should really change the display relative to the site identity. After all, that really only refers to the identity of the site mentioned in the URL. As far as I know, in the it is all SSL case, that is all that is checked for, that it is all SSL. It matters not if all the content comes from the same server, uses the same certificate or comes from the same domain, just hat it is all encrypted. So, as ling as the Identity indicator does not say all the content comes from these people as identified by this certificate, as far as the Identity part goes whether or on it is all encrypted is immaterial.
As far as the mixed content goes, I thing the text at the bottom about encryption needs to be altered to say something to the effect that not all the content is encrypted.
Flags: blocking-firefox3?
Updated•17 years ago
|
Assignee: nobody → johnath
Flags: blocking-firefox3? → blocking-firefox3+
Priority: -- → P2
Comment 1•17 years ago
|
||
In the case where the site is mixing SSL content with non-SSL content, whether
the SSL is EV or not, the identity really should be presented as unconfirmed.
Asserting the identity of the page implies that what you are seeing is what the
site intended you to see, but if there are non-SSL parts to that content, then
they can be altered undetectably, so we can no longer say "yes, this is paypal,
and you can make decisions about this site based on your trust relationship
with paypal" since parts of it could be from non-paypal sources.
Now, if SSL-verified paypal.com links to other sites using SSL connections, if
they have image hosting off-site for instance, we can still confidently assert
paypal's identity as the top level site, since we can confirm the identity and
integrity of the base page, and of all the content. But in any event, there
shouldn't be a difference in this behaviour between EV and SSL. Either we can
confirm the content or we can't.
There are several bugs already on breakages in our mixed content detection, but
this is the first I've heard of EV and SSL getting different treatments.
Moving to PSM, since (unless there's a bug there that I'm not aware of) Firefox
just reflects the security state as sent from PSM.
Assignee: johnath → kengert
Component: General → Security: UI
Flags: blocking-firefox3+
Product: Firefox → Core
QA Contact: general → ui
Assignee | ||
Comment 2•17 years ago
|
||
OK. Unfortunately the only testcase I have for this is not with a Versign certificate.
The site is https://getbids.com/ which uses a Comodo EV certificate, so in order to see the issue you need to add the following to nsIdentityChecking.cpp:
{
"1.3.6.1.4.1.6449.1.2.1.5.1",
"Comodo EV OID",
SEC_OID_UNKNOWN,
"CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US",
"CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US",
"04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7"
},
Assignee | ||
Comment 3•17 years ago
|
||
(In reply to comment #1)
> Moving to PSM, since (unless there's a bug there that I'm not aware of) Firefox
> just reflects the security state as sent from PSM.
>
Well, I am beginning to think this has to be a Firefox bug, as the padlock in the status bar as well as pageinfo show the correct information. It is just Larry that does not.
Assignee | ||
Comment 4•17 years ago
|
||
Although I suppose the code here:
http://lxr.mozilla.org/seamonkey/source/security/manager/boot/src/nsSecureBrowserUIImpl.cpp#1153
could be modified to only set STATE_IDENTITY_EV_TOPLEVEL if STATE_IS_SECURE is already set.
Assignee | ||
Comment 5•17 years ago
|
||
This resolves the issue for me.
Assignee: kengert → wgianopoulos
Status: NEW → ASSIGNED
Assignee | ||
Updated•17 years ago
|
Attachment #289973 -
Flags: review?(rrelyea)
Assignee | ||
Comment 6•17 years ago
|
||
This alters the EV cert case to work identically to the way the non-EV cert case currently does.
Comment 7•17 years ago
|
||
Comment on attachment 289973 [details] [diff] [review]
Patch v1
I think this makes a lot of sense. Thanks.
Attachment #289973 -
Flags: review?(rrelyea)
Attachment #289973 -
Flags: review+
Attachment #289973 -
Flags: approval1.9?
Updated•17 years ago
|
Attachment #289973 -
Flags: approval1.9? → approval1.9+
Updated•17 years ago
|
Keywords: checkin-needed
Updated•17 years ago
|
Attachment #289973 -
Attachment description: like this? → Patch v1
Comment 8•17 years ago
|
||
Fixed as part of check in for bug 402574.
Bill, thanks a lot for your help!
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•