Closed
Bug 415857
Opened 16 years ago
Closed 14 years ago
Secure indicators remain even when plain HTTP redirects occurred
Categories
(Firefox :: Security, defect)
Tracking
RESOLVED
DUPLICATE
of bug 418354
People
(Reporter: James.H.Manger, Unassigned)
References
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008020504 Minefield/3.0b4pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008020504 Minefield/3.0b4pre

The Firefox secure site indicators (padlock, yellow background in address bar) are shown even when getting some of the content for the page (e.g. images, stylesheets, javascript) involved non-HTTPS connections.

Generally, an HTTPS page that gets some content via HTTP will cause the "mixed content" indicators (broken padlock, white background in address bar, optional security warning). However, if the HTTP redirects to an HTTPS page the secure indicators are shown instead.

This is incorrect (dangerously misleading). The HTTP link gives an active attacker the opportunity to redirect Firefox to any content of the attacker's choosing. It has to be HTTPS to keep the security indicators, but the domain name can be anything. It does not have to be a link explicitly mentioned by the original HTTPS web page, or any site that page delegated securely to.

Reproducible: Always

Steps to Reproduce:
1. On an HTTPS page, include an HTTP link (for an image, javascript, or stylesheet) that redirects to HTTPS.
2. Visit the HTTPS page.
3. Notice the security indicators that Firefox displays.

The bug can be seen in action at: https://sampletelco.info/bug/

Note: this site (and the one the redirects go to) uses certificates from a non-standard (demo) Certification Authority (CA), so you will get "untrusted certificate" warnings that are unrelated to this bug.

Actual Results: Firefox indicates that the site is secure (padlock, yellow address bar background).

Expected Results: Firefox should treat the site the same as one that mixes HTTPS and HTTP content (broken padlock, white address bar background, optional security warning).
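The indicator logic described in the report, as an added example (not code from the bug report or from Firefox): a subresource is modelled as its redirect chain, and the "final URL only" rule that the reporter observed is contrasted with the "every hop must be HTTPS" rule that the expected result implies. Host names and chains are constructed for the example.

```javascript
// A fetched subresource is modelled as the ordered list of URLs the browser
// requested for it: the URL written in the page, then each redirect target.
// These chains are constructed sample data, not from the bug report.
const SAMPLE_RESOURCES = [
  { kind: 'image',  chain: ['https://bank.example/logo.png'] },
  // http:// link in the page that redirects to an https:// host (the case in the bug)
  { kind: 'script', chain: ['http://cdn.example/app.js', 'https://cdn.example/app.js'] },
];

// Reported behaviour: only the URL the content finally came from is inspected,
// so a plaintext hop that merely redirects is overlooked.
function classifyByFinalUrl(chain) {
  const last = new URL(chain[chain.length - 1]);
  return last.protocol === 'https:' ? 'secure' : 'mixed';
}

// Expected behaviour: every hop must be https. A single plaintext hop lets an
// on-path attacker choose the redirect target (any https host), so the content
// is not protected by the page's own TLS session and must count as mixed.
function classifyByWholeChain(chain) {
  for (const hop of chain) {
    if (new URL(hop).protocol !== 'https:') return 'mixed';
  }
  return 'secure';
}

// Page-level indicator: the document itself must be https, and no subresource
// may be classified as mixed by the supplied rule.
function pageIndicator(pageUrl, resources, classify) {
  if (new URL(pageUrl).protocol !== 'https:') return 'insecure';
  const mixed = resources.filter((r) => classify(r.chain) === 'mixed');
  return mixed.length === 0 ? 'secure' : 'mixed';
}

// Evaluate the constructed page under both rules.
function demo() {
  const page = 'https://bank.example/account';
  return {
    reported: pageIndicator(page, SAMPLE_RESOURCES, classifyByFinalUrl),   // 'secure' (wrong)
    expected: pageIndicator(page, SAMPLE_RESOURCES, classifyByWholeChain), // 'mixed'
  };
}
```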
Summary: Secure indicators remain even when plain HTTP redirects occured → Secure indicators remain even when plain HTTP redirects occurred
Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE