Closed Bug 415857 Opened 13 years ago Closed 10 years ago

Secure indicators remain even when plain HTTP redirects occurred

Categories: Firefox :: Security, defect
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: normal


RESOLVED DUPLICATE of bug 418354

People

(Reporter: James.H.Manger, Unassigned)


Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008020504 Minefield/3.0b4pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008020504 Minefield/3.0b4pre

The Firefox secure site indicators (padlock, yellow background in address bar) are shown even when getting some of the content for the page (eg images, stylesheets, javascript) involved non-https connections.

Generally, an HTTPS page that gets some content via HTTP will cause the "mixed content" indicators (broken padlock, white background in address bar, optional security warning). However, if the HTTP request redirects to an HTTPS URL, the secure indicators are shown instead.

This is incorrect (dangerously misleading).

The HTTP link gives an active attacker the opportunity to redirect Firefox to any content of the attacker's choosing. It has to be HTTPS to keep the security indicators, but the domain name can be anything. It does not have to be a link explicitly mentioned by the original HTTPS web page, or any site that page delegated securely to.

Reproducible: Always

Steps to Reproduce:
1. On an HTTPS page, include an HTTP link (for an image, javascript, or stylesheet) that redirects to HTTPS.
2. Visit the HTTPS page.
3. Notice the security indicators that Firefox displays.

The bug can be seen in action at:
  https://sampletelco.info/bug/
Note: this site (and the one the redirects go to) use certificates from a non-standard (demo) Certification Authority (CA), so you will get "untrusted certificate" warnings that are unrelated to this bug.

Actual Results:
Firefox indicates that the site is secure (padlock, yellow address bar background).

Expected Results:
Firefox should treat the site the same as one that mixes HTTPS and HTTP content (broken padlock, white address bar background, optional security warning).
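The indicator rule the report argues for, written out as an added example (not Firefox code, and not from the reporter): a page's security state is derived from every hop of each subresource's redirect chain, not just the URL that finally answered. The sample loads, the `example.test` hostnames and the `finalOnly` switch are constructed for this example; `finalOnly` only exists to reproduce the flawed final-URL-only behaviour the report describes, next to the full-chain check it should be.

```javascript
// Added example, not Firefox code: how a browser (or a site audit tool)
// should derive the security state of an HTTPS page from its subresource
// loads. Each load records every URL in its redirect chain, from the URL
// the page referenced to the URL that finally answered.

// Constructed sample data. The script is the case from the report:
// referenced over plain HTTP, then redirected to HTTPS.
const PAGE_URL = 'https://example.test/';
const PAGE_LOADS = [
  { kind: 'image',      chain: ['https://example.test/logo.png'] },
  { kind: 'script',     chain: ['http://example.test/app.js',
                                'https://example.test/app.js'] },
  { kind: 'stylesheet', chain: ['https://cdn.example.test/site.css'] },
];

function isSecureUrl(url) {
  return new URL(url).protocol === 'https:';
}

// Hops in a redirect chain that were fetched over plain HTTP. Such a hop is
// the point where an on-path party could substitute its own redirect target,
// so a final HTTPS URL says nothing about whether the page chose that resource.
function insecureHops(chain) {
  return chain.filter((url) => !isSecureUrl(url));
}

// Returns { state, findings }: state is 'insecure' (the page itself is not
// HTTPS), 'mixed' (some subresource touched plain HTTP) or 'secure'.
// finalOnly is a hypothetical switch used only to reproduce the flawed
// behaviour the report describes: inspecting just the final response URL.
function pageSecurityState(pageUrl, loads, { finalOnly = false } = {}) {
  if (!isSecureUrl(pageUrl)) {
    return { state: 'insecure', findings: [] };
  }
  const findings = [];
  for (const load of loads) {
    const finalUrl = load.chain[load.chain.length - 1];
    const hopsToCheck = finalOnly ? [finalUrl] : load.chain;
    for (const hop of insecureHops(hopsToCheck)) {
      findings.push({ kind: load.kind, insecureHop: hop, finalUrl });
    }
  }
  return { state: findings.length > 0 ? 'mixed' : 'secure', findings };
}

// The final-URL-only rule reports 'secure'; the full-chain rule reports
// 'mixed' and names the plain-HTTP hop and the resource kind it belonged to.
console.log(JSON.stringify(pageSecurityState(PAGE_URL, PAGE_LOADS, { finalOnly: true })));
console.log(JSON.stringify(pageSecurityState(PAGE_URL, PAGE_LOADS)));
```

The same function doubles as the check for the reproduction steps above: feed it the subresource URLs of an HTTPS page together with the redirect hops observed while loading them, and any finding with an `http:` hop is a load whose content was chosen by whoever answered that plaintext request, whatever origin the chain ended on.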
Summary: Secure indicators remain even when plain HTTP redirects occured → Secure indicators remain even when plain HTTP redirects occurred
Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
Resolution: INCOMPLETE → DUPLICATE
Duplicate of bug: 418354