Closed Bug 418040 Opened 16 years ago Closed 16 years ago

site loses verified identity after redirect

Categories: Core Graveyard :: Security: UI, defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED INVALID
People: Reporter: info, Assigned: KaiE
Keywords: relnote

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008021607 Minefield/3.0b4pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008021607 Minefield/3.0b4pre

In the explanation of Extended Validation (EV) SSL certificates in the release notes for FF3b3, the _Try it here!_ link goes to 
https://www.britishairways.com/
This is indeed green with more information, but after it redirects to https://www.britishairways.com/travel/home/public/en_us , the green certificate goes away.

Reproducible: Always

Steps to Reproduce:
1.  Go to https://www.britishairways.com/
2.  Wait until it redirects
Actual Results:  
The initial URL has the green section and clicking its "favicon" displays more info about britishairways.com.

But when it redirects I get a white URL, and "you are connected to an unverified site".

This happens even though for me, the redirect is to https://www.britishairways.com/travel/home/public/en_us , on the same apparent site.

If I paste the new URL into the location bar, it appears green with verification.

Expected Results:  
The green verified state shouldn't be lost.

It could be just a quirk of britishairways.com, I haven't found a similar situation on another secure site to try.  (FWIW charlesschwab.com's redirect for error pages doesn't lose its "green-ness".)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008021722 Minefield/3.0b4pre ID:2008021722
I see this too, but I see it with Opera 9.26 as well.
Version: unspecified → Trunk

Moving to Core->Security:UI since it sounds to me like the UI is responding to PSM signals that the site is, and then isn't, securely identified.

This bug MAY be INVALID, if PSM is doing this deliberately because britishairways is redirecting through an http link.  I'm not actually clear on the policy stance that PSM takes here, but I know Opera treats an https->http->https redirect as insecure, since that http link could have been tampered with.  Still, in this case it seems a little odd - if the top-level document at the end of the whole chain was served in an EV way, it feels like we can confidently assert its EV status.  On the other hand, it might not be the EV page they *wanted* to go to, since an attacker could reroute the http step to a site under their control with an EV cert.

All of this is conjecture though, moving to the component where the answers are.  :)
Assignee: nobody → kengert
Component: Location Bar and Autocomplete → Security: UI
OS: Windows XP → All
Product: Firefox → Core
QA Contact: location.bar → ui
Hardware: PC → All

I don't get an automatic redirect.

I start and go to https://www.britishairways.com/
shows green

Then I manually go to https://www.britishairways.com/travel/home/public/en_us

This brings me to a site with "mixed content", refer to the red icon in the lower right corner.

You don't get green, because of the mixed content.
I can see a script being loaded from plain http.

I think this bug is invalid.
Please reopen if you see something else.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
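
The two ways the thread describes a page losing its green indicator even though its own certificate is fine, a plain-http hop in the redirect chain (the Opera policy Johnathan mentions above) and a script loaded over http into an https page (the mixed content Kai found), modelled as an added example. This is not code from the bug thread, from Firefox or from PSM; the URLs, the HTML snippet and the `finalCertIsEV` flag are constructed assumptions.

```javascript
// Added example, not code from the bug thread or from Firefox/PSM. It models
// two reasons a browser would refuse to show the green EV indicator for a
// page whose own certificate is fine:
//   1. a plain-http hop after an https hop in the redirect chain (the policy
//      Johnathan attributes to Opera in the thread), and
//   2. active mixed content, e.g. a <script src="http://..."> pulled into an
//      https page (the cause Kai identified for the BA landing page).
// Every URL and HTML snippet below is constructed for illustration.

// Tags whose http:// subresources can execute in the page (active mixed
// content). <link rel=stylesheet> would belong here too; it is omitted to
// keep the attribute table simple.
const ACTIVE_ATTRS = { script: ['src'], iframe: ['src'], object: ['data'], embed: ['src'] };
// Tags whose http:// subresources are display-only (passive mixed content).
const PASSIVE_ATTRS = { img: ['src'], audio: ['src'], video: ['src'] };

// Small tokenizer returning { tag, name, value } for every attribute on every
// start tag. Adequate for well-formed markup; not a full HTML parser.
function extractAttributes(html) {
  const out = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) {
      out.push({ tag, name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] });
    }
  }
  return out;
}

// Resolve a possibly relative URL against the page and return its scheme,
// so "//cdn.example/x.js" on an https page counts as https, not mixed.
function schemeOf(value, pageUrl) {
  try { return new URL(value, pageUrl).protocol; } catch { return null; }
}

// Classify the http:// subresources of an https page.
function findMixedContent(pageUrl, html) {
  const active = [], passive = [];
  for (const { tag, name, value } of extractAttributes(html)) {
    if (schemeOf(value, pageUrl) !== 'http:') continue;
    if ((ACTIVE_ATTRS[tag] || []).includes(name)) active.push({ tag, url: value });
    else if ((PASSIVE_ATTRS[tag] || []).includes(name)) passive.push({ tag, url: value });
  }
  return { active, passive };
}

// True if the chain dropped to plain http after it had already been https.
// A user who typed http://example.com and was redirected to https is fine;
// https -> http -> https is not, since the http hop could have been rewritten
// by an attacker to point at any EV site of their choosing.
function chainHasDowngrade(chain) {
  let seenHttps = false;
  for (const url of chain) {
    if (url.startsWith('https://')) seenHttps = true;
    else if (seenHttps && url.startsWith('http://')) return true;
  }
  return false;
}

// Decide the indicator for the final page. `chain` lists the URLs visited
// during navigation, final page last; `finalCertIsEV` stands in for the
// result of validating the final page's certificate (assumed, not computed).
// Returns one of: 'ev', 'secure', 'secure-degraded', 'insecure'.
function securityIndicator({ chain, finalCertIsEV, html }) {
  const finalUrl = chain[chain.length - 1];
  if (!finalUrl.startsWith('https://')) return 'insecure';
  if (chainHasDowngrade(chain)) return 'insecure';
  const mixed = findMixedContent(finalUrl, html);
  if (mixed.active.length > 0) return 'insecure';        // "unverified site"
  if (mixed.passive.length > 0) return 'secure-degraded'; // lock, but no green
  return finalCertIsEV ? 'ev' : 'secure';
}

// Constructed sample: an https landing page that loads one script over http.
const SAMPLE_CHAIN = ['https://www.example.com/', 'https://www.example.com/travel/home/public/en_us'];
const SAMPLE_HTML = `
<html><head>
<script src="https://www.example.com/js/main.js"></script>
<script src="http://www.example.com/js/tracking.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body><img src="//static.example.com/logo.png"></body></html>`;

console.log(securityIndicator({ chain: SAMPLE_CHAIN, finalCertIsEV: true, html: SAMPLE_HTML }));
```

Run with `node`: the sample page resolves to `insecure` because of the single `http://` script, even though the redirect chain stayed on https and the certificate is assumed EV. Pasting the final URL into the location bar and getting green, as the reporter saw, does not contradict this: the indicator is recomputed from whatever the page loads on that visit, so a cached or conditionally loaded script changes the result.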

Kai,
I probably get redirected because I have BA_COUNTRY_CHOICE_COOKIE set (to "US").

Thanks for explaining why the U.S. landing page isn't green.

Since quite a few FF3 users will get redirected, the release notes (currently http://en.www.mozilla.com/en/firefox/3.0b3/releasenotes/) should use a different URL than https://www.britishairways.com/ as the "Try it here!" example for "the site favicon button will turn green and show the name of the company you're connected to". I filed bug 419151 for that bug; I agree this one is RESOLVED INVALID.

Mike, this bug proposes the Firefox release notes shall not point to britishairways as an EV example site.
Keywords: relnote
Product: Core → Core Graveyard