Closed Bug 41863 Opened 24 years ago Closed 24 years ago

Padlock icon showing mixed or unlocked for secure sites, no security warning message when entering site

Categories

(Core :: Security: PSM, defect, P3)

Product:
Core
Component:
Security: PSM
Version:
1.0 Branch
Type:
defect

Tracking

()

Status:
VERIFIED WORKSFORME

People

(Reporter: cheng, Assigned: jud)

References

(
URL
)

Details

(Whiteboard: [nsbeta2-])

Attachments

(1 file)

fixes flag_is_request checks
967 bytes, patch
Details | Diff | Splinter Review 
For two sites that I frequently access:

https://webbanking.tdaccess.com/
https://webbroker1.tdwaterhouse.ca/

Mozilla always show the padlock icon with a red line through it. When I clicked
on the icon, PSM says that the site does not support authentication or
encryption. I don't know of other sites with the same problem. I can access
these sites fine with Netscape 4.73 just fine, and Netscape 4.73 says that the
site's certificates and encryption are just fine.
setting bug status to New
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assigning to dougt. There does not appear to be any insecure content on 
https://webbanking.tdaccess.com/.
Assignee: lord → dougt
QA Contact: lord → junruh
Summary: Padlock icon not showing secure for secure sites → Padlock icon showing mixed for secure sites
Reassigning all https/cartman/security bugs to valeski.  He will be finding new 
owner(s).  This shift is so that I can focus on embedding issues.  If the new 
owner has questions that can not be resovled, I may be able to lend a (quick) 
hand.

over to valeski....
Assignee: dougt → valeski
Keywords: nsbeta2
OS: Linux → All
Hardware: PC → All
Version: 1.1 → 1.2
Putting on [NEED INFO] radar. PDT needs to know impact to user and risk of fix 
to make a call on this bug. Can we get this tested with the latest builds and 
get and updated status on this problem.
Whiteboard: [NEED INFO]
This is still happening with today's builds. The impact to the user is that he 
can get the impression that entering his password to login to his bank account 
is insecure, even though the site really is secure. 

Also, if you click on the lock icon, you can read "The web site 
webbanking.tdaccess.com does not support authentication for the page you are 
viewing." This is incorrect. It should say "The web site webbanking.tdaccess.com 
supports authentication  for the
 page you are viewing. The identity of this web site has been verified by
 OU=Secure Server Certification Authority, O="RSA Data Security, Inc.",
 C=US, a certificate authority you trust for this purpose. "
Putting on [nsbeta2-] radar. Not critical to beta2.  Adding "nsbeta3" keyword 
for consideration of a fix for that milestone.
Keywords: nsbeta3
Whiteboard: [NEED INFO] → [nsbeta2-]
this is still valid on 2000-070220. What's more - i suspect the output is right
about the transaction being insecure - i couldn't see the usual psm processes
running with a ps -ef
What indicates it's a secure transaction at all? All output indiactes the
contrary. I wouldn't dare use this one for my bank transactions currently.

This is the info i get from PSM:

Web Site Identity Not Verified
The web site web.nor.no does not support authentication for the page you are
viewing. Without authentication, the origin of information sent over the
Internet cannot be verified. Connection

Not Encrypted
The web site web.nor.no does not support encryption for the page you are
viewing. Information sent over the Internet without encryption can be seen by
other people while it is in transit.
I just checked on 2000070120, and I can certainly see the psm processes
running.  What's more is that the page took extremely long to load, just like
any other encrypted page.  And it seems to me that it is probably encrypted...
An interesting note:  when I log out of the banking site, I got to the page at:

  https://www.tdbank.ca/webbanking/logout/index.html

and if you click on the padlock it shows that everything is encrypted.
Blocks: 31344
Could this be an instance of bug 45337 ?

on the order page for http://www.omnisky.com/products , there is no popup
message telling the user that the site is secure, plus the padlock icon does not
change at all. but if you hit continue w/o entering more info, the error page
does show up w/ the right security padlock, still no "this site is secure" popup
message though. This is on a cvs Linux build from 0720.
https://www.microsoft.com exhibits that red cross behavior.
Summary: Padlock icon showing mixed for secure sites → Padlock icon showing mixed or unlocked for secure sites, no security warning message when entering site
This also occurs on https://scopus.mcom.com/bugsplat
I have confirmed this is caused by bug 45337.
Depends on: 45337
Depends on: 46739
another problem is that we are check the flags on flag_is_request not
flag_is_network.  I am attaching a diff which will fix some of the problems.
Blocks: 18687
No longer depends on: 46739
Blocks: 48444
Worksforme now.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → VERIFIED
Verified with the 081804 Win32 and Linux builds.
Product: PSM → Core
Version: psm1.2 → 1.0 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: