Padlock icon showing mixed or unlocked for secure sites, no security warning message when entering site

VERIFIED WORKSFORME

Status

()

Core
Security: PSM
P3
normal
VERIFIED WORKSFORME
18 years ago
10 years ago

People

(Reporter: cheng, Assigned: Judson Valeski)

Tracking

1.0 Branch
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nsbeta2-], URL)

Attachments

(1 attachment)

(Reporter)

Description

18 years ago
For two sites that I frequently access:

https://webbanking.tdaccess.com/
https://webbroker1.tdwaterhouse.ca/

Mozilla always show the padlock icon with a red line through it. When I clicked
on the icon, PSM says that the site does not support authentication or
encryption. I don't know of other sites with the same problem. I can access
these sites fine with Netscape 4.73 just fine, and Netscape 4.73 says that the
site's certificates and encryption are just fine.

Comment 1

18 years ago
setting bug status to New
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 2

18 years ago
Assigning to dougt. There does not appear to be any insecure content on 
https://webbanking.tdaccess.com/.
Assignee: lord → dougt
QA Contact: lord → junruh
Summary: Padlock icon not showing secure for secure sites → Padlock icon showing mixed for secure sites

Comment 3

18 years ago
Reassigning all https/cartman/security bugs to valeski.  He will be finding new 
owner(s).  This shift is so that I can focus on embedding issues.  If the new 
owner has questions that can not be resovled, I may be able to lend a (quick) 
hand.

over to valeski....
Assignee: dougt → valeski

Updated

18 years ago
Keywords: nsbeta2
OS: Linux → All
Hardware: PC → All
Version: 1.1 → 1.2

Comment 4

18 years ago
Putting on [NEED INFO] radar. PDT needs to know impact to user and risk of fix 
to make a call on this bug. Can we get this tested with the latest builds and 
get and updated status on this problem.
Whiteboard: [NEED INFO]

Comment 5

18 years ago
This is still happening with today's builds. The impact to the user is that he 
can get the impression that entering his password to login to his bank account 
is insecure, even though the site really is secure. 

Also, if you click on the lock icon, you can read "The web site 
webbanking.tdaccess.com does not support authentication for the page you are 
viewing." This is incorrect. It should say "The web site webbanking.tdaccess.com 
supports authentication  for the
 page you are viewing. The identity of this web site has been verified by
 OU=Secure Server Certification Authority, O="RSA Data Security, Inc.",
 C=US, a certificate authority you trust for this purpose. "

Comment 6

18 years ago
Putting on [nsbeta2-] radar. Not critical to beta2.  Adding "nsbeta3" keyword 
for consideration of a fix for that milestone. 
Keywords: nsbeta3
Whiteboard: [NEED INFO] → [nsbeta2-]

Comment 7

18 years ago
this is still valid on 2000-070220. What's more - i suspect the output is right
about the transaction being insecure - i couldn't see the usual psm processes
running with a ps -ef
What indicates it's a secure transaction at all? All output indiactes the
contrary. I wouldn't dare use this one for my bank transactions currently.

This is the info i get from PSM:

Web Site Identity Not Verified
The web site web.nor.no does not support authentication for the page you are
viewing. Without authentication, the origin of information sent over the
Internet cannot be verified. Connection

Not Encrypted
The web site web.nor.no does not support encryption for the page you are
viewing. Information sent over the Internet without encryption can be seen by
other people while it is in transit.
(Reporter)

Comment 8

18 years ago
I just checked on 2000070120, and I can certainly see the psm processes
running.  What's more is that the page took extremely long to load, just like
any other encrypted page.  And it seems to me that it is probably encrypted...
(Reporter)

Comment 9

18 years ago
An interesting note:  when I log out of the banking site, I got to the page at:

  https://www.tdbank.ca/webbanking/logout/index.html

and if you click on the padlock it shows that everything is encrypted.

Updated

18 years ago
Blocks: 31344

Comment 10

18 years ago
Could this be an instance of bug 45337 ?

Comment 11

18 years ago
on the order page for http://www.omnisky.com/products , there is no popup
message telling the user that the site is secure, plus the padlock icon does not
change at all. but if you hit continue w/o entering more info, the error page
does show up w/ the right security padlock, still no "this site is secure" popup
message though. This is on a cvs Linux build from 0720.
https://www.microsoft.com exhibits that red cross behavior.
Summary: Padlock icon showing mixed for secure sites → Padlock icon showing mixed or unlocked for secure sites, no security warning message when entering site

Comment 12

18 years ago
This also occurs on https://scopus.mcom.com/bugsplat
I have confirmed this is caused by bug 45337.
Depends on: 45337

Updated

18 years ago
Depends on: 46739

Comment 13

18 years ago
another problem is that we are check the flags on flag_is_request not
flag_is_network.  I am attaching a diff which will fix some of the problems.

Comment 14

18 years ago
Created attachment 12175 [details] [diff] [review]
fixes flag_is_request checks

Updated

18 years ago
Blocks: 18687

Updated

18 years ago
No longer depends on: 46739

Updated

18 years ago
Blocks: 48444

Comment 15

18 years ago
Worksforme now.
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → WORKSFORME

Updated

18 years ago
Status: RESOLVED → VERIFIED

Comment 16

18 years ago
Verified with the 081804 Win32 and Linux builds.

Updated

14 years ago
Component: Security: PSM → Security: PSM
Product: PSM → Core

Updated

10 years ago
Version: psm1.2 → 1.0 Branch
You need to log in before you can comment on or make changes to this bug.