Bug 41863 (Closed)
Padlock icon showing mixed or unlocked for secure sites, no security warning message when entering site
Opened 24 years ago. Closed 24 years ago.
Status: VERIFIED WORKSFORME
Categories: Core :: Security: PSM, defect, P3
People: Reporter: cheng, Assigned: jud
Whiteboard: [nsbeta2-]
Attachments: 1 file (patch, 967 bytes)
For two sites that I frequently access, https://webbanking.tdaccess.com/ and https://webbroker1.tdwaterhouse.ca/, Mozilla always shows the padlock icon with a red line through it. When I clicked on the icon, PSM says that the site does not support authentication or encryption. I don't know of other sites with the same problem. I can access these sites just fine with Netscape 4.73, and Netscape 4.73 says that the site's certificates and encryption are just fine.
Comment 2•24 years ago
Assigning to dougt. There does not appear to be any insecure content on https://webbanking.tdaccess.com/.
Assignee: lord → dougt
QA Contact: lord → junruh
Summary: Padlock icon not showing secure for secure sites → Padlock icon showing mixed for secure sites
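The check described in Comment 2 (looking for insecure content on an https page), as an added example that is not part of the bug report or of Mozilla's code: a static scan of saved page markup for subresources referenced over http://, giving the padlock state a correct browser would be expected to show. The state names, function names and sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource as part of the page.
# <a href> is navigation, not page content, so it is deliberately ignored.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "embed": "src", "object": "data", "input": "src", "body": "background",
}

class SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # updated if the page carries <base href>
        self.urls = []            # absolute URLs of every subresource found

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
            return
        if tag == "link" and attrs.get("href"):
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel or "icon" in rel:
                self.urls.append(urljoin(self.base, attrs["href"]))
            return
        name = SUBRESOURCE_ATTRS.get(tag)
        if name and attrs.get(name):
            self.urls.append(urljoin(self.base, attrs[name]))

def expected_padlock(page_url, html):
    """Return (state, insecure_urls); state is 'insecure', 'mixed' or 'secure'."""
    if urlsplit(page_url).scheme != "https":
        return "insecure", []
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    insecure = [u for u in collector.urls if urlsplit(u).scheme == "http"]
    return ("mixed" if insecure else "secure"), insecure

# Constructed sample pages (not taken from the sites named in the bug).
CLEAN_PAGE = ('<html><body><img src="/img/logo.gif">'
              '<script src="https://example.test/a.js"></script>'
              '<a href="http://example.test/help">help</a></body></html>')
MIXED_PAGE = ('<html><frameset><frame src="login.html">'
              '<frame src="http://example.test/banner.html"></frameset></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("mixed", MIXED_PAGE)):
        print(name, expected_padlock("https://example.test/index.html", page))
```

A "secure" result here while the browser shows a mixed or broken padlock points at the browser's state tracking rather than the site; the scan does not see resources loaded by scripts or by CSS `url()` references.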
Comment 3•24 years ago
Reassigning all https/cartman/security bugs to valeski. He will be finding new owner(s). This shift is so that I can focus on embedding issues. If the new owner has questions that can not be resolved, I may be able to lend a (quick) hand. Over to valeski....
Assignee: dougt → valeski
Comment 4•24 years ago
Putting on [NEED INFO] radar. PDT needs to know impact to user and risk of fix to make a call on this bug. Can we get this tested with the latest builds and get an updated status on this problem?
Whiteboard: [NEED INFO]
Comment 5•24 years ago
This is still happening with today's builds. The impact to the user is that he can get the impression that entering his password to login to his bank account is insecure, even though the site really is secure. Also, if you click on the lock icon, you can read "The web site webbanking.tdaccess.com does not support authentication for the page you are viewing." This is incorrect. It should say "The web site webbanking.tdaccess.com supports authentication for the page you are viewing. The identity of this web site has been verified by OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US, a certificate authority you trust for this purpose."
Comment 6•24 years ago
Putting on [nsbeta2-] radar. Not critical to beta2. Adding "nsbeta3" keyword for consideration of a fix for that milestone.
Keywords: nsbeta3
Whiteboard: [NEED INFO] → [nsbeta2-]
This is still valid on 2000-070220. What's more - I suspect the output is right about the transaction being insecure - I couldn't see the usual psm processes running with a ps -ef. What indicates it's a secure transaction at all? All output indicates the contrary. I wouldn't dare use this one for my bank transactions currently. This is the info I get from PSM:
Web Site Identity Not Verified
The web site web.nor.no does not support authentication for the page you are viewing. Without authentication, the origin of information sent over the Internet cannot be verified.
Connection Not Encrypted
The web site web.nor.no does not support encryption for the page you are viewing. Information sent over the Internet without encryption can be seen by other people while it is in transit.
I just checked on 2000070120, and I can certainly see the psm processes running. What's more is that the page took extremely long to load, just like any other encrypted page. And it seems to me that it is probably encrypted...
An interesting note: when I log out of the banking site, I got to the page at: https://www.tdbank.ca/webbanking/logout/index.html and if you click on the padlock it shows that everything is encrypted.
Comment 10•24 years ago
Could this be an instance of bug 45337?
Comment 11•24 years ago
On the order page for http://www.omnisky.com/products, there is no popup message telling the user that the site is secure, plus the padlock icon does not change at all. But if you hit continue w/o entering more info, the error page does show up w/ the right security padlock, still no "this site is secure" popup message though. This is on a cvs Linux build from 0720. https://www.microsoft.com exhibits that red cross behavior.
Summary: Padlock icon showing mixed for secure sites → Padlock icon showing mixed or unlocked for secure sites, no security warning message when entering site
Comment 12•24 years ago
This also occurs on https://scopus.mcom.com/bugsplat I have confirmed this is caused by bug 45337.
Depends on: 45337
Comment 13•24 years ago
Another problem is that we are checking the flags on flag_is_request, not flag_is_network. I am attaching a diff which will fix some of the problems.
Comment 14•24 years ago
Comment 15•24 years ago
Worksforme now.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
Updated•24 years ago
Status: RESOLVED → VERIFIED
Comment 16•24 years ago
Verified with the 081804 Win32 and Linux builds.