Closed Bug 41863 Opened 25 years ago Closed 25 years ago

Padlock icon showing mixed or unlocked for secure sites, no security warning message when entering site

Categories

(Core :: Security: PSM, defect, P3)

Product:
Core
Component:
Security: PSM
Version:
1.0 Branch
Type:
defect

Tracking

()

Status:
VERIFIED WORKSFORME

People

(Reporter: cheng, Assigned: jud)

References

(
URL
)

Details

(Whiteboard: [nsbeta2-])

Attachments

(1 file)

fixes flag_is_request checks
967 bytes, patch
Details | Diff | Splinter Review
For two sites that I frequently access: https://webbanking.tdaccess.com/ https://webbroker1.tdwaterhouse.ca/ Mozilla always show the padlock icon with a red line through it. When I clicked on the icon, PSM says that the site does not support authentication or encryption. I don't know of other sites with the same problem. I can access these sites fine with Netscape 4.73 just fine, and Netscape 4.73 says that the site's certificates and encryption are just fine.
setting bug status to New
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assigning to dougt. There does not appear to be any insecure content on https://webbanking.tdaccess.com/.
Assignee: lord → dougt
QA Contact: lord → junruh
Summary: Padlock icon not showing secure for secure sites → Padlock icon showing mixed for secure sites
Reassigning all https/cartman/security bugs to valeski. He will be finding new owner(s). This shift is so that I can focus on embedding issues. If the new owner has questions that can not be resovled, I may be able to lend a (quick) hand. over to valeski....
Assignee: dougt → valeski
Keywords: nsbeta2
OS: Linux → All
Hardware: PC → All
Version: 1.1 → 1.2
Putting on [NEED INFO] radar. PDT needs to know impact to user and risk of fix to make a call on this bug. Can we get this tested with the latest builds and get and updated status on this problem.
Whiteboard: [NEED INFO]
This is still happening with today's builds. The impact to the user is that he can get the impression that entering his password to login to his bank account is insecure, even though the site really is secure. Also, if you click on the lock icon, you can read "The web site webbanking.tdaccess.com does not support authentication for the page you are viewing." This is incorrect. It should say "The web site webbanking.tdaccess.com supports authentication for the page you are viewing. The identity of this web site has been verified by OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US, a certificate authority you trust for this purpose. "
Putting on [nsbeta2-] radar. Not critical to beta2. Adding "nsbeta3" keyword for consideration of a fix for that milestone.
Keywords: nsbeta3
Whiteboard: [NEED INFO] → [nsbeta2-]
this is still valid on 2000-070220. What's more - i suspect the output is right about the transaction being insecure - i couldn't see the usual psm processes running with a ps -ef What indicates it's a secure transaction at all? All output indiactes the contrary. I wouldn't dare use this one for my bank transactions currently. This is the info i get from PSM: Web Site Identity Not Verified The web site web.nor.no does not support authentication for the page you are viewing. Without authentication, the origin of information sent over the Internet cannot be verified. Connection Not Encrypted The web site web.nor.no does not support encryption for the page you are viewing. Information sent over the Internet without encryption can be seen by other people while it is in transit.
I just checked on 2000070120, and I can certainly see the psm processes running. What's more is that the page took extremely long to load, just like any other encrypted page. And it seems to me that it is probably encrypted...
An interesting note: when I log out of the banking site, I got to the page at: https://www.tdbank.ca/webbanking/logout/index.html and if you click on the padlock it shows that everything is encrypted.
Blocks: 31344
Could this be an instance of bug 45337 ?
on the order page for http://www.omnisky.com/products , there is no popup message telling the user that the site is secure, plus the padlock icon does not change at all. but if you hit continue w/o entering more info, the error page does show up w/ the right security padlock, still no "this site is secure" popup message though. This is on a cvs Linux build from 0720. https://www.microsoft.com exhibits that red cross behavior.
Summary: Padlock icon showing mixed for secure sites → Padlock icon showing mixed or unlocked for secure sites, no security warning message when entering site
This also occurs on https://scopus.mcom.com/bugsplat I have confirmed this is caused by bug 45337.
Depends on: 45337
Depends on: 46739
another problem is that we are check the flags on flag_is_request not flag_is_network. I am attaching a diff which will fix some of the problems.
Blocks: 18687
No longer depends on: 46739
Blocks: 48444
Worksforme now.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → VERIFIED
Verified with the 081804 Win32 and Linux builds.
Product: PSM → Core
Version: psm1.2 → 1.0 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: