Closed Bug 420266 Opened 17 years ago Closed 17 years ago

"page info" claims that "about:" URLs transmit unencrypted info over network

Categories

(Firefox :: Page Info Window, defect)

Product:
Firefox
Component:
Page Info Window
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: kilobyte, Unassigned)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3 Both the short-hand security info (at the left edge of the address box) and "Page info" consider "about:" URLs to be located on remote sites. The user is warned about lack of verification of the site's identity, and is told that "unencrypted data is transmitted over network". Reproducible: Always Steps to Reproduce: 1. go to about:blank or similar 2. click security info just next to the address box 3. be told that you're connecting to an unverified site Same works with Tools|Page Info Actual Results: "Connection Not Encrypted" "The page you are viewing is not encrypted." "Information sent over the Internet without encryption can be seen by other people while it is in transit." Expected Results: "Local Page" "The page you are viewing is stored locally, and was not transmitted over the network."
Version: unspecified → Trunk
Page Info says the same thing about <http://127.0.0.1/>, and that's actually correct. You can't guarantee that a local page will never touch the network, it might load an image form a remote site for instance. And there's actually an about: page that really loads external data : about:credits loads it from <http://www.mozilla.org/credits/>
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
The FBI makes a good point :) Nevertheless, I think bug 420095 is valid, and very similar to your concern here. I've cc'd you on that one.
about:blank, about:config and the like are a whole world away from http://127.0.0.1/. The former doesn't go to the network, the latter does. Even if it's just the "lo" interface, it can be a hoax (multi-user systems), can be a proxy to somewhere else (actually my home box does this... on another port, but still). But #420095 already deals with similar concerns, let's discuss the issue there.
You need to log in before you can comment on or make changes to this bug.