Closed Bug 433910 Opened 16 years ago Closed 1 year ago

Secure site redirects to insecure site without a warning message

Categories: Core :: Security, defect
Platform: x86, Windows Vista
Status: RESOLVED WORKSFORME
People: Reporter: greg-mozilla-bugzilla, Unassigned

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14

Reproducible: Always

Steps to Reproduce:
Type https://www.royalmail.com/ into the location bar.

Actual Results:
Location bar changes to http:..., and a page is displayed, with no security warnings or other indication that the browser has not fulfilled the original intention.

Expected Results:
Some kind of warning. IE (7.0.6000.16643) produces an "entering secure site" warning followed by a "leaving secure site" warning.

I wouldn't propose the above IE behaviour if successful HTTPS authentication never occurs; that would be misleading. But there should be some POSITIVE indication that the browser did not do what the user intended. The lack of lock icon, etc., is only a negative indication and its usefulness in this case presupposes that the user remembers it should have happened.
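The reporter's scenario (typing an https:// address and silently ending up on an http:// page) is something a defender can check for outside the browser by walking the redirect chain and flagging any hop where the scheme drops from https to http. The following script is an added example for this thread, not Mozilla code and not part of the bug report. It resolves redirects through a pluggable fetch function, so it runs offline against a constructed response table; the `SAMPLE_RESPONSES` entries, `example.test` and `loop.test` hosts, and the Location values are all made up for the example, and the `.test` domains are reserved names that never resolve. A real fetcher would issue HEAD/GET requests with redirects disabled and read the Location header itself.

```python
"""Detect HTTPS -> HTTP downgrades in a redirect chain.

Added example for bug 433910; not Mozilla code. The fetch function is
pluggable so the chain walker can be exercised offline against a
constructed response table that mirrors the reporter's scenario.
"""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_STATUSES = (301, 302, 303, 307, 308)

# Constructed response table: url -> (status, Location header or None).
# These are made-up responses for the example, not recorded traffic.
SAMPLE_RESPONSES = {
    "https://www.royalmail.com/": (302, "http://www.royalmail.com/"),
    "http://www.royalmail.com/": (200, None),
    "https://example.test/login": (301, "/account/login"),
    "https://example.test/account/login": (200, None),
    "https://loop.test/a": (302, "https://loop.test/b"),
    "https://loop.test/b": (302, "https://loop.test/a"),
}


def sample_fetch(url):
    """Return (status, location) for a URL from the constructed table.
    Unknown URLs are treated as a plain 200 with no redirect."""
    return SAMPLE_RESPONSES.get(url, (200, None))


def follow_redirects(url, fetch=sample_fetch, max_hops=MAX_HOPS):
    """Return the list of URLs visited, starting with `url`.

    Relative Location values are resolved against the current URL, as a
    browser would. Raises RuntimeError if the chain exceeds max_hops, which
    also catches redirect loops.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError(f"more than {max_hops} redirects starting at {url}")


def find_downgrades(chain):
    """Return (hop_index, from_url, to_url) for every hop where the scheme
    drops from https to http. This is the event the reporter wanted a
    positive warning for; the slashed-lock icon is only a negative signal."""
    downgrades = []
    for i in range(1, len(chain)):
        before = urlsplit(chain[i - 1]).scheme.lower()
        after = urlsplit(chain[i]).scheme.lower()
        if before == "https" and after == "http":
            downgrades.append((i, chain[i - 1], chain[i]))
    return downgrades


def check(url, fetch=sample_fetch):
    """Resolve `url` and report whether the final destination lost TLS."""
    chain = follow_redirects(url, fetch)
    downgrades = find_downgrades(chain)
    return {
        "final_url": chain[-1],
        "hops": len(chain) - 1,
        "downgraded": bool(downgrades),
        "downgrades": downgrades,
    }


if __name__ == "__main__":
    for start in ("https://www.royalmail.com/", "https://example.test/login"):
        result = check(start)
        verdict = "DOWNGRADE" if result["downgraded"] else "ok"
        print(f"{start} -> {result['final_url']} ({result['hops']} hops) [{verdict}]")
```

Note that `find_downgrades` inspects every hop, not just the first and last URL: a chain that goes https -> http -> https still passed the request over plaintext once, which the slashed-lock icon on the final page would not reveal.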
Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
For information: this was still not addressed at Firefox 48. Firefox 51 shows a crossed-out lock warning for the above site, and more generally for any HTTP "login page". See http://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords I'm not sure how login page is defined, but I don't think it addresses the general case of HTTPS redirecting to HTTP, since the above icon is not shown for HTTP in general. Reopening.
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---

Hi Greg,
Do you consider this issue to be still relevant in the latest Firefox version? Right now, any insecure site (http) will have the crossed lock icon on the left side of the address bar to indicate the security level along with the insecure dropdown displayed on all fields that can be autofilled by Firefox Form Autofill. Also, the link you provided no longer redirects from https to http, do you have any other site examples that show this behavior?

Flags: needinfo?(greg-mozilla-bugzilla)

Redirect a needinfo that is pending on an inactive user to the triage owner.
:dveditz, since the bug has high severity, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(greg-mozilla-bugzilla) → needinfo?(dveditz)

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --

We have other bugs that suggest changing the badging on insecure sites. That's independent of redirects. You can play with the prefs security.insecure_connection_text.enabled and security.insecure_connection_icon.enabled if you want. The latter has been enabled by default since Firefox 70 or so (Timea mentioned it in comment 3).

We have implemented an opt-in "HTTPS Only" mode that prevents these redirects, and are working on shipping "https first" by default that tries to make insecure loads less common without being as dogmatic as "HTTPS Only". Both are independent of redirects.

A secure address the user types could redirect to another secure BUT UNWANTED or MALICIOUS site as easily as it could redirect to a merely insecure one. Unfortunately users need to stay on the ball and check their ultimate destination (typos when entering URLs are common, and "typo squatting" domains exist to take advantage of that).

The "bare minimum" of "a warning message" is now implemented with the slashed-lock icon. I hope we switch to the more noticeable "Not Secure" text in the future.

Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago → 1 year ago
Flags: needinfo?(dveditz)
Resolution: --- → WORKSFORME
See Also: → 1562881