Closed Bug 434734 Opened 17 years ago Closed 14 years ago

Failure to indicate HTTPS encryption

Categories

(Firefox :: Security, defect)

x86
Linux
defect
Not set
major

RESOLVED INCOMPLETE

People

(Reporter: hadmut, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5) Gecko/2008050509 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5) Gecko/2008050509 Firefox/3.0b5

Hi, I am using an (internal) website which has a valid certificate issued by a valid self-made CA. However, for reasons of privacy, the certificate contains as little information as possible, i.e. the CN is like C=DE, CN=hostname.domain.de. Should be valid.

But although Firefox accepts this certificate and uses HTTPS without complaining, it still shows a white background in the URL field (https://...) and if you click on the symbol on the left side of the URL field, a small window with the symbol of an immigration officer appears telling "Your Connection to this web site is not encrypted" although it is.

Thus, it makes it difficult for the user to tell encrypted web sites from unencrypted ones and easier for the attacker to substitute encrypted web sites with unencrypted ones, because both appear as unencrypted.

Reproducible: Always

Steps to Reproduce:
1. Generate CA and certificate with just C=DE and CN=hostname
2. Install on Apache
3. Run Firefox
Why is this bug report hidden? Can it cause Firefox to load a MITM'd https: site without complaining, or does this *only* happen with valid certs?
Is it possible some of the content on the page is not encrypted, causing "mixed" mode? Look at the lock icon in the status bar and see if it's 'broken'. If you click on the 'more information' button on the 'Larry' dialog the "Technical Details" section should say "Connection Partially Encrypted". If we thought the cert itself was invalid we would simply block access to the site. Hard for us to diagnose further unless you let us access your site to see what's going on, but that's my best guess.
I hear that FF3 has done away with many of the classic SSL indicators. No more yellow, no more lock icon. Is that the explanation of this bug? I've seen FF3 screen shots of https sites with ordinary DV certs from built-in CAs that I could not tell were using SSL. My mother certainly could not tell that SSL was in use if she was faced with those screen shots. I discommend the use of any products whose SSL indicators are ambiguous. I see no reason for this to be "security sensitive".
(In reply to comment #3)
> I hear that FF3 has done away with many of the classic SSL indicators.
> No more yellow, no more lock icon. Is that the explanation of this bug?

The lock still appears in the status bar, and the "identity button" area changes colors when SSL is in use.
Gavin, is that true in the release candidate? I have read recent postings (posted in the last 24 hours) in the newsgroups that say that the lock is gone, and that there is a "favicon" that can be spoofed by a web site.
Nelson, see bug 430790 and bug 431495. Let's keep this bug focused on why Hadmut's site says "Your Connection to this web site is not encrypted" despite the protocol being an https. Fwiw, I see the same on https://www.squarefree.com/ (which contains mixed content), so dveditz's theory in comment 2 is quite plausible. Is it intentional that the message in the Larry panel is "Your Connection to this web site is not encrypted" rather than something more specific?
If the behavior for mixed-content sites is to deny any use of https in the UI, that's going to cause people to say "this site is secure with IE but not with FF3". You know what effect that will have on users.
The identity UI does present the same string for mixed content as for unencrypted content. I don't think that's a particular departure from Firefox 2, which didn't turn the address bar yellow for mixed content, but it would be nice to have a different string in there nonetheless - I've filed bug 435035 to track that issue. The padlock in the status bar should still indicate mixed content, as should the "More Information" dialog (aka Page Info). Hadmut - does your status bar icon, or page info, confirm that the page is "partially encrypted"? That is, that it mixes https and http content? Unhiding this, since I am basically positive that this is a UI confusion and not, e.g., a failure in our crypto code.
Group: security
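The check Johnathan and dveditz ask for above, whether the https page pulls in any sub-resource over plain http, can be made from the page source before opening the Page Info dialog. The following is an added Python example and not part of the bug report or of Firefox; the sample HTML and the hostnames in it are constructed, and the active/passive split is the example's own classification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose fetched resource runs or controls the page (active content)
# versus content that is only rendered (passive). Constructed classification
# for this example; browsers treat active mixed content more strictly.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}

class MixedContentScanner(HTMLParser):
    """Collect sub-resources of an https page that are fetched over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = None
        if tag in ACTIVE_TAGS or tag in PASSIVE_TAGS:
            url = attrs.get("src") or attrs.get("data")
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url = attrs.get("href")
        if not url:
            return
        # Resolve relative and protocol-relative references against the page URL;
        # "//host/x" inherits https from the page and is therefore not mixed content.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS or tag == "link" else "passive"
            self.findings.append((kind, tag, absolute))

def scan_mixed_content(page_url, html):
    """Return the http:// sub-resources referenced by an https page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: served over https but pulling two resources over http.
SAMPLE_URL = "https://hostname.domain.de/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://hostname.domain.de/style.css">
<script src="/js/app.js"></script>
</head><body>
<img src="http://static.example.test/logo.png">
<img src="//hostname.domain.de/secure.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

A page with any finding is what the Larry panel of this era reports as "not encrypted"; an empty result means the indicator problem lies elsewhere.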
(In reply to comment #5)
> is that true in the release candidate?

Yes, the lock icon in the status bar is still there.
Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE