favicon (Instant Web Site ID) randomly displays wrong information (is not updated) regarding SSL certificate while switching from http to https within the same domain

Status: UNCONFIRMED
Assignee: Unassigned
Product: Firefox
Component: Security
Priority: --
Severity: critical
Reported: 9 years ago
Modified: 2 years ago
Reporter: ribbon
Version: 3.5 Branch
Points: ---
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 9 years ago)
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

On some websites, if you click a link that redirects to an SSL version of the site, the favicon in the address bar (identity overview) will not be updated and still displays "This web site does not supply identity information. Your connection to this web site is not encrypted." with the padlock icon displaying "warning: contains unauthenticated content", even though the connection is encrypted and the certificate is valid. It looks like the favicon information is not getting updated.

This is random, but the probability of it occurring is very high.

It can be simulated by accessing, for example, http://www.google.com/ig?hl=en and then adding "s" to the URL: https://www.google.com/ig?hl=en

I have simulated this also by switching between http and https on http://www.microsoft.com/en/us/default.aspx?pf=true

Refreshing while in ssl usually helps.

This affects many pages, including bank pages like http://www.citibank.com/us/home.htm (where you just need to click to sign on), thus I believe it is critical.

Reproducible: Sometimes

Steps to Reproduce:
1. go to http://www.google.com/ig?hl=en
2. switch to SSL by changing the protocol to https, like https://www.google.com/ig?hl=en
3. sometimes the favicon is not updated and the padlock is showing a certificate issue
Actual Results:
The favicon in the address bar (identity overview) will not be updated and still displays "This web site does not supply identity information. Your connection to this web site is not encrypted." with the padlock icon displaying "warning: contains unauthenticated content"

Expected Results:  
The favicon should display "your connection to this web site is encrypted to prevent eavesdropping"

This is valid for version 3.5.x, previously there was no such case.
It will not appear while going to an SSL page within the same domain but a different subdomain.

Comment 1

Do you have a URL that exhibits this problem? The one supplied in the URL field does indeed indicate an insecure connection (despite https), but that is because it is mixing SSL and non-SSL content, and the result cannot be trusted as having any integrity, since the http portions may have been intercepted or altered. If this is the behaviour you're describing, then this bug is a duplicate of bug 435035.

Comment 2

9 years ago
If the area around the favicon does not turn blue that means that there are some non-ssl items included on the page. For example on iGoogle's page there are several images including http://img0.gmodules.com/ig/images/v2/ico_sprite_classic.gif that are not served from https. Similar is true of microsoft.com http://i3.microsoft.com/en/shared/templates/components/cspMscomHeader/m_head_blend.png. I have no such issue when clicking on the green citibank sign-in link on the upper right.

Using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a2pre) Gecko/20090814 Namoroka/3.6a2pre
Version: unspecified → 3.5 Branch
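A small scanner for the condition comment 2 describes, added here as an example (it is not code from the bug thread or from Firefox): given the HTML of a page served over https, it lists the sub-resources fetched over plain http, which are what keep the identity box from turning blue. The sample HTML is constructed for illustration; the page URL and resource paths in it are assumptions.

```python
# Added example, not from the bug report: a mixed-content scanner. It lists the
# http:// sub-resources embedded in a page served over https (comment 2).
# Sample HTML below is constructed; it only resembles the iGoogle case.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that load sub-resources, per element. Anchors (href on <a>) are
# navigations, not mixed content, so they are deliberately excluded.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "object": ("data",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        for name in RESOURCE_ATTRS.get(tag, ()):
            for attr, value in attrs:
                if attr == name and value:
                    # Resolve relative and protocol-relative ("//host/x") URLs
                    # against the page URL before checking the scheme.
                    absolute = urljoin(self.page_url, value.strip())
                    if urlsplit(absolute).scheme == "http":
                        self.insecure.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return [(tag, absolute_url), ...] for every http:// sub-resource."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure

# Constructed sample: one https stylesheet, one protocol-relative script,
# one plain-http image (the gmodules sprite named in comment 2), one link.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/style.css">
<script src="//www.google.com/js/app.js"></script>
</head><body>
<img src="http://img0.gmodules.com/ig/images/v2/ico_sprite_classic.gif">
<a href="http://www.google.com/ig?hl=en">plain link (navigation, not a resource)</a>
</body></html>
"""
if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.google.com/ig?hl=en", SAMPLE_HTML):
        print(f"insecure <{tag}> resource: {url}")
```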
(Reporter)

Comment 3

9 years ago
Now I went to http://www.citibank.com/us/home.htm, then clicked "sign on", then clicked the back button in the browser, then "sign on" again, and there you go: the blue surrounding is gone and I'm getting "This web site does not supply identity information"; click refresh and it is fine. Try clicking back and "sign on" a couple of times, switching from http to https. I have looked at the HTTP requests, and after https://online.citibank.com/US/JPS/portal/Index.do (the sign-on page) there was only SSL content and no HTTP objects.
(Reporter)

Comment 4

9 years ago
Since in many cases, after coming from a non-SSL (HTTP) page to an encrypted page (HTTPS) within the same domain, the favicon is not updated (stuck in a previous state somehow), a proven workaround is to introduce an intermediate HTTPS page with a redirection to whatever was the target URL, as this issue will never occur if you are switching from one HTTPS page to another HTTPS page. The redirection will not be noticeable by a visitor (it can be a JavaScript redirection inside a blank page). But that is just a workaround and doesn't change the fact that the issue remains.

Comment 5

8 years ago
I have the same problem on my ecommerce website, which has payment pages. When the problem occurs I refresh the page and then everything is okay. My certificate is SSL123. I talked with technical support from Thawte. They said that "your website does not supply any identity information = Firefox's way of saying the site has a basic SSL123 certificate. To get rid of that message you need to buy a full Extended Validation certificate. That is not our wording but Mozilla's wording for Firefox."

Comment 6

(In reply to comment #5)
> I have the same problem on my ecommerce website which has payment pages. When
> problem occurs I refresh page then everything is okey. My certificate is
> SSL123. I talked with technical support from Thawte. they said that "your
> website does not supply any identity information = Firefox's way of saying the
> site has a basic SSL123 certificate. To get rid of that message you need to buy
> a full Extended Validation certificate. That is not our wording but Mozilla's
> wording for Firefox."

"This website does not supply any identity information" is the text that is only used for http (unsecured) connections, or connections with broken SSL (e.g. mixing https and http content). When a site supplies a basic DV SSL certificate, the identity box says (using Bugzilla as an example):

You are connected to: mozilla.org which is run by (unknown). Verified by Equifax. 
Your connection to this web site is encrypted to prevent eavesdropping.

You do not need to buy an EV certificate to get that display.

Comment 7

8 years ago
> 
> You are connected to: mozilla.org which is run by (unknown). Verified by
> Equifax. 
> Your connection to this web site is encrypted to prevent eavesdropping.
> 
> You do not need to buy an EV certificate to get that display.

When I refresh the page, it writes "your connection to this web site is encrypted to prevent eavesdropping." If my connection is insecure (http) or has broken SSL, when I refresh the page it should not write that.

Are you sure about the certificate?

You can try that:
https://secure.genpatech.com/_hizli_al