Closed Bug 535814 Opened 16 years ago Closed 9 years ago

Spurious security warning? Secure page contains some insecure info. A third party may easily read information you read/enter. SSL provider says Firefox 3.5 bug.

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: reescf, Unassigned)

References

(
URL
)

Details

(Whiteboard: [psm-padlock])

Attachments

(1 file)

source of the page
25.81 KB, text/html
Details
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; cy; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; cy; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 When transferring to the secure site https://secure.actinicsecure.com/cgi-bin/sp000001.pl from http://www.moom-uk.com/cgi-bin/os000009.pl, the following security warning appears: "Rydych wedi gwneud cais am ddogfen ddiogel sy'n cynnwys peth gwybodaeth anniogel. Mae'n hawdd i drydydd parti ddarllen gwybodaeth rydych yn ei ddarllen neu ei rhoi ar y dudalen hon." Roughly translated: "You have made a request for a secure document which includes some insecure information. It is easy for a third party to read information which you read or enter on this page." Thank you. I have been told by the company who provide SSL services to Moom that this warning reflects a bug in Firefox 3.5 and that the page is perfectly secure. Since it is requesting credit card details, this is obviously crucial. Reloading the page does not trigger the warning again but going back to the referring page (which automatically forwards to the secure site again) does. The referring page is http://www.moom-uk.com/cgi-bin/os000009.pl. I apologise if this is a duplicate bug. I *did* search and there are a couple of bugs which might be related but my knowledge of html (not to mention javascript) just isn't good enough to tell. Reproducible: Always Steps to Reproduce: 1. Visit http://www.moom-uk.com/cgi-bin/os000009.pl (with FF set to allow forwarding) 2. Observe warning Note: it may be necessary to do the following first: 0. Visit http://www.moom-uk.com/, choose something to "buy" and initiate checkout. (In this case, you may need to provide contact details etc. These need not be genuine. The warning appears as the page where you enter credit card details loads so there is no need to enter these in order to observe the warning message.) Actual Results: Warning message as quoted/translated above appears. Expected Results: If the warning is the result of a bug in FF 3.5 as the SSL providers claim, it shouldn't appear.
(In reply to comment #0) > Note: it may be necessary to do the following first: > 0. Visit http://www.moom-uk.com/, choose something to "buy" and initiate > checkout Confirmed, after initiating a bogus checkout at moom-uk, as directed. (I don't actually get the warning popup, because I've told Firefox not to warn me about this issue -- but I can bring up a similar warning by clicking the page's Favicon, which says "Your connection to this site is only partially encrypted, and does not prevent eavesdropping".) As far as I know, this warning usually means that e.g. an HTTPS page uses HTTP-urls for images, stylesheets, or scripts. (which could potentially comprimise the security of the page.) In this case, I'm not sure what the problem is, though. Looking at the page's source, I don't see any HTTP URLs.
OS: Mac OS X → All
Hardware: PowerPC → All
Version: unspecified → Trunk
Attached file source of the page
Here's the source of the page that triggers this.
Sid -- do you know why we're hitting this? (I tend to doubt that this is a Firefox bug, but I don't immediately see what's causing it. So, I defer to someone with more knowledge of HTTPS :))
There was a bug with data: URIs causing the error, see bug 477118, but that was fixed in Firefox 3.5.4.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Yeah, this source doesn't have data URLs afaict, and a reload (with repost) fixes it. Maybe redirect messiness? Over to kai/rrelyea in PSM.
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
I also saw the error, but only the first time I hit the URL. Firebug's net panel says that the secure page causes a request for http://www.moom-uk.com/acatalog/sitemap2.gif, and such an unencrypted load would trigger mixed-content UI -- including that error. That is also why Larry doesn't show blue security info in the URL bar. Now, having said that, I can't figure out how that image load is being triggered. I'm still looking into it, but it seems odd since there's not much script on the page, no CSS to speak of and no image tags either.
Turns out that the insecure site redirecting to that secure site does some image pre-loading, including that sitemap2.gif URL. The redirect to the secure site is done via form.submit() which begins just before the images start preloading. Maybe there is some weirdness that thinks the images preloaded in the JS environment belong to the new HTTPS page?
There was a bug a while ago where loads that happened as we left the previous page affected the current page's security context incorrectly - and the page that redirects to this one does load sitemap2.gif, as sid mentions. I bet boris remembers where that bug is.
You're probably thinking of bug 492358. The submit() happening before the preloads should be ok: we should be canceling the preloads once we get the response back from the server. Is that not happening? Can someone do a log similar to that done in bug 492358?
I guess it's possible that the image loads are canceled but still counted against the new page somehow. Someone who understands the security UI logic should look into that. That said, the site in general is not in fact secure: anyone could mitm the http part and redirect to an https server of their choice. Since the https server is not in fact something the user expects (in particular its hostname is not related to the shopping site in any way), they have no way to tell that they're giving them the credit card info to the wrong people...
Assignee: kaie → nobody
Whiteboard: [psm-padlock]
Using: Windows 7, FireFox 3.6.6 This is also happening to our site http://subscribe.elle.com If you click on the subscribe button and move your mouse away from the button the checkout page indicates that it is insecure but after checking everything in the page all of them are secure. BUT! If you click on the subscribe button and not move you mouse pointer the checkout page comes out secure. Hope this helps!
Confirmed the behavior described in comment comment 11, on my trunk nightly (2 days old): Mozilla/5.0 (X11; Linux i686; rv:2.0b5pre) Gecko/20100823 Minefield/4.0b5pre
I can't reproduce this on either of the test URLs. If anyone has a currently-available testcase, please reopen this bug.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: