Closed Bug 559966 Opened 16 years ago Closed 16 years ago

EV Cert vanishes if non-SSL resource accessed from page

Categories

(Firefox :: Security, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: mlavergn, Unassigned)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

This only affects the more expensive EV certificates. This problem surfaced at some point in 3.5. The problem does not exist in 3.0. Accessing a non-HTTPS image from within the HTTPS page causes the EV cert to become invalid regardless of whether the user accepts the "unencrypted information" popup.

Reproducible: Always

Steps to Reproduce:
1. Obtain an EV cert from Verisign https://www.verisign.com/ssl/ssl-information-center/ev-ssl-certificate/index.html
2. Create a basic page with an image tag served via EV HTTPS
   <html><img src="ssl_image.png"/></html>
3. With the page loaded and the green EV cert moniker in the URL bar, open the JavaScript console and execute the following:
   document.getElementsByTagName('img')[0].src = "http://www.example.com/nonssl_image.png";
4. Note that the EV cert disappears from the URL bar

Expected Results:
The EV cert should persist beyond the popup warning about requesting unencrypted information. When clicking on the un-greened cert in the URL bar, the "More information" button shows the web site identity owner as "This web site does not supply ownership information.".

This is by design. Pages which request insecure content are themselves rendered insecure - images can be replaced in transit, much worse if the resources are CSS or Javascript, which can drastically impact the appearance of the page. The EV indicator is our assurance to users that the page they are seeing is the page the site intended, and when there are insecure resource loads, that is no longer an assurance we can make. Resolving this as INVALID, not because I don't understand your confusion, but because this doesn't represent a bug in Firefox, this represents behaviour as intended.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
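
The condition described in the reply above can be checked by a site owner before a page ships. The following is an added example, not part of the original bug report or of Firefox's code: it scans the markup of an HTTPS page for subresources that would load over plain HTTP and separates the scripts, stylesheets and frames that can alter the page from images and media. The function and class names and the sample markup are assumptions, and it inspects static markup only, so a `src` changed at runtime as in step 3 is not seen.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource load. "Active" resources can
# rewrite the page; "passive" ones (images, media) are only displayed.
ACTIVE = {"script": "src", "link": "href", "iframe": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collect subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how later relative URLs resolve.
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # only stylesheet links are applied to the page
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            value = attrs.get(table.get(tag, ""))
            if value:
                resolved = urljoin(self.base_url, value.strip())
                if urlsplit(resolved).scheme == "http":
                    self.findings.append((kind, tag, resolved))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: the reporter's page with the image swapped to HTTP, plus
# an HTTP stylesheet; the protocol-relative script inherits HTTPS and is fine.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<script src="//www.example.com/app.js"></script>
</head><body><img src="ssl_image.png"/>
<img src="http://www.example.com/nonssl_image.png"/></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://www.example.com/", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```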