Closed Bug 626474 Opened 15 years ago Closed 11 years ago

Redirect after typing https URL is not subjected to the "leaving https" warning

Categories

(Core :: Security, defect)

defect
Not set
major

RESOLVED WONTFIX

People

(Reporter: Frieder.Ferlemann, Unassigned)

Details

(Keywords: sec-low, Whiteboard: [sg:low])

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.13) Gecko/20101203 SUSE/3.6.13-0.2.1 Firefox/3.6.13
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.13) Gecko/20101203 SUSE/3.6.13-0.2.1 Firefox/3.6.13

Although the warning for leaving a secure page is enabled (and is in effect once an https page has been viewed), manually typing https://freemail.web.de/ into the address field shows an http page. That specific page asks for username and password, but as it's http the user cannot be sure that/which parts of the page are protected and thus risks compromising his account. (Note: the specific page transfers the log-in data protected, but that's not the point.)

Reproducible: Always

Steps to Reproduce:
1. type https://freemail.web.de/ into the address field
2. press return

Actual Results:
http://web.de/fm is shown

Expected Results:
https://web.de/fm is to be shown. Or a warning.

Manually specifying the protocol in the address field is among the strongest interactions a user can possibly give. The 's' of https cannot be ignored if the user has enabled the corresponding warning.

Note:
> konqueror https://freemail.web.de
Version 4.5.95 (4.6 RC2)
or
> opera https://freemail.web.de
Version 11 Build 1156
also proceed without warning.
Agree that it's lame that https://freemail.web.de/ redirects to http://web.de/fm. Also agree that if the "leaving https" warning is enabled in Firefox, it should apply to this case.
Group: core-security
Component: Phishing Protection → Security
Product: Firefox → Core
QA Contact: phishing.protection → toolkit
Summary: http page instead of https shown without warning → Redirect after typing https URL is not subjected to the "leaving https" warning
Whiteboard: [sg:low]
This warning dialog is controlled by the pref security.warn_leaving_secure. Firefox 3.6 had UI for the pref, but Firefox 4 does not (removed in bug 513166).
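The check this report asks for, as an added example that is not Firefox code: a small redirect follower over a constructed response table that resolves each Location header, stops on loops and hop limits, flags the first https-to-http hop in the chain, and gates the result on a stand-in for the security.warn_leaving_secure pref. The hostnames example.test and loop.test are constructed; the web.de chain mirrors the report.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for a server: URL -> (status, Location header or None).
# The first two entries mirror the report: a typed https URL that 30x-redirects to http.
RESPONSES = {
    "https://freemail.web.de/": (302, "http://web.de/fm"),
    "http://web.de/fm": (200, None),
    "https://example.test/a": (301, "/b"),          # relative Location, stays https
    "https://example.test/b": (200, None),
    "https://loop.test/": (302, "https://loop.test/"),  # redirect loop
}

def follow(url, responses=RESPONSES, max_hops=10):
    """Return the list of URLs visited while following redirects.
    Stops on a non-3xx status, an unknown URL, a loop, or the hop limit."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        status, location = responses.get(chain[-1], (None, None))
        if status is None or not 300 <= status < 400 or location is None:
            return chain
        nxt = urljoin(chain[-1], location)  # resolve a relative Location against the current URL
        if nxt in seen:
            return chain
        seen.add(nxt)
        chain.append(nxt)
    return chain

def leaving_secure(chain):
    """Index of the first hop whose scheme drops from https to http, or None."""
    for i in range(1, len(chain)):
        if urlsplit(chain[i - 1]).scheme == "https" and urlsplit(chain[i]).scheme == "http":
            return i
    return None

def should_warn(typed_url, warn_leaving_secure=True, responses=RESPONSES):
    """Apply the pref's policy to the whole redirect chain of a typed URL.
    Returns the downgrade hop details when a warning is due, else None."""
    chain = follow(typed_url, responses)
    hop = leaving_secure(chain)
    if not warn_leaving_secure or hop is None:
        return None
    return {"from": chain[hop - 1], "to": chain[hop], "final": chain[-1]}
```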
Confirmed. Bug still exists on trunk. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:2.0b10pre) Gecko/20110119 Firefox/4.0b10pre
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: x86_64 → All
It's not Firefox 3.6.13 any more. Instead it is Firefox 14.0.1, but the issue persists. (Try misspelling a password on https://produkte.web.de/freemail-webmail/V3/ . In this specific case this may lead to the user inadvertently compromising his account without being aware of it.) Please fix or adjust principle 4 of The Mozilla Manifesto.
It's not Firefox 3.6.13 any more. Instead it is Firefox 18.0, but the issue persists.
It's not Firefox 3.6.13 any more. Instead it is Firefox 28.0, but the issue persists.
It's not Firefox 3.6.13 any more. Instead it is Firefox 35.0, but the issue persists.
The dialog that implemented this functionality was removed in bug 799009. It's unlikely it will be added back in, since it's disruptive and in many cases the user will have no meaningful action to take in response to it. Something like bug 1041087 is probably a better way to inform the user of the (in)security of a page without disrupting them in their task.
WONTFIX (moot) per comment 8
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
It's not Firefox 3.6.13 any more. Instead it is Firefox 45.0, but the issue persists. Bug 1041087, which was filed a few years after this report, also has seen no update for over a year, so I might just as well continue here. I suggest the following approach: a) read the thread b) assume user perspective c) read principle 4 of https://www.mozilla.org/en-US/about/manifesto/ d) yes, if e.g. only one of hundred logins to an email account is tinkered with, an account is effectively compromised e) react on a) to d). Note, closing this report is not an option as this report is already closed.