Closed
Bug 63095
Opened 24 years ago
Closed 24 years ago
Submitting form with https action from http page brings up a "the information you submit is insecure" dialog
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
VERIFIED
WONTFIX
People
(Reporter: bzbarsky, Assigned: ddrinan0264)
References
()
Details
Attachments
(2 files)
|
664 bytes,
patch
|
Details | Diff | Splinter Review | |
|
720 bytes,
patch
|
Details | Diff | Splinter Review |
BUILD: linux 2000-12-05-08
STEPS TO REPRODUCE:
1) Make sure you have the warning for insecure form submissions turned on.
2) Go to any http:// site that has a form with an https:// action. The Amazon
login page at
http://www.amazon.com/exec/obidos/flex-sign-in/105-1341200-5430310?opt=a&page=help/ya-sign-in-secure.html&response=order-list&method=POST&return-url=order-list
is a good example.
3) Submit the form.
ACTUAL RESULTS:
The "any information you submit is insecure" dialog pops up.
EXPECTED RESULTS:
Form results sent to https:// url with no warning dialogs.
COMMENTS:
It looks like Mozilla uses the secureness of the page instead of that of the
ACTION attribute to determine whether to pop up the dialog.
|
Reporter | |
Comment 1•24 years ago
|
||
Note: I also see this in a 2000-12-15 linux CVS build
|
||
Comment 2•24 years ago
|
||
|
|
Reporter | |
Comment 3•24 years ago
|
||
adding keywords, changing bug status to new
|
|
Reporter | |
Comment 4•24 years ago
|
||
over to security
Assignee: neeti → mstoltz
Component: Networking → Security: General
QA Contact: tever → ckritzer
|
||
Comment 5•24 years ago
|
||
Looks like incorrect behavior. Over to crypto.
Assignee: mstoltz → ddrinan
Component: Security: General → Security: Crypto
QA Contact: ckritzer → junruh
|
||
Comment 6•24 years ago
|
||
*** This bug has been marked as a duplicate of 59499 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
|
|
Reporter | |
Comment 7•24 years ago
|
||
This is different from bug 59499 in that that one talks about going to an
insecure page while this one talks about submitting an insecure form...
In this case, there is an incorrect dialog saying the submission is insecure
followed by a correct dialog that says you are entering a secure site. The two
dialogs are created at different places in the code...
Also, this bug has a patch that fixes it and only needs review. This patch
affects bug 59499 not at all.
I'm reopening this; junruh, could you please explain why it's a duplicate of bug
59499 if you decide to resolve it as duplicate again? Thanks.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
|
||
Comment 8•24 years ago
|
||
Bug 59499 involves any use of JavaScript to submit a secure form. The page can
be secure and the form secure, but if the form is submit using JavaScript you
will get the warning that you are leaving a secure site.
|
|
Reporter | |
Comment 9•24 years ago
|
||
|
||
Comment 10•24 years ago
|
||
r=javi on latest patch.
|
||
Comment 11•24 years ago
|
||
I believe the current behavior is correct. If the form was obtained insecurely,
then an attacker could modify it to control what the user later submits over
http. Consider an order form, where the attacker passes through the user's
credit card and billing address, but causes a fixed attacker-specified string to
be submitted as the shipping address.
|
|
||
Comment 12•24 years ago
|
||
More simply, an attacker could change the protocol and domain part of the URL to
which the form is submitted to point to an https server the attacker controls.
|
|
Reporter | |
Comment 13•24 years ago
|
||
Good point, John. Marking wontfix based on that.
Status: REOPENED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → WONTFIX
|
|
||
Comment 15•23 years ago
|
||
Mass changing Security:Crypto to PSM
Component: Security: Crypto → Client Library
Product: Browser → PSM
Version: other → 2.1
|
|
||
Comment 16•23 years ago
|
||
Mass changing Security:Crypto to PSM
|
||
Comment 17•23 years ago
|
||
See also bug 96556, the warning message for http->https form submission says
the data is being submitted in "clear text".
|
|
Reporter | |
Comment 18•23 years ago
|
||
*** Bug 115048 has been marked as a duplicate of this bug. ***
|
||
Comment 19•23 years ago
|
||
Anyway the behaviour of Mozilla is confusing. A different dialog should
be shown, saying that there is an access to a secure web page from an
insecure one, which is insecure.
I think that the bug should be reopened.
|
|
||
Comment 20•23 years ago
|
||
A dialog box saying,
"Verify that the target URL, https://..... is correct"
would be perfect. If the target URL is correct, there is no security problem
with the source page.
|
|
Reporter | |
Comment 21•23 years ago
|
||
That would be insufficient. See comment 11.
|
|
||
Comment 22•23 years ago
|
||
Thanks, in addition the dialog box could post the values posted.
Warning: posting to a secure web site from a secure page.
Check the page https:/..... and the values :
var1= ...
var2= ...
are correct.
|
|
Reporter | |
Comment 23•23 years ago
|
||
Um... on the average this would make the dialog not fit on a 600x800 screen.
Forms post a _lot_ of hidden values, typically.
At that point users would simply turn off this warning to avoid getting
screen-sized dialogs when they submit forms.
|
|
||
Comment 24•23 years ago
|
||
Anyway, it is important that the warning is not the same as the one shown
when the target URL is not https. The user should know that Mozilla is not
buggy. :-).
|
|
||
Comment 25•23 years ago
|
||
Replay to comment #23:
The dialog box can be well designed. For example, it can contain a button
"show form parameters>>" that when you press it it expands the dialog to
showing the list of parameters in a scrolled list.
|
|
||
Comment 26•23 years ago
|
||
A dialog with a complicated "show form parameters" button does not strike me as
being well designed.
The ultimate goal of the dialog box is to get the server maintainers to fix
their security.
|
|
||
Comment 27•23 years ago
|
||
In replay to comment #26
I think that it is the best thing that you can do for the user.
In addition, you can tell the user that the web page should be
better designed. But it might be difficult of long to get the page
changed. In the meantime, you should help the user.
With the present behaviour, the user sees that the web page works
fine in Internet Explorer and think that it is either a bug in
Mozilla or a web page that requires Internet Explorer. (This is
what my Ph D supervisor thought after he installed Netscape 6.2
at home).
|
|
||
Comment 28•23 years ago
|
||
The wording of the dialog box should not imply that the site is even partially
secure. Nor is it reasonable to expect the user to make such a complicated
security decision.
It might be reasonable to expand the description of the security threat, but
that increases the risk that the user won't read the dialog box at all.
|
|
||
Comment 29•23 years ago
|
||
Although you are technically right, such attack requires domain hihacking,
which is very difficult.
The most frequent case is the portal of a service, where after typing a user
and a password the user enters the https secure zone. In cases like this, the
user can fix the problem himself by adding a "s" after http
in the address text box and then type enter to load the page again.
Probably Mozilla should advise the user to do this.
|
||
Comment 30•23 years ago
|
||
*** Bug 96556 has been marked as a duplicate of this bug. ***
|
|
Reporter | |
Comment 31•23 years ago
|
||
*** Bug 143418 has been marked as a duplicate of this bug. ***
|
|
Reporter | |
Comment 32•23 years ago
|
||
*** Bug 145555 has been marked as a duplicate of this bug. ***
|
||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•