Bug 654914
my.msn.com - MyMSN causes security warning and mixed content warning on login
Status: RESOLVED WORKSFORME (Opened 14 years ago, Closed 10 years ago)
Categories: (Core :: Security: PSM, defect)
People: (Reporter: gingerbread_man, Unassigned)
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
The following warning pops up twice when trying to log in to MyMSN:
[Security Warning]
Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?
<Continue> <Cancel>
Reproducible: Always
Steps to Reproduce:
1. Go to http://my.msn.com
2. You get redirected to https://login.live.com/login.srf[...]
3. Enter your login info and press the "Sign in" button.
4. Security warning pops up. Click Continue.
5. The warning pops back up. Click Continue again. You've finally landed at the homepage.
This supposedly works without a hitch in Chrome, and some users have gotten it into their heads that it's some kind of anti-Microsoft conspiracy on Mozilla's part to nag users to death:
http://forums.mozillazine.org/viewtopic.php?f=38&t=2115263
I believe this is the same issue as this link describes: http://www.educause.edu/blog/jtrout/FirefoxTooSecure/164641 as I don't see the login form's submit action anywhere.
Comment 2•13 years ago
Is this still an issue? Going to http://my.msn.com/ now - and I don't get redirected anywhere. Entering & submitting login credentials on https://login.live.com/login.srf does not produce the warning either. Also, the usefulness of this message is discussed in e.g. bug 436200.
Comment 3•13 years ago (Reporter)
(In reply to Christian Kujau from comment #2)
> Is this still an issue?
Yes, though it's just the one warning now and the steps to reproduce are slightly different.
1. Go to http://my.msn.com
2. Click the "Sign In" link (currently located in the top right corner).
3. You get redirected to https://login.live.com/login.srf[...]
4. Enter your login info and press the "Sign In" button.
5. Security warning pops up. Click Continue.
6. You land back at http://my.msn.com, logged in.
Tested with Firefox 14.0.1.
Comment 4•11 years ago (Reporter)
Still an issue. Re-tested in a new profile with Firefox 29. Marking this report NEW and updating the summary. Steps to reproduce supplemented with information from the Web Console:
1. Go to http://my.msn.com
2. Click the "Sign In" link (currently located in the top right corner).
3. You get redirected to https://login.live.com/login.srf[…]. A triangle with an exclamation mark shows on the left side of the address bar. Its tooltip says, "This website does not supply identity information". The Web Console shows two mixed content warnings:
POST http://my.msn.com/customization.aspx [Mixed Content] [HTTP/1.1 200 OK 265ms]
GET http://udc.msn.com/c.gif [Mixed Content] [HTTP/1.1 200 OK 70ms]
4. Enter your login info and press the "Sign In" button.
5. Security warning pops up. Click Continue.
6. You land back at http://my.msn.com, logged in.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: my.msn.com - MyMSN homepage causes two security warnings on login → my.msn.com - MyMSN causes security warning and mixed content warning on login
Comment 5•11 years ago
Moving to desktop component.
Assignee: english-us → nobody
Component: English US → Desktop
Comment 6•11 years ago
There's still a request for c.gif tripping up Firefox's confidence in the site's security - however, the insecure image is *not* linked from the login page. It's the image that is loaded by the tracking/statistics script running on the previous page, including c.gif with some parameters to track you clicking "sign in".
I think this warning is bogus. We lower the security status of a page which doesn't actually try to load any insecure content.
Comment 7•11 years ago
Updated•11 years ago
Component: Desktop → Networking
Product: Tech Evangelism → Core
Updated•10 years ago
Component: Networking → Security: PSM
Comment 8•10 years ago
I can't reproduce this on either the original site(s) listed or the demo in comment 7.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
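The two conditions reported in this thread, a form on an HTTPS page that submits to an http:// target and http:// subresources requested by an HTTPS page, can be checked statically against a page's markup. The following is an added example, not code from the bug report or from Firefox; the hosts, the markup and the names `audit` and `InsecureTargetAuditor` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute triggers a subresource fetch (illustrative, not exhaustive).
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src"}

class InsecureTargetAuditor(HTMLParser):
    """Collects http:// targets referenced by a page delivered over https://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # tuples of (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL itself.
            self._check("insecure-form-submit", tag, attrs.get("action") or "")
        elif tag in SUBRESOURCE_ATTRS:
            ref = attrs.get(SUBRESOURCE_ATTRS[tag])
            if ref:
                self._check("mixed-content", tag, ref)

    def _check(self, kind, tag, ref):
        # Resolve relative and protocol-relative references against the page URL.
        target = urljoin(self.page_url, ref)
        if urlsplit(target).scheme == "http":
            self.findings.append((kind, tag, target))

def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # both warnings only concern pages delivered over TLS
    auditor = InsecureTargetAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample: a login page on a placeholder host, not the real MSN markup.
SAMPLE_URL = "https://login.example/login.srf"
SAMPLE_HTML = """
<form method="post" action="http://portal.example/customization.aspx">
  <input name="login"><input type="password" name="passwd"></form>
<form action="/session"></form>
<img src="http://stats.example/c.gif?evt=signin">
<img src="//stats.example/logo.png">
<script src="https://login.example/app.js"></script>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

A static check like this only sees targets present in the markup; requests issued by scripts at run time, such as the tracking request described in comment 6, show up only in the browser's Web Console or network log.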