Closed Bug 82736 Opened 24 years ago Closed 24 years ago

Secure site sometimes doesn't appear locked

Categories

(Core Graveyard :: Security: UI, defect, P1)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Platform:
x86
All
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED DUPLICATE of bug 85211
Milestone:
psm2.0

People

(Reporter: curt, Assigned: ddrinan0264)

References

Details

(Whiteboard: Need a=)

Attachments

(1 file)

Patch to fix problem. The fix is for nsHttpConnection to save security info on transaction complete. Need review.
1.66 KB, patch
Details | Diff | Splinter Review
The first time you visit some secure sites no warning dialog is presented and the lock icon doesn't appear locked. Shift reload does make the correct behavior happen, however. We confirmed this on Windows and Linux but it seemed to work okay on Mac. Maybe random?
dup of bug 80468?
This doesn't seem to be the same thing. The behavior I'm seeing is somewhat random and appears to be occurring even after Tracy verified that bug 80468 is fixed.
Summary: Secure site doesn't appear locked → Secure site sometimes doesn't appear locked
->Crypto
Assignee: mstoltz → ddrinan
Component: Security: General → Security: Crypto
QA Contact: ckritzer → junruh
This sounds fairly serious. junruh - are you seeing this on any of your testing? curt - if you revisit those same sites where you had problems, did the problem persist? Wondering if it's random on subsequent runs of the same URL. I think we should investigate this for 0.9.1.
Severity: normal → major
We found in the 6.0 release that this matters. If we don't show the lock item then people won't use their shopping sites. The lock item has to be as close to 100% correct as we can make it. Marking m.9.1 (on behalf of the PDT but without prior consultation :-)
Target Milestone: --- → mozilla0.9.1
Is there a test case for this bug? There are numerous lock icon bugs, including bugs 64367 76168 and 76364. There's also a problem with frames and with the image cache. This bug could be a duplicate of any of them.
thanks, John. Curt - can you attach the URL of the site you were looking at
Perhaps this is random? I loaded https://digitalid.verisign.com and got the lock icon displayed. win32 build 2001052504
*** Bug 82437 has been marked as a duplicate of this bug. ***
A reproducible testcase is to go down the list on http://junruh.mcom.com/ciphers.html . Before long, as you visit these secure sites, you will see that the lock is unlocked.
Using Linux Build ID 2001052908 and junruh's http://junruh.mcom.com/ciphers.html Clicking on any of the links in the "SSL2" and "SSL3" lists, and choosing "Accept this certificate temporarily for this session only" when prompted results in icon not being locked. SSL3 Step Up Cert -> locked. TLSv1 capable server -> locked. TLSv1 intolerant server -> (using "Enable TLS" in prefs) Does not load. TLSv1 intolerant server -> (disabling TLS in prefs) loads, locked. TLSv1 only server -> TLSv1 only server -> (disabling TLS in prefs) does not load. No error dialog. -> (using "Enable TLS" in prefs), accepting cert temporarily. not locked.
https://login.yahoo.com/ - both the lock and Page Info act as if it was a non-secure URL. Build Id 2001052819 on RedHat Linux 7.1
Add thayes to cc-list. The problem is that the nsHttpConnection object is freeing the transport (and security) info when the transaction has completed *and* the server has not requested keepalive. PSM then asks for the security info on the doc loaded and gets back nothing cause necko has thrown away that information. As a result, PSM the determines that the doc in not secure. We must figure out a calling sequence between necko and PSM to in order to fix this problem. The sequence of calls is as follows: 1. nsHttpConnection::CreateTransport() This create the secure transport and sets mSocketTransport. 2. nsHttpConnection::OnTransactionComplete() Here is a snippet of code from this method. if (!mKeepAlive || NS_FAILED(status)) { // if we're not going to be keeping this connection alive... mSocketTransport->SetReuseConnection(PR_FALSE); mSocketTransport = 0; } If the server does not request keepalive, then mSocketTransport is set to 0. 3. nsHttpConnection::GetSecurityInfo() Since mSocketTransport is 0, then no security info can be returned and the document is regarded as non-secure.
adding some necko guys to the cc list. is there any help you need from them?
See the (somewhat opposite) example of the security info not being communicated properly in bug #83193 - ``"Back" button does not clear the "Page Info" security status''
PSM
Component: Security: Crypto → Client Library
Product: Browser → PSM
Version: other → 2.0
ddrinan: do you have an updated status on this? Thanks.
Whiteboard: Need r=
*** Bug 83435 has been marked as a duplicate of this bug. ***
looks good to me. sr=darin
Whiteboard: Need r= → Need a=
Just found out that my patch still does not work in all cases. I'll keep trying.
This bug requires some more analysis and work. After discussing this with Phil Peterson, Bob Lord and Javi, we decided to move this bug to 0.9.2. If we come up with the an acceptable solution early next week, we'll try to get it in for 0.9.1. -> mozilla0.9.2.
Target Milestone: mozilla0.9.1 → mozilla0.9.2
In thinking of 0.9.1 release notes (for our users), is there some way for them to check if the site is secure besides the lock icon? I'd like to ensure the user that if they come to a secure site/transaction, the secure icon may show unlocked, but the user can go to a dlg or some place to check for true state. Thanks.
*** Bug 84487 has been marked as a duplicate of this bug. ***
ddrinan: should we dup this lock icon bug to one of the PDT+ lock icons? Are the good part of the patch included here part of the patch for the PDT+ bugs? In any case: Must be fixed for PSM2.0 / 0.9.2 Target -> 2.0 P1
Priority: -- → P1
Target Milestone: mozilla0.9.2 → 2.0
This was fixed in necko instead. Marking dup of 85211. *** This bug has been marked as a duplicate of 85211 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
Verified dupe.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: