Open Bug 892797 Opened 11 years ago Updated 2 years ago

UI for HTTPS page containing content for which the user has overridden an otherwise-invalid cert

Categories

(Firefox :: Security, defect)

x86
macOS
defect

People

(Reporter: tanvi, Unassigned)

Details

An HTTPS site includes an HTTPS resource.  The HTTPS resource requires a cert exception.  Assume the user has stored a cert exception for the HTTPS embedded resource.  What should the UI look like?


-------- Original Message --------
Subject: [External:MB-SecIssues] Insecure inlines on secure pages
Date: Mon, 24 Jun 2013 17:34:22 +0200
From: Sigbjørn Vik <sigbjorn@opera.com>
Reply-To: mb-secissues@list.opera.com
Organization: Opera Software
To: mb-secissues@list.opera.com <mb-secissues@list.opera.com>

Hi all,

While testing how Opera 15 (based on Blink) deals with insecure inlines on
secure pages, I came across an issue where Firefox, Chrome and IE all
fail. If an inline is insecure due to an invalid certificate, this type of
invalidity does not downgrade the overall security rating for the page,
unlike what a regular http inline would. This seems like a bug.

One could argue that the user has manually accepted the certificate
(possibly a long time in the past), and thus that the user has accepted the
risk. However, it makes no sense that the resulting page should be more
secure than the parts, and all the browsers above warn (to varying
degrees) when viewing the image on its own.

The issue is demonstrated on
https://people.opera.com/sigbjorn/temp/InsecureInlines.html. Note that
this is a temporary file, and might disappear at any point.
Gerv asked me what I thought about this bug, and below is my reply:

Hi Gerv,

In previous projects I've worked on, I've generally ignored the case
where a user explicitly allows an untrusted cert.  If they went through
the UI to "disable protection" then I don't worry about that edge case,
and instead focus on the common case.  Once a feature is complete, then
perhaps it is something we could/should consider.

In this case, when the user goes to
https://skandiabanken.no/cdn-1cdfd3794ab7c2f/Templates/Styles/Black/skb_toplogo.png
and adds the security exception, they still see the lock in the location
bar.  If they click the lock they will see "You have added a security
exception for this site.  Your connection to this website is encrypted
to prevent eavesdropping."  For consistency, this implies that you
should still see the lock on
https://people.opera.com/sigbjorn/temp/InsecureInlines.html, but that
perhaps the Larry message should be changed to something like:
"You have added a security exception for some resources on this page
[lco can make this simpler for us].  Your connection to this website is
encrypted to prevent eavesdropping."

I'm not sure if the code to do this belongs with the Cert Validation or
Mixed Content Blocker.  Mixed Content Blocker checks the scheme of a
resource load, and if it is secure, returns.  We could add an additional
cert check in nsMixedContentBlocker and set a security flag if we get a
cert error for a subresource load.  But we should talk to Brian and
Camilo about whether this makes sense and whether it is worth the effort
(given the user added an exception for that cert).
Giving this another thought, the code really doesn't belong in nsMixedContentBlocker.cpp, since that code deals with HTTP content, not HTTPS content with invalid certs.
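The following model is an added illustration, not Firefox code, of the distinction the discussion turns on: rating subresources by scheme alone (the behaviour the mail reports) versus also asking whether a load's certificate only passed because of a stored user exception, so that the page indicator is never higher than its weakest part. Resource URLs and validation flags are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Iterable


class SecurityState(IntEnum):
    # Ordered so that min() over a page's loads picks the weakest link.
    INSECURE = 0        # plain http, or https that failed validation with no override
    CERT_OVERRIDE = 1   # https, but the cert was only accepted via a stored exception
    SECURE = 2          # https with a cert that validated normally


@dataclass(frozen=True)
class ResourceLoad:
    url: str
    cert_valid: bool      # validation succeeded without any override
    cert_override: bool   # validation failed, but a stored exception let it load


def scheme_only_state(load: ResourceLoad) -> SecurityState:
    """Reported behaviour: only the scheme is inspected, so an https subresource
    with an overridden cert counts as fully secure."""
    return SecurityState.SECURE if load.url.startswith("https://") else SecurityState.INSECURE


def cert_aware_state(load: ResourceLoad) -> SecurityState:
    """Proposed behaviour: an https load that needed a user exception is rated
    like the exception page itself, not like a cleanly validated one."""
    if not load.url.startswith("https://"):
        return SecurityState.INSECURE
    if load.cert_valid:
        return SecurityState.SECURE
    return SecurityState.CERT_OVERRIDE if load.cert_override else SecurityState.INSECURE


def page_state(loads: Iterable[ResourceLoad],
               rate: Callable[[ResourceLoad], SecurityState]) -> SecurityState:
    # A page is never more secure than its parts; an empty page is trivially secure.
    return min((rate(load) for load in loads), default=SecurityState.SECURE)


def indicator_text(state: SecurityState) -> str:
    """Text a lock-icon panel could show for the aggregated state."""
    if state is SecurityState.CERT_OVERRIDE:
        return "You have added a security exception for some resources on this page."
    if state is SecurityState.SECURE:
        return "Your connection to this website is encrypted to prevent eavesdropping."
    return "Parts of this page are not secure."


if __name__ == "__main__":
    # Constructed sample: a validly served page embedding a logo whose cert needed an exception.
    loads = [ResourceLoad("https://bank.example/page.html", True, False),
             ResourceLoad("https://cdn.bank.example/logo.png", False, True)]
    print("scheme only:", page_state(loads, scheme_only_state).name)
    print("cert aware :", page_state(loads, cert_aware_state).name)
```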
(Trying to clarify summary, since it's not about any cert error)
Summary: UI for HTTPS page that contains HTTPS embedded content that has a cert error → UI for HTTPS page containing content for which the user has overridden an otherwise-invalid cert
Severity: normal → S3