An HTTPS site includes an HTTPS resource. The HTTPS resource requires a cert exception. Assume the user has stored a cert exception for the HTTPS embedded resource. What should the UI look like?

-------- Original Message --------
Subject: [External:MB-SecIssues] Insecure inlines on secure pages
Date: Mon, 24 Jun 2013 17:34:22 +0200
From: Sigbjørn Vik <email@example.com>
Reply-To: firstname.lastname@example.org
Organization: Opera Software
To: email@example.com <firstname.lastname@example.org>

Hi all,

While testing how Opera 15 (based on Blink) deals with insecure inlines on secure pages, I came across an issue where Firefox, Chrome and IE all fail. If an inline is insecure due to an invalid certificate, this type of invalidity does not downgrade the overall security rating for the page, unlike what a regular http inline would. This seems like a bug.

One could argue that the user has manually accepted the certificate (possibly a long time in the past), and thus that the user has accepted the risk. However, it makes no sense that the resulting page should be more secure than its parts, and all the browsers above warn (to varying degrees) when viewing the image on its own.

The issue is demonstrated on https://people.opera.com/sigbjorn/temp/InsecureInlines.html. Note that this is a temporary file, and might disappear at any point.
Gerv asked me what I thought about this bug, and below is my reply:

Hi Gerv,

In previous projects I've worked on, I've generally ignored the case where a user explicitly allows an untrusted cert. If they went through the UI to "disable protection" then I don't worry about that edge case, and instead focus on the common case. Once a feature is complete, then perhaps it is something we could/should consider.

In this case, when the user goes to https://skandiabanken.no/cdn-1cdfd3794ab7c2f/Templates/Styles/Black/skb_toplogo.png and adds the security exception, they still see the lock in the location bar. If they click the lock they will see "You have added a security exception for this site. Your connection to this website is encrypted to prevent eavesdropping."

For consistency, this implies that you should still see the lock on https://people.opera.com/sigbjorn/temp/InsecureInlines.html, but that perhaps the Larry message should be changed to something like: "You have added a security exception for some resources on this page [lco can make this simpler for us]. Your connection to this website is encrypted to prevent eavesdropping."

I'm not sure if the code to do this belongs with the Cert Validation or Mixed Content Blocker. Mixed Content Blocker checks the scheme of a resource load, and if it is secure, returns. We could add an additional cert check in nsMixedContentBlocker and set a security flag if we get a cert error for a subresource load. But we should talk to Brian and Camilo about whether this makes sense and whether it is worth the effort (given the user added an exception for that cert).
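The rating rule argued for above (a page is never rated more secure than its weakest loaded part, with a distinct state for content accepted only via a stored cert exception) as a small standalone model, added here as an example; this is not Firefox's nsMixedContentBlocker code, and the state names, the Load record and the INSECURE wording are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class State(IntEnum):
    """Page security ratings, ordered weakest-first so min() yields the weakest."""
    INSECURE = 0       # http:// content was loaded into the page
    CERT_OVERRIDE = 1  # https:// content whose cert is trusted only via a user exception
    SECURE = 2         # https:// content with a valid, trusted certificate


@dataclass(frozen=True)
class Load:
    """One resource load (fields are assumptions for this model)."""
    url: str
    cert_valid: bool = True      # certificate chains to a trusted root
    user_override: bool = False  # user has stored an exception for this host


def rate_load(load):
    """Rate a single load; None means the load is refused and shows nothing."""
    if not load.url.startswith("https://"):
        return State.INSECURE
    if load.cert_valid:
        return State.SECURE
    if load.user_override:
        return State.CERT_OVERRIDE
    return None  # invalid cert and no exception: the subresource simply fails


def rate_page(top_level, subresources):
    """The page gets the weakest rating among the document and its loaded parts."""
    top = rate_load(top_level)
    if top is None:
        raise ValueError("a top-level document with an invalid cert is not shown")
    parts = [r for r in map(rate_load, subresources) if r is not None]
    return min([top] + parts)


def identity_message(top_level, subresources):
    """Site-identity text; override/secure wording follows the proposal above."""
    state = rate_page(top_level, subresources)
    if state is State.INSECURE:
        return "Parts of this page are not encrypted."  # assumed wording
    if state is State.CERT_OVERRIDE:
        if rate_load(top_level) is State.CERT_OVERRIDE:
            return "You have added a security exception for this site."
        return "You have added a security exception for some resources on this page."
    return "Your connection to this website is encrypted to prevent eavesdropping."


# Constructed sample mirroring the test page: a valid-cert page embedding the logo.
SAMPLE_PAGE = Load("https://people.opera.com/sigbjorn/temp/InsecureInlines.html")
SAMPLE_LOGO = Load("https://skandiabanken.no/cdn-1cdfd3794ab7c2f/Templates/Styles/Black/skb_toplogo.png",
                   cert_valid=False, user_override=True)
```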
Giving this another thought, the code really doesn't belong in nsMixedContentBlocker.cpp, since that code deals with HTTP content, not HTTPS content with invalid certs.
(Trying to clarify summary, since it's not about any cert error)
Summary: UI for HTTPS page that contains HTTPS embedded content that has a cert error → UI for HTTPS page containing content for which the user has overridden an otherwise-invalid cert