Open Bug 906069 Opened 10 years ago Updated 4 months ago

firefox accepts insecure content in TLS/SSL connections and does not even warn about it

Categories: Firefox :: Security, defect
Version: 23 Branch
People: Reporter: calestyo, Unassigned
References: Blocks 1 open bug

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 Iceweasel/23.0 (Beta/Release)
Build ID: 20130807022136

Steps to reproduce:

When one accesses TLS/SSL secured content from a website, FF accepts all kinds of unsecured content (e.g. images) without either blocking such content or adequately warning the users.

This is another case of Mozilla ridiculously handling security, and it completely breaks the use of SSL/TLS.


It's generally not up to Mozilla (how arrogant can you be?!) to decide which content may be security relevant and which not. Images for example may very well be security relevant.


It's unbelievable how you break long and well established standards and allow websites to contain unsecured content without even warning the user.
And for those content types where you do warn the user, that small shield which no one really sees is like a bad joke.

General rule for how things must work:
If https is chosen and unsecured content is to be rendered:
- warn the user
- if the user makes no explicit exception, block that content
- and only if he does, render the unsecure content
Severity: normal → critical
OS: Linux → All
Hardware: x86_64 → All
Severity: critical → normal
Component: Untriaged → Security
Repro'd.

Again, comparing with Chrome: Chrome shows a padlock with a yellow triangle, mentioning that some resources come through unencrypted.

(a) Clicking through on the page info, it *does* mention that the connection is partially encrypted. So FF is noticing this, even if it's not displaying it. Relevant code: http://mxr.mozilla.org/mozilla-central/source/browser/base/content/pageinfo/security.js#35. We probably should show a different icon here, with some extra text on click.
(b) Allowing mixed content without confirmation should at least be a user preference. If we should enable it by default -- well, that's a separate discussion.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to Manish Goregaokar [:manishearth] from comment #1)
> (b) Allowing mixed content without confirmation should at least be a user
> preference. If we should enable it by default -- well, that's a separate
> discussion.

Isn't it the same as Chrome? AFAIK the only difference is the icon. We do not display padlock icon for mixed content. Is it meaningful to distinguish mixed content from unencrypted-at-all content?
> Isn't it the same as Chrome? AFAIK the only difference is the icon. We do
> not display padlock icon for mixed content. 

Yep.

>Is it meaningful to distinguish mixed content from unencrypted-at-all content?

(a) Insecure JS loaded by HTTP can be modified by an MITM just as easily as a normal MITM on an HTTP page

(b) There's the issue of tracking too (which I don't mind but others do find it a serious issue), when one fetches a resource by HTTPS only the domain is unencrypted, but if one uses HTTP the URL, GET/POST params, and content are unencrypted and visible.
Hmm, apparently FF blocks "active" (JS, etc) mixed content, but allows passive stuff like images[1]. In that case only (b) applies.



[1]: https://developer.mozilla.org/en-US/docs/Security/MixedContent
For a lot of details on Firefox's Mixed Content Blocker, you can see my blog post here - 
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

To address some of the issues stated in this bug -
* Firefox 23+ blocks Mixed Active Content
* A user can block Mixed Display/Passive Content by updating an about:config pref (https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#footnote2).  The blog goes into detail about why we don't do this by default.
* When a user disables protection and mixed active content is loaded, they see an orange triangle instead of a padlock: https://people.mozilla.org/~tvyas/FigureD.jpg
* When a user visits a page with mixed display content, they see a grey globe in FF 25 and prior.  In FF26, we change this grey globe to a grey triangle (see bug https://bugzilla.mozilla.org/show_bug.cgi?id=865352)
* Chrome and Internet Explorer also have mixed content blockers.  They do not block passive content but they block active content.  The definitions of "active" vs "passive" differ slightly between each browser.  The UI also differs.

What are the actions/issues/problems for this bug specifically?
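As an added illustration of the policy Tanvi describes (this is example code written for this page, not Firefox's own Mixed Content Blocker), the following models how an https page's subresource loads are sorted into secure, mixed active and mixed passive, and what the two about:config prefs do to each. The active/passive split follows the MDN page linked in comment #4; the exact lists differ between browsers. `security.mixed_content.block_display_content` is the pref named in the thread; the companion pref name `security.mixed_content.block_active_content`, the sample URLs and the `shop.example.com` page are assumptions.

```javascript
// Added example (not Firefox's own code): a simplified model of the Mixed
// Content Blocker policy described in this bug, runnable in Node or a browser.
// Active/passive classification follows the MDN Mixed Content page cited in
// comment #4; browsers differ in the details.

const PASSIVE_KINDS = new Set(["img", "audio", "video"]);

// about:config defaults as described in the thread: Firefox 23+ blocks mixed
// active content; mixed display (passive) content loads unless the user flips
// security.mixed_content.block_display_content to true. The active-content
// pref name is assumed here; only the display-content pref appears on this page.
const DEFAULT_PREFS = {
  "security.mixed_content.block_active_content": true,
  "security.mixed_content.block_display_content": false,
};

// Classify one subresource load of a page and decide whether it would load.
function classifyLoad(pageUrl, resourceUrl, kind, prefs = DEFAULT_PREFS) {
  const page = new URL(pageUrl);
  // Relative paths and protocol-relative references ("//cdn.example/x.js")
  // resolve against the page URL, so on an https page they inherit https
  // and are not mixed content at all.
  const res = new URL(resourceUrl, page);

  if (page.protocol !== "https:") {
    return { kind, url: res.href, category: "plain-http", action: "load" };
  }
  // Only cleartext schemes count as mixed; https:, wss:, data: and blob: do not.
  const cleartext = res.protocol === "http:" || res.protocol === "ws:";
  if (!cleartext) {
    return { kind, url: res.href, category: "secure", action: "load" };
  }
  if (PASSIVE_KINDS.has(kind)) {
    const block = prefs["security.mixed_content.block_display_content"];
    return { kind, url: res.href, category: "mixed-passive", action: block ? "block" : "load" };
  }
  // Anything not on the passive list (script, stylesheet, iframe, object, XHR,
  // font, websocket, unknown) is treated as active, so an unfamiliar load type
  // fails closed instead of slipping past the blocker (assumption of this model).
  const block = prefs["security.mixed_content.block_active_content"];
  return { kind, url: res.href, category: "mixed-active", action: block ? "block" : "load" };
}

// Run the policy over every load of a page and derive the address-bar state
// described in comment #5: padlock, grey triangle (mixed display loaded, FF26+)
// or orange triangle (mixed active loaded because protection was disabled).
function auditPage(pageUrl, loads, prefs = DEFAULT_PREFS) {
  const results = loads.map(([url, kind]) => classifyLoad(pageUrl, url, kind, prefs));
  const loaded = (cat) => results.some((r) => r.category === cat && r.action === "load");
  let indicator = "padlock";
  if (loaded("mixed-active")) indicator = "orange-triangle";
  else if (loaded("mixed-passive")) indicator = "grey-triangle";
  return {
    indicator,
    blocked: results.filter((r) => r.action === "block").map((r) => r.url),
    results,
  };
}

// Constructed sample (not a real site): an https page pulling one image and
// one script over plain http, plus two references that inherit https.
const SAMPLE_PAGE = "https://shop.example.com/cart";
const SAMPLE_LOADS = [
  ["/static/app.js", "script"],                    // same-origin path, inherits https
  ["//cdn.example.net/lib.js", "script"],          // protocol-relative, inherits https
  ["http://cdn.example.net/banner.png", "img"],    // mixed passive: loads by default
  ["http://cdn.example.net/tracker.js", "script"], // mixed active: blocked by default
];

if (typeof module !== "undefined" && require.main === module) {
  console.log(auditPage(SAMPLE_PAGE, SAMPLE_LOADS));
  const strict = { ...DEFAULT_PREFS, "security.mixed_content.block_display_content": true };
  console.log(auditPage(SAMPLE_PAGE, SAMPLE_LOADS, strict).blocked);
}
```

With the defaults the sample page shows the grey triangle and only the script is blocked; flipping `block_display_content` to `true` also blocks the banner image, which is the behaviour the reporter asks for by default and which comment #5 says is left to the user because of site breakage.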
Well all of what you write is basically moot.

It's as simple as I wrote:
- Unless a user explicitly allows it (either temporarily or permanently), mixed content, regardless of whether Mozilla has decided it is "active" or not (and, as said, you can never really know whether content is important for a specific system or not).

- The default should obviously be the secure choice (i.e. generally block such content and/or stop loading the site altogether).

- If such mixed content is encountered, all bells and whistles should start screaming, and not just some small icons that nobody looks at.


Whether and what IE, Chromium or others are doing is completely irrelevant. If they add a backdoor for the NSA, would you do so as well? If they'd decide to run their browsers only as root, would you as well?


And generally, repeating myself as in several other security related bugs,... "you" (i.e. Mozilla) has a very deep and serious problem with respect to how you (not-)understand security.
Especially in the recent events around the NSA/friends where all of the worst paranoias seem to come true, you should really come to a point where you not only understand that you need to push the new strong algos/modes and quickly deprecate (and warn the users) of old ones like TLS < 1.2...but that you also need a totally different handling of security with respect to higher levels (like this, that you really completely break the point of TLS by allowing unsafe content)... it's extremely disturbing how wrong Mozilla is doing security in this and many other ways just to make things "easy".
Looks like there already is a `security.mixed_content.block_display_content` option.
(In reply to Christoph Anton Mitterer from comment #6)

> - The default should obviously be the secure choice (i.e. generally block
> such content and/or stop loading the site altogether).

With that logic FF should just stop accepting HTTP by default and make it a config option. Blocking Mixed Passive content is going to break many, many sites. Mixed active content already does, but not as much as what will happen when M.P.C. is blocked. Because many https website owners don't care about this part, or they can't help it. Images and other passive content are not necessarily served by the same host, getting all your content providers to switch to https is hard. So we have a very large number of sites on the Net that allow this.


> - If such mixed content is encountered, all bells and whistles should start
> screaming, and not just some small icons that nobody looks at.

This somehow reminds me of Vista asking for permission every two seconds.


> Whether and what IE, Chromium or others are doing is completely irrelevant.
> If they add a backdoor for the NSA, would you do so as well? If they'd
> decide to run their browsers only as root, would you as well?
> 
> 
> And generally, repeating myself as in several other security related
> bugs,... "you" (i.e. Mozilla) has a very deep and serious problem with
> respect to how you (not-)understand security.

Alright, so explain the issues with not blocking MPC by default. There are only two issues in my mind:

(a) Tracking: The URL of the exact image is tracked (which can be backtracked to the URL of the https page visited if that image is only used on a couple of pages). There's not *much* extra tracking that can be done here, it seems.
(b) Cookies: If the image is being loaded on the same domain but on http, and the site owner forgets to use secure-only cookies, the session can be stolen. 

(b) is arguably something the site owner needs to fix. (a) seems valid, however it's not what the average Net user wants, I think. IMHO a user who wants to disable it should just do so via the option; breaking half the web by default just to prevent an unreliable form of tracking seems a bit much.

A lot of these things are the duty of the website owner, not the browser. 


http://abstrusegoose.com/536
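To make point (b) of the previous comment concrete, here is an added example (written for this page, not taken from the bug or from Firefox) of a minimal cookie jar that applies the `Secure` attribute the way a browser does. It shows which cookies ride along on a same-host image fetched over http from an https page, once with and once without `Secure` on the session cookie. The domain and path matching is a simplified version of RFC 6265; the `shop.example.com` scenario, cookie names and URLs are constructed.

```javascript
// Added example (not from the bug or from Firefox): a minimal cookie jar that
// applies Secure/Domain/Path the way a browser does, to show what comment #7
// means by "the session can be stolen" when a same-domain image loads over http
// and the site forgot the Secure attribute. Matching is simplified RFC 6265.

function parseSetCookie(header, fromUrl) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: new URL(fromUrl).hostname, // host-only unless Domain= is given
    hostOnly: true,
    path: "/",
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    switch (k.toLowerCase()) {
      case "secure": cookie.secure = true; break;
      case "domain": cookie.domain = v.replace(/^\./, "").toLowerCase(); cookie.hostOnly = false; break;
      case "path": if (v.startsWith("/")) cookie.path = v; break;
      // HttpOnly, Expires, SameSite etc. do not change whether the cookie
      // is put on the wire for a cleartext request, so they are ignored here.
    }
  }
  return cookie;
}

function domainMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

function pathMatches(cookiePath, reqPath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Cookies a browser would attach to a request for requestUrl. The last clause
// is the whole point: a Secure cookie is never sent over a non-https scheme.
function cookiesFor(jar, requestUrl) {
  const u = new URL(requestUrl);
  return jar.filter((c) =>
    domainMatches(c, u.hostname) &&
    pathMatches(c.path, u.pathname) &&
    (!c.secure || u.protocol === "https:"));
}

// Names of cookies that would travel in cleartext for this request, i.e. that a
// network attacker watching the mixed passive image load could read.
function leakedCookies(jar, requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol !== "http:") return [];
  return cookiesFor(jar, requestUrl).map((c) => c.name);
}

// Constructed scenario: login over https, then the page references an image
// over http on the same host (mixed passive content, which loads by default).
const LOGIN_URL = "https://shop.example.com/login";
const IMAGE_URL = "http://shop.example.com/img/logo.png";

// Site owner forgot Secure on the session cookie.
const weakJar = [
  parseSetCookie("session=abc123; Path=/; HttpOnly", LOGIN_URL),
  parseSetCookie("prefs=dark; Path=/", LOGIN_URL),
];
// Hardened: the session cookie is Secure; the harmless preference cookie is not.
const hardenedJar = [
  parseSetCookie("session=abc123; Path=/; HttpOnly; Secure", LOGIN_URL),
  parseSetCookie("prefs=dark; Path=/", LOGIN_URL),
];

if (typeof module !== "undefined" && require.main === module) {
  console.log("weak jar leaks:", leakedCookies(weakJar, IMAGE_URL));
  console.log("hardened jar leaks:", leakedCookies(hardenedJar, IMAGE_URL));
}
```

With the weak jar the `session` cookie goes out in the clear on the image request, which is the session theft the comment describes; with `Secure` set only the preference cookie does, and the session cookie is still sent normally on the https page itself. Blocking mixed display content in the browser would prevent the request entirely, which is why the two sides of this thread disagree about whose job the fix is.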
What about adware that replaces images on a page? Or images that the user needs to interact with (like CAPTCHAs or QR codes)?
I agree with the reporter that mixed passive content should be blocked by default. Mozilla has already declared HTTP deprecated [1]. I hope that bug 893533 can be fixed soon, to have a UI for MPC.

[1] https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
Severity: normal → S3