Closed Bug 921378 Opened 11 years ago Closed 10 years ago

No warning when HTTPS page redirects DOWNLOAD to HTTP

Categories

(Core :: Security, defect)

24 Branch
x86_64
Windows 7
defect
Not set
major

RESOLVED DUPLICATE of bug 444973

People

(Reporter: f201052, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130910160258

Steps to reproduce:

GET https://www.x-ways.net/winhex.zip [HTTP/1.1 302 Found 115ms]
GET http://www.x-ways.net/cgi-bin/winhex.cgi [HTTP/1.1 302 Found 55ms]
GET http://www.muenster.de/~sf/winhex.zip [HTTP/1.1 200 OK 3170ms]


Actual results:

For normal browsing this is not a problem, because the user sees in the URL bar that the connection is not encrypted. But for downloads this is invisible to the user.

No warning generated about secure page being redirected to insecure page. Users misled into believing they downloaded from a secure URL. Allows for easy hard-to-notice MITM attacks.


Expected results:

A warning about being redirected from insecure to secure page should have been displayed (or Ok/Cancel prompt shown).
Severity: normal → major
Component: Untriaged → Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
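
The redirect chain in the steps to reproduce can be checked mechanically. The following is an added example, not part of the original report and not Firefox code: it parses hop lines in the network-log format quoted above and flags a download that starts on https:// but passes through any cleartext hop. The function names and the warning policy are assumptions made for illustration.

```javascript
// Added example, not Firefox code. Input lines use the network-log format
// quoted in the report: GET <url> [HTTP/1.1 <status> <reason> <time>ms]
const HOP_RE = /^(\S+)\s+(\S+)\s+\[HTTP\/[\d.]+\s+(\d{3})\b/;

function parseHops(logText) {
  const lines = logText.split("\n").map((l) => l.trim()).filter(Boolean);
  if (lines.length === 0) throw new Error("empty redirect chain");
  return lines.map((line) => {
    const m = HOP_RE.exec(line);
    if (!m) throw new Error(`unparseable hop: ${line}`);
    return { method: m[1], url: new URL(m[2]), status: Number(m[3]) };
  });
}

// Hypothetical policy: a download that starts on https:// is tainted if ANY
// later hop is not https://, even when the final hop is https:// again,
// because a cleartext hop lets a network attacker choose the next Location.
function auditChain(hops) {
  const startedSecure = hops[0].url.protocol === "https:";
  const findings = [];
  for (let i = 1; i < hops.length; i++) {
    const prev = hops[i - 1].url;
    const cur = hops[i].url;
    if (prev.protocol === "https:" && cur.protocol !== "https:") {
      findings.push({ hop: i, type: "scheme-downgrade", to: cur.href });
    }
    if (prev.hostname !== cur.hostname) {
      findings.push({ hop: i, type: "host-change", to: cur.hostname });
    }
  }
  const cleartextHops = hops.slice(1).filter((h) => h.url.protocol !== "https:").length;
  const last = hops[hops.length - 1];
  return {
    findings,
    cleartextHops,
    warn: startedSecure && cleartextHops > 0,
    finalHost: last.url.hostname,
    finalScheme: last.url.protocol,
  };
}

// The chain from the report's steps to reproduce.
const REPORTED_CHAIN = `
GET https://www.x-ways.net/winhex.zip [HTTP/1.1 302 Found 115ms]
GET http://www.x-ways.net/cgi-bin/winhex.cgi [HTTP/1.1 302 Found 55ms]
GET http://www.muenster.de/~sf/winhex.zip [HTTP/1.1 200 OK 3170ms]
`;

console.log(JSON.stringify(auditChain(parseHops(REPORTED_CHAIN)), null, 2));
```

For the reported chain this yields a scheme downgrade at the first redirect and a host change at the second, with the file itself delivered over http://.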