Closed
Bug 121361
Opened 23 years ago
Closed 23 years ago
Navigator: Untrustable security information due to incomplete navigator tab support
Categories
(Core Graveyard :: Security: UI, defect, P4)
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 101723
psm2.2
People
(Reporter: dolmen, Assigned: ssaux)
Details
(Keywords: privacy)
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.7) Gecko/20011221
BuildID: 2001122106
In Mozilla 0.9.7 you can not trust security information when using navigator
tabs due to incomplete support of navigator tabs:
- in the security tab in page info
- the "secure/insecure" icon of the Navigator status bar always displays the
status the first Navigator tab instead of the current tab as expected.
- when clicking on the "secure/unsecure" icon, the Page Info of the first tab is
shown instead of the Page Info of the current tab as expected.
This is a major security problem.
This bug is for tracking the general issue.
I will create two bugs (see dependencies) for tracking :
- the Page Info/security tab
- the "secure/insecure" icon
This is a GUI problem that will probably only require XUL fixes.
Reproducible: Always
Steps to Reproduce:
- New navigator window: http://slashdot.org/
- New navigator tab: https://agia.fsf.org/ (note that it is HTTP over SSL).
Check the Accept the certificate (the bug is not related to that).
From now, all the tests are when the FSF page is displayed.
Problem : the "secure/insecure" icon of the status bar is shown as insecure
(unlocked). It should be "secure".
- Right-click the page, "Page Info", "Security" tab.
Problem : the lower part of the tab says "Connection Not Encrypted. The web site
slashdot.org does not support encryption..." This is wrong as the information
should refer to the FSF page. The other tabs of the Page Info window correctly
referer to the FSF page.
- Click the "secure/insecure" icon of the status bar.
Problem: all tabs of the "Page Info" window show information about the first
Navigator tab (slashdot). They should show information about the FSF page.
Do the other way, now.
- New navigator window: https://agia.fsf.org/
- New navigator tab: http://slashdot.org/
From now all the test are done when the Slashdot page is displayed.
Problem : the "secure/insecure" icon of the status bar is shown as secure
(locked). It should be "insecure" as Slashdot is not https.
- Right-click the page, "Page Info", "Security" tab.
Problem : the top part says "Web Site Identity Verified. The web site
slashdot.org support authentification for the page you are viewing. The identity
of this web site has been verified by Free Software Foundation, a certificate
authority you trust for this purpose." It should says that the web site identity
was not verified. However it seems to refer to the FSF page but with the Slahdot
host inserted. Big confusion!
Problem : the lower part says "Connection Encrypted: High grade encryption (RC4
128bit) . The page you are viewing was encrypted before being tranmitted over
the Internet."
It should says that the connection is not encrypted.
The other tabs are ok.
- Click the "secure/insecure" icon of the status bar.
Problem: all tabs of the "Page Info" window show information about the first
Navigator tab (slashdot). They should show information about the FSF page.
- Swith to the first tab (with the FSF page)
- Close the tab (with the close icon). The slashdot page is now the only page in
this window.
- Right-click the page, "Page Info", "Security" tab.
Problem : the top part still says "Web Site Identity Verified. The web site
slashdot.org support authentification for the page you are viewing. The identity
of this web site has been verified by Free Software Foundation, a certificate
authority you trust for this purpose."
We are in a case where the security tab show information about a site that is
not even shown anywhere!
I also verified the bug with other sites than slashdot.org/agia.fsf.org.
Reporter | ||
Comment 1•23 years ago
|
||
I found the bug 101723 that already deals about the "lock" icon.
I created the bug 121362 to track the "Page Info"/"Security Tab" problem.
Added the 'privacy' keyword as in bug 101723.
Updated•23 years ago
|
Comment 2•23 years ago
|
||
->PSM.
Reporter, what is a "navigator tab?" Do you mean a sidebar panel? Or a frame?
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: other → 2.2
Assignee | ||
Comment 3•23 years ago
|
||
This is tabbed browsing.
All issues of this bug are covered by other bugs.
Marking is dupe of 101723.
The bottom line is that if you're concerned about security, you shouldn't used
tabbed browsing.
*** This bug has been marked as a duplicate of 101723 ***
Reporter | ||
Comment 4•23 years ago
|
||
Mitchell: a navigator tab is what you get with menu File/New/Navigator Tab in
Navigator (or Ctrl+T)
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•