touch-packages team mailing list archive

Thread
Date
[Bug 1377194] Re: [browser] Various issues with security UI's

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Giorgio Venturi <giorgio.venturi@xxxxxxxxxxxxx>
Date: Mon, 24 Nov 2014 15:18:51 -0000
Reply-to: Bug 1377194 <1377194@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Description changed:

  I've not done a proper review on this yet, but there are a few issues
  I've noticed just from using the browser:
  
  - The certificate error UI is displayed for all errors, but it should
  only be displayed for main frame document errors
  (CertificateError.isMainFrame && !CertificateError.isSubresource). You
  can't override other errors anyway, and for subframes and subresources
  it is fine to just block the content (this is how Chrome and Firefox
  behave).
  
  - When accepting an error, the certificate fingerprint seems to be
  whitelisted by the browser. This is not safe - what happens if the user
  navigates to a genuinely malicious site that happens to use the same
  certificate? If you want to whitelist them, you must also record the
  domain that the error originated from and the error code, and only
  automatically allow the error if the domain + error code + fingerprints
  match
  
  - When accepting an error, there is no visual cue in the header bar that
  you're on a site with security errors.
  
  - If you press the stop icon in the addressbar whilst the certificate
  error UI is displayed, the pending navigation is cancelled (returning to
  the previous committed navigation), but the certificate error UI is not
  removed. There is a CertificateError.cancelled signal for this purpose -
  I'm not sure if you're using it or not
  
  - There doesn't seem to be any indicator when you go to a site that has
  an EV certificate
+ 
+ --- UX Comment ---
+ Additional wireframe for top bar displaying warning when certificate identity is not verified
+ https://docs.google.com/a/canonical.com/presentation/d/1Qrd4Flfs3EH-fI79IfrYgLdAx2nce-L7ve8NKLCX324/edit#slide=id.g3503834cf_01
+ 
+ For EV certificate, just display EV information in the pop-over

** Changed in: ubuntu-ux
       Status: Triaged => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1377194

Title:
  [browser] Various issues with security UI's

Status in Ubuntu UX bugs:
  Fix Committed
Status in Web Browser App:
  In Progress
Status in “webbrowser-app” package in Ubuntu:
  In Progress
Status in “webbrowser-app” package in Ubuntu RTM:
  Confirmed

Bug description:
  I've not done a proper review on this yet, but there are a few issues
  I've noticed just from using the browser:

  - The certificate error UI is displayed for all errors, but it should
  only be displayed for main frame document errors
  (CertificateError.isMainFrame && !CertificateError.isSubresource). You
  can't override other errors anyway, and for subframes and subresources
  it is fine to just block the content (this is how Chrome and Firefox
  behave).

  - When accepting an error, the certificate fingerprint seems to be
  whitelisted by the browser. This is not safe - what happens if the
  user navigates to a genuinely malicious site that happens to use the
  same certificate? If you want to whitelist them, you must also record
  the domain that the error originated from and the error code, and only
  automatically allow the error if the domain + error code +
  fingerprints match

  - When accepting an error, there is no visual cue in the header bar
  that you're on a site with security errors.

  - If you press the stop icon in the addressbar whilst the certificate
  error UI is displayed, the pending navigation is cancelled (returning
  to the previous committed navigation), but the certificate error UI is
  not removed. There is a CertificateError.cancelled signal for this
  purpose - I'm not sure if you're using it or not

  - There doesn't seem to be any indicator when you go to a site that
  has an EV certificate

  --- UX Comment ---
  Additional wireframe for top bar displaying warning when certificate identity is not verified
  https://docs.google.com/a/canonical.com/presentation/d/1Qrd4Flfs3EH-fI79IfrYgLdAx2nce-L7ve8NKLCX324/edit#slide=id.g3503834cf_01

  For EV certificate, just display EV information in the pop-over

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-ux/+bug/1377194/+subscriptions