ubuntu-webapps-bugs team mailing list archive
-
ubuntu-webapps-bugs team
-
Mailing list archive
-
Message #01554
[Bug 1377194] [NEW] Various issues with security UI's
Public bug reported:
I've not done a proper review on this yet, but there are a few issues
I've noticed just from using the browser:
- The certificate error UI is displayed for all errors, but it should
only be displayed for main frame document errors
(CertificateError.isMainFrame && !CertificateError.isSubresource). You
can't override other errors anyway, and for subframes and subresources
it is fine to just block the content (this is how Chrome and Firefox
behave).
- When accepting an error, the certificate fingerprint seems to be
whitelisted by the browser. This is not safe - what happens if the user
navigates to a genuinely malicious site that happens to use the same
certificate? If you want to whitelist them, you must also record the
domain that the error originated from and the error code, and only
automatically allow the error if the domain + error code + fingerprints
match
- When accepting an error, there is no visual cue in the header bar that
you're on a site with security errors.
- If you press the stop icon in the addressbar whilst the certificate
error UI is displayed, the pending navigation is cancelled (returning to
the previous committed navigation), but the certificate error UI is not
removed. There is a CertificateError.cancelled signal for this purpose -
I'm not sure if you're using it or not
- There doesn't seem to be any indicator when you go to a site that has
an EV certificate
** Affects: webbrowser-app
Importance: Undecided
Status: New
** Description changed:
I've not done a proper review on this yet, but there are a few issues
I've noticed just from using the browser:
- The certificate error UI is displayed for all errors, but it should
only be displayed for main frame document errors
(CertificateError.isMainFrame && !CertificateError.isSubresource). You
- can't override these errors anyway, and for subframes and subresources
+ can't override other errors anyway, and for subframes and subresources
it is fine to just block the content (this is how Chrome and Firefox
behave).
- When accepting an error, the certificate fingerprint seems to be
whitelisted by the browser. This is not safe - what happens if the user
navigates to a genuinely malicious site that happens to use the same
certificate? If you want to whitelist them, you must also record the
domain that the error originated from and the error code, and only
automatically allow the error if the domain + error code + fingerprints
match
- When accepting an error, there is no visual cue in the header bar that
you're on a site with security errors.
- If you press the stop icon in the addressbar whilst the certificate
error UI is displayed, the pending navigation is cancelled (returning to
the previous committed navigation), but the certificate error UI is not
removed. There is a CertificateError.cancelled signal for this purpose -
I'm not sure if you're using it or not
** Description changed:
I've not done a proper review on this yet, but there are a few issues
I've noticed just from using the browser:
- The certificate error UI is displayed for all errors, but it should
only be displayed for main frame document errors
(CertificateError.isMainFrame && !CertificateError.isSubresource). You
can't override other errors anyway, and for subframes and subresources
it is fine to just block the content (this is how Chrome and Firefox
behave).
- When accepting an error, the certificate fingerprint seems to be
whitelisted by the browser. This is not safe - what happens if the user
navigates to a genuinely malicious site that happens to use the same
certificate? If you want to whitelist them, you must also record the
domain that the error originated from and the error code, and only
automatically allow the error if the domain + error code + fingerprints
match
- When accepting an error, there is no visual cue in the header bar that
you're on a site with security errors.
- If you press the stop icon in the addressbar whilst the certificate
error UI is displayed, the pending navigation is cancelled (returning to
the previous committed navigation), but the certificate error UI is not
removed. There is a CertificateError.cancelled signal for this purpose -
I'm not sure if you're using it or not
+
+ - There doesn't seem to be any indicator when you go to a site that has
+ an EV certificate
--
You received this bug notification because you are a member of Ubuntu
WebApps bug tracking, which is subscribed to webbrowser-app.
https://bugs.launchpad.net/bugs/1377194
Title:
Various issues with security UI's
Status in Web Browser App:
New
Bug description:
I've not done a proper review on this yet, but there are a few issues
I've noticed just from using the browser:
- The certificate error UI is displayed for all errors, but it should
only be displayed for main frame document errors
(CertificateError.isMainFrame && !CertificateError.isSubresource). You
can't override other errors anyway, and for subframes and subresources
it is fine to just block the content (this is how Chrome and Firefox
behave).
- When accepting an error, the certificate fingerprint seems to be
whitelisted by the browser. This is not safe - what happens if the
user navigates to a genuinely malicious site that happens to use the
same certificate? If you want to whitelist them, you must also record
the domain that the error originated from and the error code, and only
automatically allow the error if the domain + error code +
fingerprints match
- When accepting an error, there is no visual cue in the header bar
that you're on a site with security errors.
- If you press the stop icon in the addressbar whilst the certificate
error UI is displayed, the pending navigation is cancelled (returning
to the previous committed navigation), but the certificate error UI is
not removed. There is a CertificateError.cancelled signal for this
purpose - I'm not sure if you're using it or not
- There doesn't seem to be any indicator when you go to a site that
has an EV certificate
To manage notifications about this bug go to:
https://bugs.launchpad.net/webbrowser-app/+bug/1377194/+subscriptions
Follow ups
References
