https://bugs.kde.org/show_bug.cgi?id=420902
Bug ID: 420902
Summary: Site info falsely claims that connection is secure after certificate exception
Product: Falkon
Version: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---

When opening https://expired.badssl.com/ and granting a certificate exception,
the site info panel (when clicking the site's favicon) claims "Your connection
to this site is *secured*" despite that not being the case.

When loading the site again in a new tab (or even just reloading it),
QtWebEngine remembers the certificate exemption and doesn't ask again - those
two things combined might provide users with a false sense of security that a
connection is secure, despite that not being the case.

I noticed this while fixing a similar issue in qutebrowser:
https://github.com/qutebrowser/qutebrowser/issues/5403

While I consider this a security-relevant bug (and will request a CVE for
qutebrowser), there's nothing to be exploited by a bad actor, hence I'm opening
this publicly.

This is on Archlinux, with Qt 5.14.2 and Falkon 3.1.0.
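
The failure mode described in this report, modelled without Qt as an added example (not Falkon or qutebrowser code): once the engine remembers the exception, a reload raises no new certificate error, so the site info logic has to keep its own record of overridden hosts. All class and function names are hypothetical, and the scheme-only check in `naive` is an assumption about how such a panel could reach the wrong answer.

```cpp
// Added example: Qt-free model of the report's scenario; every name is hypothetical.
#include <set>
#include <string>

enum class SiteSecurity { Insecure, SecureTls, CertificateException };

// Stand-in for the engine: a granted exception is remembered per host, and
// later loads of that host raise no certificate error (as in the report).
class EngineModel {
public:
    // Returns true when a certificate error is surfaced to the browser UI.
    bool load(const std::string &host, bool certValid) const {
        return !certValid && accepted_.count(host) == 0;
    }
    void rememberException(const std::string &host) { accepted_.insert(host); }
private:
    std::set<std::string> accepted_;
};

class SiteInfoModel {
public:
    void exceptionGranted(const std::string &host) { overridden_.insert(host); }
    // Assumed buggy decision: the URL scheme alone yields "secured".
    static SiteSecurity naive(const std::string &scheme) {
        return scheme == "https" ? SiteSecurity::SecureTls : SiteSecurity::Insecure;
    }
    // Hardened decision: an overridden host is never reported as secured.
    SiteSecurity checked(const std::string &scheme, const std::string &host) const {
        if (scheme != "https") return SiteSecurity::Insecure;
        if (overridden_.count(host)) return SiteSecurity::CertificateException;
        return SiteSecurity::SecureTls;
    }
private:
    std::set<std::string> overridden_;
};

struct Outcome { bool errorOnReload; SiteSecurity naive; SiteSecurity checked; };

// First visit raises the error and the user accepts it; then the page is reloaded.
Outcome visitAcceptReload(const std::string &host) {
    EngineModel engine; SiteInfoModel info;
    if (engine.load(host, false)) {
        engine.rememberException(host);
        info.exceptionGranted(host);
    }
    return Outcome{engine.load(host, false), SiteInfoModel::naive("https"), info.checked("https", host)};
}

int main() { return visitAcceptReload("expired.badssl.com").checked == SiteSecurity::CertificateException ? 0 : 1; }
```

The reload produces no certificate error, so a panel that only reacts to error callbacks or to the scheme reports "secured", while the per-host record still yields the exception state.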