https://bugs.kde.org/show_bug.cgi?id=420902

            Bug ID: 420902
           Summary: Site info falsely claims that connection is secure
                    after certificate exception
           Product: Falkon
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

When opening https://expired.badssl.com/ and granting a certificate exception,
the site info panel (when clicking the site's favicon) claims "Your connection
to this site is *secured*" despite that not being the case.

When loading the site again in a new tab (or even just reloading it),
QtWebEngine remembers the certificate exemption and doesn't ask again - those
two things combined might provide users with a false sense of security that a
connection is secure, despite that not being the case.

I noticed this while fixing a similar issue in qutebrowser:
https://github.com/qutebrowser/qutebrowser/issues/5403

While I consider this a security-relevant bug (and will request a CVE for
qutebrowser), there's nothing to be exploited by a bad actor, hence I'm opening
this publicly.

This is on Archlinux, with Qt 5.14.2 and Falkon 3.1.0.
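A small Python model of the indicator logic this report describes, added here as an illustration and not code from Falkon, qutebrowser or QtWebEngine: a "secured" label has to consult the per-origin record of accepted certificate errors, because that record outlives the first prompt. The exception store, the Status strings and the example.org comparison site are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Status(Enum):
    SECURE = "Your connection to this site is secured"
    INSECURE = "Your connection to this site is not secure"
    EXCEPTION = "Certificate error was overridden; connection is not trustworthy"


def origin(url: str) -> tuple:
    """Reduce a URL to (scheme, host, port); exceptions are remembered per origin."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, (p.hostname or "").lower(), port)


@dataclass
class CertExceptionStore:
    """Origins whose certificate error the user chose to ignore (constructed model
    of the engine remembering the exemption so later loads do not prompt again)."""
    ignored: set = field(default_factory=set)

    def ignore(self, url: str) -> None:
        self.ignored.add(origin(url))

    def has_exception(self, url: str) -> bool:
        return origin(url) in self.ignored


def naive_status(url: str) -> Status:
    """The buggy indicator: derives 'secured' from the https scheme alone,
    so an expired certificate accepted earlier still reads as secure."""
    return Status.SECURE if origin(url)[0] == "https" else Status.INSECURE


def status(url: str, store: CertExceptionStore) -> Status:
    """Indicator that checks the exception store before claiming 'secured'.
    A remembered override on the origin downgrades every later load too."""
    if origin(url)[0] != "https":
        return Status.INSECURE
    if store.has_exception(url):
        return Status.EXCEPTION
    return Status.SECURE
```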
