[Touch-packages] [Bug 1377194] Re: Various issues with security UI's

2014-11-21 Thread Olivier Tilloy
An additional issue that’s related to the implementation of the
whitelist for invalid certificates that have been overridden for the
duration of the session: the whitelist is stored on the webview, so if I
open a URL for which the certificate has been previously whitelisted in
a new tab, I will get the security warning page again. The whitelist
should be stored on the browser object instead, so that all webviews
share it for the duration of the session.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1377194

Title:
  Various issues with security UI's

Status in Web Browser App:
  In Progress
Status in “webbrowser-app” package in Ubuntu:
  In Progress
Status in “webbrowser-app” package in Ubuntu RTM:
  Confirmed

Bug description:
  I've not done a proper review on this yet, but there are a few issues
  I've noticed just from using the browser:

  - The certificate error UI is displayed for all errors, but it should
  only be displayed for main frame document errors
  (CertificateError.isMainFrame && !CertificateError.isSubresource). You
  can't override other errors anyway, and for subframes and subresources
  it is fine to just block the content (this is how Chrome and Firefox
  behave).

  - When accepting an error, the certificate fingerprint seems to be
  whitelisted by the browser. This is not safe - what happens if the
  user navigates to a genuinely malicious site that happens to use the
  same certificate? If you want to whitelist them, you must also record
  the domain that the error originated from and the error code, and only
  automatically allow the error if the domain + error code +
  fingerprints match

  - When accepting an error, there is no visual cue in the header bar
  that you're on a site with security errors.

  - If you press the stop icon in the addressbar whilst the certificate
  error UI is displayed, the pending navigation is cancelled (returning
  to the previous committed navigation), but the certificate error UI is
  not removed. There is a CertificateError.cancelled signal for this
  purpose - I'm not sure if you're using it or not

  - There doesn't seem to be any indicator when you go to a site that
  has an EV certificate

To manage notifications about this bug go to:
https://bugs.launchpad.net/webbrowser-app/+bug/1377194/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
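
The two whitelist points raised in the message above (match on domain + error code + fingerprint rather than the fingerprint alone, and keep the list on a session-wide object shared by all webviews) can be sketched as follows. This is an added example, not code from webbrowser-app or Oxide; the class names, the error-object fields other than isMainFrame/isSubresource, and the sample values are assumptions.

```javascript
// Added example; class and field names are hypothetical, not webbrowser-app code.

// Behaviour the bug describes as unsafe: only the fingerprint is remembered.
class FingerprintOnlyAllowlist {
  constructor() { this.accepted = new Set(); }
  accept(err) { this.accepted.add(err.fingerprint); }
  isAllowed(err) { return this.accepted.has(err.fingerprint); }
}

// Requested behaviour: host + error code + fingerprint must all match.
class CertExceptionStore {
  constructor() { this.accepted = new Set(); }
  static key(err) {
    return JSON.stringify([err.host.toLowerCase(), err.code, err.fingerprint]);
  }
  // Only main-frame document errors are ever shown to the user or remembered.
  static promptable(err) { return err.isMainFrame && !err.isSubresource; }
  accept(err) {
    if (!CertExceptionStore.promptable(err)) return false;
    this.accepted.add(CertExceptionStore.key(err));
    return true;
  }
  isAllowed(err) {
    return CertExceptionStore.promptable(err) &&
           this.accepted.has(CertExceptionStore.key(err));
  }
}

// A tab holds a reference to the one store owned by the browser session.
class Tab {
  constructor(store) { this.store = store; }
  decide(err) {
    if (this.store.isAllowed(err)) return "allow";
    return CertExceptionStore.promptable(err) ? "prompt" : "block";
  }
}

// Constructed sample errors (hosts, codes and fingerprint are made up).
const FP = "ab:cd:ef:01";
const accepted = { host: "intranet.example", code: "AUTHORITY_INVALID",
                   fingerprint: FP, isMainFrame: true, isSubresource: false };
const otherHost = { ...accepted, host: "login.example" };
const otherCode = { ...accepted, code: "DATE_INVALID" };
const subresource = { ...accepted, isMainFrame: false, isSubresource: true };
```

With one store passed to every Tab, an exception accepted in one tab is honoured in the next, while the same certificate on another host or with another error code still triggers the warning page.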


[Touch-packages] [Bug 1377194] Re: Various issues with security UI's

2014-11-21 Thread Olivier Tilloy
** Changed in: webbrowser-app (Ubuntu)
 Assignee: (unassigned) => Olivier Tilloy (osomon)

** Changed in: webbrowser-app (Ubuntu RTM)
 Assignee: (unassigned) => Olivier Tilloy (osomon)



[Touch-packages] [Bug 1377194] Re: Various issues with security UI's

2014-11-21 Thread Olivier Tilloy
> When accepting an error, there is no visual cue in the header bar that
> you're on a site with security errors.

The design specification doesn’t mention this situation; I’ll request an
update. Out of curiosity, I tested Firefox and Chromium on desktop:
Firefox just pretends nothing happened if an exception was added (i.e.
it says the connection is secure and displays a padlock icon), whereas
Chromium displays a padlock with a cross over it, and the https part
of the address is struck through. Two rather different approaches.

** Also affects: ubuntu-ux
   Importance: Undecided
   Status: New

** Summary changed:

- Various issues with security UI's
+ [browser] Various issues with security UI's

-- 
Title:
  [browser] Various issues with security UI's

Status in Ubuntu UX bugs:
  New
Status in Web Browser App:
  In Progress
Status in “webbrowser-app” package in Ubuntu:
  In Progress
Status in “webbrowser-app” package in Ubuntu RTM:
  Confirmed


[Touch-packages] [Bug 1377194] Re: Various issues with security UI's

2014-11-12 Thread Olivier Tilloy
** Also affects: webbrowser-app (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: webbrowser-app (Ubuntu)
   Status: New => In Progress

** Also affects: webbrowser-app (Ubuntu RTM)
   Importance: Undecided
   Status: New

** Changed in: webbrowser-app (Ubuntu RTM)
   Status: New => Confirmed
