Firefox 'bad certificate' warning blocks navigation with small secured frames

Bug #236610 reported by Miguel Diago
Affects | Status | Importance | Assigned to | Milestone
Mozilla Firefox | Invalid | Undecided | Unassigned |
XULRunner | Invalid | Undecided | Unassigned |
firefox-3.0 (Ubuntu) | Invalid | Undecided | Mozilla Bugs |
xulrunner-1.9 (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

Binary package hint: firefox-3.0

When you access a secure webpage whose certificate has been signed by an unknown authority, you are redirected to a warning message and taken out of the website. This can be a problem when there are only some parts of the webpage that are secured, like iframes. In such cases, the alert about using an untrusted certificate can be bigger than the iframe itself and so the user can't click the link to add an exception and continue browsing the website.

For example, to reproduce this:
1. Go to http://www.renfe.es/
2. In the left-hand column, in the "Compra de billetes" box, select one random element from the first roll menu.
3. See how the box becomes "secure" and a cropped security alert is shown in which the bottom link to add an exception can't be accessed.

I will attach a screenshot of the problem.

ProblemType: Bug
Architecture: i386
Date: Sun Jun 1 23:01:58 2008
DistroRelease: Ubuntu 8.04
NonfreeKernelModules: nvidia
Package: firefox-3.0 3.0~b5+nobinonly-0ubuntu3
PackageArchitecture: i386
ProcEnviron:
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=es_ES.UTF-8
 SHELL=/bin/bash
SourcePackage: firefox-3.0
Uname: Linux 2.6.24-17-generic i686

Tags: apport-bug
Miguel Diago (mdm) wrote :
Milan Bouchet-Valat (nalimilan) wrote :

Thanks for your bug report, and especially for the screenshot. This is actually a problem that should be solved in some way.

Changed in firefox-3.0:
assignee: nobody → desktop-bugs
status: New → Confirmed
Changed in firefox-3.0:
assignee: desktop-bugs → mozilla-bugs
Alexander Sack (asac) wrote : Re: [Bug 236610] [NEW] Firefox behaviour with unknown certificate authorities can block navigation

On Sun, Jun 01, 2008 at 09:06:34PM -0000, Miguel Diago wrote:
> Public bug reported:
>
> Binary package hint: firefox-3.0
>
> When you access a secure webpage whose certificate has been signed by an
> unknown authority, you are redirected to a warning message and taken out
> of the website. This can be a problem when there are only some parts of
> the webpage that are secured, like iframes. In such cases, the alert
> about using an untrusted certificate can be bigger than the iframe
> itself and so the user can't click the link to add an exception and
> continue browsing the website.
>
> For example, to reproduce this:
> 1. Go to http://www.renfe.es/
> 2. In the left-hand column, in the "Compra de billetes" box, select one random element from the first roll menu.
> 3. See how the box becomes "secure" and a cropped security alert is shown in which the bottom link to add an exception can't be accessed.
>

Interesting point. Reed, are you aware if this was also raised
upstream?

 affects firefox
 affects xulrunner

 affects ubuntu/firefox-3.0
 status incomplete
 affects ubuntu/xulrunner-1.9
 status incomplete

 - Alexander

Changed in firefox-3.0:
status: Confirmed → Incomplete
Miguel Diago (mdm) wrote :

The website I put as an example has changed the way the box works, and I don't know about any other examples for this bug :(

John Vivirito (gnomefreak) wrote : Re: [Bug 236610] Re: Firefox 'bad certificate' warning blocks navigation with small secured frames

Miguel Diago wrote:
> The website I put as an example has changed the way the box works, and I
> don't know about any other examples for this bug :(
>
Do you mean that the site you were having issues with has fixed the issue?

--
Sincerely Yours,
     John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

Milan Bouchet-Valat (nalimilan) wrote :

This is what he means. But many other sites are likely to use this kind of embedded SSL frames - though this behavior is not really recommended as regards security.
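
A site owner's check for the pattern discussed in this report, as an added example that is not part of the thread: it lists frames that load HTTPS content from another origin and flags those embedded in an HTTP page or given a small fixed size. The size threshold, the issue labels and the sample markup are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed space a certificate warning needs to show its "add exception" link;
# the thread gives no figure, so tune this to the browsers you support.
MIN_WIDTH, MIN_HEIGHT = 600, 400

class FrameCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames = []  # attribute dicts of every <iframe>/<frame> seen

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            self.frames.append(dict(attrs))

def _px(value):
    """Integer pixel size from a width/height attribute, or None if unknown."""
    value = (value or "").strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None

def audit_frames(page_url, html):
    """Return (frame_url, issues) for HTTPS frames from a different origin."""
    parent = urlsplit(page_url)
    collector = FrameCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.frames:
        frame_url = urljoin(page_url, attrs.get("src") or "")
        target = urlsplit(frame_url)
        if target.scheme != "https" or target[:2] == parent[:2]:
            continue  # not HTTPS, or same scheme and host as the parent page
        issues = []
        if parent.scheme != "https":
            issues.append("https-frame-in-http-page")
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        # Only attribute sizes are checked; CSS-sized frames are left unflagged.
        if (width is not None and width < MIN_WIDTH) or (height is not None and height < MIN_HEIGHT):
            issues.append("smaller-than-assumed-warning-size")
        if issues:
            findings.append((frame_url, issues))
    return findings

# Constructed sample page, not the markup of the site named in the report.
SAMPLE_PAGE = """<iframe src="https://tickets.example.test/search" width="180" height="120"></iframe>
<iframe src="/news.html" width="180" height="120"></iframe>
<iframe src="https://maps.example.test/" width="800" height="600"></iframe>"""
```
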

Raúl Porcel (armin76) wrote :

This is more or less the same problem as with embedded frames, when the frames are from another server and it times out. You can't click on the retry button, like you can't here to add an exception.

Anyway, two bad things for Renfe, first: bad SSL cert, and SSL embedded frames... guess they'll care when firefox-3.0 final is released, or maybe they just tell people to use IE.
Thing is, what's the difference between fixing this and fixing embedded frames timing out? The latter has occurred since firefox 1.0 or older...

Martin Mai (mrkanister-deactivatedaccount-deactivatedaccount) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in firefox-3.0:
status: Incomplete → Invalid
Changed in xulrunner-1.9:
status: Incomplete → Invalid
Changed in firefox:
status: New → Invalid
Changed in xulrunner:
status: New → Invalid