Ubuntu
epiphany-browser package

epiphany (webkit) doesn't clearly warn about invalid SSL certificates

Bug #589877 reported by Jamie Strandboge
280
This bug affects 6 people
Affects Status Importance Assigned to Milestone
Epiphany Browser
Invalid
Medium
epiphany-browser (Ubuntu)
Fix Released
High
Unassigned

Bug Description

Binary package hint: epiphany-browser

Going to the following URL should prompt the user stating the certificate can't be trusted:
https://www.cacert.org/index.php?id=1

This has been verified on karmic, lucid and the webkit in the ubuntu-mozila-security PPA. This does not seem to be a problem (though it could be a problem with the gtk port) with webkit because going to the same URL in arora (which uses libqt4-webkit) works ok. midori (which also uses libwebkit-1.0-2) is also affected.

Jamie Strandboge (jdstrand)
visibility: private → public
Changed in epiphany-browser (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand)
Changed in epiphany-browser (Ubuntu):
importance: Undecided → Critical
Jamie Strandboge (jdstrand)
Changed in epiphany-browser (Ubuntu):
importance: Critical → High
Revision history for this message
Jeremy Nickurak (nickurak) wrote :

Note that you should see a broken "lock" in the bottom-left, but a warning dialog akin to firefox/chrome's is very important to protect sensitive information.

Pedro Villavicencio (pedro)
Changed in epiphany-browser (Ubuntu):
status: Confirmed → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in epiphany-browser:
status: Unknown → New
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

https://www.cacert.org/index.php?id=1 does not display a broken lock, but instead a locked lock.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I should also mention that there doesn't seem to be a way to import a CA. Eg, one test I perform for xulrunner updates is:
1. go to https://www.cacert.org/index.php?id=1 and verify the browser prompts for untrusted certificate
2. go to http://www.cacert.org/certs/root.crt to import the certificate
3. go to https://www.cacert.org/index.php?id=1 and verify the browser does not prompt

1 and 2 do not work with epiphany/webkit, but do with epiphany/gecko.

Revision history for this message
Jeremy Nickurak (nickurak) wrote : Re: [Bug 589877] Re: epiphany (webkit) does not verify SSL certificates

Hmm... likewise here.

How does epiphany decide what certificates to trust? It certainly rejects
https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/...

On Mon, Jun 7, 2010 at 11:24, Jamie Strandboge <email address hidden> wrote:

> https://www.cacert.org/index.php?id=1 does not display a broken lock,
> but instead a locked lock.
>
> --
> epiphany (webkit) does not verify SSL certificates
> https://bugs.launchpad.net/bugs/589877
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
Jeremy Nickurak -= Email/XMPP: <email address hidden> =-

Revision history for this message
Jeremy Nickurak (nickurak) wrote :

Importing certificates is a different bug,
https://bugs.launchpad.net/ubuntu/+source/epiphany-extensions/+bug/42476 .
epiphany/gecko is unrelated, as it's entirely obsolete, deprecated, and
unsupported, afaik.

On Mon, Jun 7, 2010 at 11:30, Jamie Strandboge <email address hidden> wrote:

> I should also mention that there doesn't seem to be a way to import a CA.
> Eg, one test I perform for xulrunner updates is:
> 1. go to https://www.cacert.org/index.php?id=1 and verify the browser
> prompts for untrusted certificate
> 2. go to http://www.cacert.org/certs/root.crt to import the certificate
> 3. go to https://www.cacert.org/index.php?id=1 and verify the browser does
> not prompt
>
> 1 and 2 do not work with epiphany/webkit, but do with epiphany/gecko.
>
> --
> epiphany (webkit) does not verify SSL certificates
> https://bugs.launchpad.net/bugs/589877
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
Jeremy Nickurak -= Email/XMPP: <email address hidden> =-

Revision history for this message
Jeremy Nickurak (nickurak) wrote :

It looks like newer epiphany uses the system-wide certificate pool in
/etc/ssl/certs, which (on my system) includes cacert.

It's still the case that this notification (for the bottom-left) is a tiny,
and insufficient warning that you're leaving a safe transmission medium.

On Mon, Jun 7, 2010 at 11:45, Jeremy Nickurak <email address hidden> wrote:

> Importing certificates is a different bug,
> https://bugs.launchpad.net/ubuntu/+source/epiphany-extensions/+bug/42476 .
> epiphany/gecko is unrelated, as it's entirely obsolete, deprecated, and
> unsupported, afaik.
>
>
> On Mon, Jun 7, 2010 at 11:30, Jamie Strandboge <email address hidden> wrote:
>
>> I should also mention that there doesn't seem to be a way to import a CA.
>> Eg, one test I perform for xulrunner updates is:
>> 1. go to https://www.cacert.org/index.php?id=1 and verify the browser
>> prompts for untrusted certificate
>> 2. go to http://www.cacert.org/certs/root.crt to import the certificate
>> 3. go to https://www.cacert.org/index.php?id=1 and verify the browser
>> does not prompt
>>
>> 1 and 2 do not work with epiphany/webkit, but do with epiphany/gecko.
>>
>> --
>> epiphany (webkit) does not verify SSL certificates
>> https://bugs.launchpad.net/bugs/589877
>> You received this bug notification because you are a direct subscriber
>> of the bug.
>>
>
>
>
> --
> Jeremy Nickurak -= Email/XMPP: <email address hidden> =-
>
>

--
Jeremy Nickurak -= Email/XMPP: <email address hidden> =-

summary: - epiphany (webkit) does not verify SSL certificates
+ epiphany (webkit) doesn't clearly warn about invalid SSL certificates
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I can confirm that https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/ does show the broken lock, and agree it is not nearly enough of a warning. Turning the location bar red might be an easy way to implement this, but the confirmation dialog would be better IMHO.

I brought up gecko only to illustrate that pushing epiphany/webkit as is to Ubuntu 8.04 LTS would be a regression for those users.

I made note of the certificate import issue, and can add it to the USN when epiphany is pushed to hardy.

Revision history for this message
Jeremy Nickurak (nickurak) wrote :

Upstream marked as duplicate.

Changed in epiphany-browser:
status: New → Unknown
Bug Watch Updater (bug-watch-updater)
Changed in epiphany-browser:
status: Unknown → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in epiphany-browser:
importance: Unknown → Critical
Bug Watch Updater (bug-watch-updater)
Changed in epiphany-browser:
importance: Critical → Medium
Bug Watch Updater (bug-watch-updater)
Changed in epiphany-browser:
status: Confirmed → Invalid
Yo (yleduc)
Changed in epiphany-browser (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.