webbrowser-app

[browser] Various issues with security UI's

Bug #1377194 reported by Chris Coulson on 2014-10-03

262

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
Canonical System Image	Fix Released	Undecided	Olivier Tilloy	Canonical System Image ww05-2015
Ubuntu UX	Fix Released	High	Rae Shambrook
webbrowser-app	Fix Released	High	Olivier Tilloy
webbrowser-app (Ubuntu)	Fix Released	Undecided	Olivier Tilloy
webbrowser-app (Ubuntu RTM)	Fix Released	Undecided	Olivier Tilloy

Bug Description

I've not done a proper review on this yet, but there are a few issues I've noticed just from using the browser:

- The certificate error UI is displayed for all errors, but it should only be displayed for main frame document errors (CertificateError.isMainFrame && !CertificateError.isSubresource). You can't override other errors anyway, and for subframes and subresources it is fine to just block the content (this is how Chrome and Firefox behave).

- When accepting an error, the certificate fingerprint seems to be whitelisted by the browser. This is not safe - what happens if the user navigates to a genuinely malicious site that happens to use the same certificate? If you want to whitelist them, you must also record the domain that the error originated from and the error code, and only automatically allow the error if the domain + error code + fingerprints match

- When accepting an error, there is no visual cue in the header bar that you're on a site with security errors.

- If you press the stop icon in the addressbar whilst the certificate error UI is displayed, the pending navigation is cancelled (returning to the previous committed navigation), but the certificate error UI is not removed. There is a CertificateError.cancelled signal for this purpose - I'm not sure if you're using it or not

- There doesn't seem to be any indicator when you go to a site that has an EV certificate

--- UX Comment ---
Additional wireframe for top bar displaying warning when certificate identity is not verified
https://docs.google.com/a/canonical.com/presentation/d/1Qrd4Flfs3EH-fI79IfrYgLdAx2nce-L7ve8NKLCX324/edit#slide=id.g3503834cf_01

For EV certificate, just display EV information in the pop-over

See original description

Tags:

Related branches

lp:~osomon/webbrowser-app/certificate-error-fixes

Merged into lp:webbrowser-app at revision 847

PS Jenkins bot: Needs Fixing (continuous-integration) on 2014-12-11

Chris Coulson: Approve on 2014-12-09

Michael Sheldon: Pending requested 2014-12-05

Ubuntu Phablet Team: Pending requested 2014-12-05

lp:ubuntu/vivid-proposed/webbrowser-app

lp:webbrowser-app/rtm-14.09

Chris Coulson (chrisccoulson) on 2014-10-03

description:	updated
description:	updated

Revision history for this message

Chris Coulson (chrisccoulson) wrote on 2014-10-03:

For point 4, there is actually an Oxide bug too (bug 1377198)

Olivier Tilloy (osomon) on 2014-10-03

Changed in webbrowser-app:
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → Michael Sheldon (michael-sheldon)

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2014-10-03:

Marking with ota-1-- we'd ideally have this for rtm, but it is ok if it comes in an OTA update. If ota-1 is too aggressive, feel free to adjust. Thanks!

information type:	Public → Public Security
tags:	added: rtm14
tags:	added: ota-1 removed: rtm14

Olivier Tilloy (osomon) on 2014-11-11

Changed in webbrowser-app:
assignee:	Michael Sheldon (michael-sheldon) → Olivier Tilloy (osomon)

Olivier Tilloy (osomon) on 2014-11-11

Changed in webbrowser-app:
status:	Triaged → In Progress

Olivier Tilloy (osomon) on 2014-11-12

Changed in webbrowser-app (Ubuntu):
status:	New → In Progress
Changed in webbrowser-app (Ubuntu RTM):
status:	New → Confirmed

Revision history for this message

Olivier Tilloy (osomon) wrote on 2014-11-21:

An additional issue that’s related to the implementation of the whitelist for invalid certificates that have been overridden for the duration of the session: the whitelist is stored on the webview, so if I open a URL for which the certificate has been previously whitelisted in a new tab, I will get the security warning page again. The whitelist should be stored on the browser object instead, so that all webviews share it for the duration of the session.

Olivier Tilloy (osomon) on 2014-11-21

Changed in webbrowser-app (Ubuntu):
assignee:	nobody → Olivier Tilloy (osomon)
Changed in webbrowser-app (Ubuntu RTM):
assignee:	nobody → Olivier Tilloy (osomon)

Revision history for this message

Olivier Tilloy (osomon) wrote on 2014-11-21:

> When accepting an error, there is no visual cue in the header bar that you're on a site with security errors.

The design specification doesn’t mention this situation, I’ll request an update. Out of curiosity, I tested firefox and chromium on desktop: firefox just pretends nothing happened if an exception was added (i.e. it says the connection is secure and displays a padlock icon), whereas chromium displays a padlock with a cross over it, and the "https" part of the address is striked through. Two rather different approaches.

summary:

- Various issues with security UI's
+ [browser] Various issues with security UI's

Revision history for this message

Olivier Tilloy (osomon) wrote on 2014-11-21:

Added an ubuntu-ux task to the bug report so that design can chime in on those two points:

- When accepting an error, there is no visual cue in the header bar that you're on a site with security errors.

- There doesn't seem to be any indicator when you go to a site that has an EV certificate

Revision history for this message

Olivier Tilloy (osomon) wrote on 2014-11-24:

I’ve just tested chrome on android, and I’m not seeing any difference in the way EV certificates are displayed to the user (with respect to normal certificates). On desktop and tablets the name of the organization is displayed on the left of the URL, but obviously on phones there’s not enough real-estate in the address bar.

@Chris: any suggestion on how to visually differentiate normal certificates and EV ones?

Giorgio Venturi (giorgio-venturi-deactivatedaccount) on 2014-11-24

Changed in ubuntu-ux:
status:	New → Triaged
assignee:	nobody → Giorgio Venturi (giorgio-venturi)
importance:	Undecided → High

Giorgio Venturi (giorgio-venturi-deactivatedaccount) on 2014-11-24

description:	updated
Changed in ubuntu-ux:
status:	Triaged → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-12-15:

This bug was fixed in the package webbrowser-app - 0.23+15.04.20141212.1-0ubuntu1

---------------
webbrowser-app (0.23+15.04.20141212.1-0ubuntu1) vivid; urgency=low

  [ Olivier Tilloy ]
  * Optimize the capture functionality. (LP: #1359293, #1401045)
  * Record host and error code along with certificate fingerprint when
    whitelisting a certificate error. (LP: #1377194)
-- Ubuntu daily release <email address hidden> Fri, 12 Dec 2014 17:23:40 +0000

Changed in webbrowser-app (Ubuntu):
status:	In Progress → Fix Released

Revision history for this message

Olivier Tilloy (osomon) wrote on 2014-12-15:

I’m now closing this bug. I filed bug #1402723 and bug #1402725 to track points 3 and 5 in the original description separately.

Changed in webbrowser-app:
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-01-16:

This bug was fixed in the package webbrowser-app - 0.23+15.04.20141218~rtm-0ubuntu1

---------------
webbrowser-app (0.23+15.04.20141218~rtm-0ubuntu1) 14.09; urgency=low

  [ Leo Arias ]
  * Refactor the address bar autopilot helpers so they can be used from
    external test cases.
  * Expose on the autopilot helpers the back and forward functionality.

[ Olivier Tilloy ]
* Update translation template.
-- Ubuntu daily release <email address hidden> Thu, 18 Dec 2014 18:40:11 +0000

Changed in webbrowser-app (Ubuntu RTM):
status:	Confirmed → Fix Released

Pat McGowan (pat-mcgowan) on 2015-01-16

Changed in canonical-devices-system-image:
milestone:	none → ww05-2015
status:	New → Fix Released

Olivier Tilloy (osomon) on 2015-01-19

Changed in canonical-devices-system-image:
assignee:	nobody → Olivier Tilloy (osomon)

Magdalena Mirowicz (magdalena-mirowicz) on 2015-04-08

Changed in ubuntu-ux:
assignee:	Giorgio Venturi (giorgio-venturi) → Rae Shambrook (raecontreras)

Rae Shambrook (raecontreras) on 2015-04-09

Changed in ubuntu-ux:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.