Single sign on page doesn't look secure

Bug #637649 reported by Alan Pope 🍺🐧🐱 🦄
This bug affects 7 people
Affects                    Status    Importance   Assigned to   Milestone
rhythmbox (Ubuntu)         Triaged   Undecided    Unassigned
software-center (Ubuntu)   Triaged   Medium       Unassigned

Bug Description

When you buy software in Ubuntu Software Center, or music in Rhythmbox, there's no indication that the connection is secure. I'd be concerned about buying software from a store that doesn't use SSL for their logon screen.

<https://wiki.ubuntu.com/SoftwareCenter#security>: "The “View” menu should contain a “Security Info” item that is insensitive by default ... Whenever the page is encrypted and the certificate is okay, at the trailing end of the navigation bar should be a padlock icon with the label “Secure”, and the “Security Info” item should be sensitive. If you choose either of those, a “Security Info” window should open with text “The connection to the store is encrypted.” and information about the connection and certificate."

Matthew Paul Thomas (mpt) wrote :

In Web browsers, showing whether something is secure is the browser's job, because the Web site could fake it (or be mistaken more easily than the browser). I think the same principle should apply here: security should be shown in the chrome, not in the SSO page.

An ideal fix will need to wait until bug 618817 is fixed, but a simple fix now would be to stick a padlock icon in the status bar of the payment window.

Changed in software-center (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Fabián Rodríguez (magicfab) wrote :

@mpt I felt the same as Alan, and I like the link (although at the bottom) that explains who the payment processor was, inviting me to find out more. Having that link at the top would also help, IMO.

Thomas Horsten (thomas-horsten) wrote :

I wouldn't entirely agree that this is a duplicate of bug #637649 since that was reported specifically for the payment page. We users are conditioned (hopefully) to always check SSL info for pages where we enter our credit card details, and I think that for the purposes of the credit card page what I wrote on bug #637649 applies:

I would suggest addressing this issue by adding a status bar with a green icon and "You are connected to http://xxx.com using a secure connection, click here to verify certificate" (or a red icon and "This connection is not secure, click for details", as the case might be)

Thomas Horsten (thomas-horsten) wrote :

bug #637649 in the above should have been bug #656419, sorry, copy-paste error.

Thomas Horsten (thomas-horsten) wrote :

Also, unless someone can say for sure that the embedded browser would reject non-HTTPS pages or pages with invalid SSL certs, I think this should be marked as a security bug, so doing that.

security vulnerability: no → yes
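The rule the thread converges on, as an added example and not Software Center's, Rhythmbox's or the SSO service's own code: the client chrome, not the page, decides whether a navigation is loaded and what indicator to show, refusing non-HTTPS pages and unverified certificates. It goes one step beyond the thread by also pinning navigations to an allowlist of store hosts; the host names, `Navigation`, `ChromeState` and `decide` are all hypothetical, and the `encrypted`/`cert_ok` flags stand in for what the embedded browser's TLS stack would report.

```python
"""Connection-state model for an embedded store browser (illustrative only)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical allowlist; the real store/SSO hosts are not given on the page.
STORE_HOSTS = frozenset({"store.example.invalid", "login.example.invalid"})


@dataclass(frozen=True)
class Navigation:
    url: str
    encrypted: bool  # a TLS session is actually in place for this load
    cert_ok: bool    # chain and hostname were verified by the TLS stack


@dataclass(frozen=True)
class ChromeState:
    allowed: bool                   # load the page at all?
    padlock: bool                   # show padlock + "Secure" in the navigation bar
    security_info_sensitive: bool   # enable the View > Security Info item
    reason: str                     # text for the Security Info window / refusal


def decide(nav: Navigation) -> ChromeState:
    """Map a navigation attempt to what the chrome should do and display."""
    parts = urlsplit(nav.url)
    scheme = parts.scheme.lower()           # "HTTPS://..." is still https
    host = (parts.hostname or "").lower()   # strips userinfo and port, so
    #                                         "https://store@evil/" resolves to evil
    if scheme != "https":
        return ChromeState(False, False, False,
                           f"refused non-https scheme {scheme!r}")
    if host not in STORE_HOSTS:
        return ChromeState(False, False, False,
                           f"refused unexpected host {host!r}")
    if not (nav.encrypted and nav.cert_ok):
        return ChromeState(False, False, False,
                           "refused: connection not encrypted or certificate not verified")
    return ChromeState(True, True, True,
                       "The connection to the store is encrypted.")
```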
abubakar (bakarms)
Changed in canonical-identity-provider:
assignee: nobody → abubakar (bakarms)
Omer Akram (om26er)
Changed in canonical-identity-provider:
assignee: abubakar (bakarms) → Omer Akram (om26er)
assignee: Omer Akram (om26er) → nobody
Stuart Metcalfe (stuartmetcalfe) wrote :

This needs to be done in the client app. Marking as invalid for sso.

Changed in canonical-identity-provider:
status: New → Invalid
tags: added: client-server
Changed in software-center (Ubuntu):
assignee: nobody → Matthew Paul Thomas (mpt)
tags: added: buy-software
tags: added: buying-software
removed: buy-software
Changed in software-center (Ubuntu):
assignee: Matthew Paul Thomas (mpt) → nobody
description: updated
description: updated
Changed in rhythmbox (Ubuntu):
status: New → Triaged
dobey (dobey)
no longer affects: canonical-identity-provider
This report contains Public Security information
Everyone can see this security related information.