[tor-bugs] #9921 [EFF-HTTPS Everywhere]: HTTPS-E: nonintuitive UI when connecting to domains with invalid certificates on Iceweasel/Firefox

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 7 19:32:20 UTC 2013


#9921: HTTPS-E: nonintuitive UI when connecting to domains with invalid
certificates on Iceweasel/Firefox
----------------------------------+-------------------------------
 Reporter:  cypherpunks           |          Owner:  pde
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:
Component:  EFF-HTTPS Everywhere  |        Version:  HTTPS-E 3.4.1
 Keywords:                        |  Actual Points:
Parent ID:                        |         Points:
----------------------------------+-------------------------------
 Context: [Iceweasel] and [Firefox], using [HTTPS-Everywhere]. Connecting
 to a domain with an [expired certificate] or [certificate] for the wrong
 domain. Plugin forces https connection. Browser displays special page
 claiming an [invalid certificate] and requesting to either leave or make
 an exception. In this case, the appropriate approach is to opt out of SSL
 and simply use [HTTP] (unless forced by the server) by unchecking the site
 on the HTTPS-E button's drop-down list. However, since the full page
 message is much larger, users will be tempted to make a certificate
 exception and continue using SSL - which depending on their settings may
 be persistent, and in any case gives a false sense of security. This is a
 [UI] issue, but it is thus a security issue.

 Can we add a feature to either redirect to a different more explanatory
 message, or modify the existing warning page to also have a "try HTTP for
 this session" button?

 I don't know about Chrome/Chromium.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9921>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

