Issue 328: Site info / URL bar falsely claim that connection is secure after certificate exception - Eric Issue Tracker

Classification

Title:	Site info / URL bar falsely claim that connection is secure after certificate exception
Type:	security	Product:	eric6

Process

Priority:	normal
Status:	closed	Resolution:	fixed
Superseder:		Nosy List:	The Compiler, detlev
Assigned to:		Keywords:

Created on 2020-05-02.14:29:54 by The Compiler, last changed by detlev.

Messages (5.0)
msg1208 (view)	Author: detlev	Date: 2020-05-02.17:11:50
Implemented a similar fix with changeset 928373562e36. This will be part of eric-ide 20.6.
msg1207 (view)	Author: The Compiler	Date: 2020-05-02.16:34:34
The preliminary qutebrowser fix (currently waiting for CI) is here: https://github.com/qutebrowser/qutebrowser/commit/c7a0a150b2e991cc1c2fe8b883b07 4a800c2c40e
msg1206 (view)	Author: The Compiler	Date: 2020-05-02.16:34:19
I didn't have a fix ready when I opened the issue, as I first checked how other QtWebEngine projects handle this case - turns out only very few handle it correctly :) I don't think there's a way to get the information via JS. The only approaches I have found are: - Open a second connection via QSslSocket to check the certificate: https://github.com/vicr123/theweb/commit/5f6cbc6093a1adb4fdf3db829b182139e06531 9b - Save a set of insecure hosts in the certificateError signals, and assume those are always insecure until a restart (what Viper Browser does: https://github.com/LeFroid/Viper- Browser/blob/master/src/core/network/SecurityManager.cpp) I decided to go for the latter with qutebrowser - I already did set a flag in this situation so the UI was correct for the first load, but not for subsequent loads. Will post a link in a separate post, because I'm not allowed to post more than two links...
msg1205 (view)	Author: detlev	Date: 2020-05-02.14:38:51
Please share the fix for qutebrowser. Is there a way to get the certificate information from QtWebEngine (maybe through some JavaScript)?
msg1204 (view)	Author: The Compiler	Date: 2020-05-02.14:29:54
When opening https://expired.badssl.com/ and granting a certificate exception, the site info panel (when clicking the site's favicon) claims "Your connection to this site is secured" despite that not being the case. The URL bar also has a green background (or whatever is configured as "Background color of secure URLs" in the settings). When loading the site again in a new tab (or even just reloading it), QtWebEngine remembers the certificate exemption and doesn't ask again - those two things combined might provide users with a false sense of security that a connection is secure, despite that not being the case. I noticed this while fixing a similar issue in qutebrowser: https://github.com/qutebrowser/qutebrowser/issues/5403 While I consider this a security-relevant bug (and will request a CVE for qutebrowser), there's nothing to be exploited by a bad actor, hence I'm opening this publicly. This is on Archlinux, with Qt 5.14.2 and eric6 20.04.

History
Date	User	Action	Args
2020-05-02 17:11:51	detlev	set	status: open -> closed resolution: fixed messages: + msg1208 message_count: 4.0 -> 5.0
2020-05-02 16:34:34	The Compiler	set	message_count: 3.0 -> 4.0 messages: + msg1207
2020-05-02 16:34:19	The Compiler	set	message_count: 2.0 -> 3.0 messages: + msg1206
2020-05-02 14:38:51	detlev	set	status: new -> open nosy: + detlev messages: + msg1205 message_count: 1.0 -> 2.0
2020-05-02 14:29:54	The Compiler	create