When opening https://expired.badssl.com/ and granting a certificate exception,
the site info panel (when clicking the site's favicon) claims "Your connection
to this site is *secured*" despite that not being the case. The URL bar also
has a green background (or whatever is configured as "Background color of
secure URLs" in the settings).
When loading the site again in a new tab (or even just reloading it),
QtWebEngine remembers the certificate exemption and doesn't ask again - those
two things combined might provide users with a false sense of security that a
connection is secure, despite that not being the case.
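One way a browser UI can avoid this false sense of security is to keep its own record of accepted certificate exceptions, since the engine will not raise the error again on reload or in a new tab. The following is an added example, not code from eric6 or qutebrowser: a profile-wide exception store plus a per-tab status function that reports "warning" rather than "secure" whenever the current host has an override in effect. It assumes exceptions are keyed by hostname only; a real implementation would key on the certificate fingerprint as well.

```python
"""Added example: derive the UI security status from the page URL *and* a
browser-kept record of accepted certificate exceptions, so a reload or a new
tab on the same host is never shown as 'secured'. Not eric6/qutebrowser code."""
from urllib.parse import urlsplit

SECURE, WARNING, INSECURE = "secure", "warning", "insecure"


class CertExceptionStore:
    """Profile-wide record of hosts whose certificate errors the user accepted.

    This mirrors the engine behaviour described above: once an exemption is
    granted it is remembered across tabs and reloads, so the UI must keep its
    own memory of it. Assumption: keyed by hostname only (constructed example).
    """

    def __init__(self):
        self._hosts = set()

    def accept(self, url):
        # Called when the user clicks "accept" in the certificate error dialog.
        host = urlsplit(url).hostname
        if host:
            self._hosts.add(host)

    def is_overridden(self, url):
        return urlsplit(url).hostname in self._hosts


class Tab:
    """Minimal tab model: only the current URL matters for the status."""

    def __init__(self, store):
        self.store = store
        self.url = None

    def navigate(self, url):
        self.url = url

    def security_status(self):
        if self.url is None:
            return INSECURE
        parts = urlsplit(self.url)
        if parts.scheme != "https":
            return INSECURE
        # An https page whose certificate error was overridden is not secure,
        # even though the engine loaded it without complaint.
        if self.store.is_overridden(self.url):
            return WARNING
        return SECURE


def url_bar_color(status, settings):
    """Map the status to the configured URL bar background (constructed keys)."""
    return {
        SECURE: settings["secure_color"],
        WARNING: settings["warning_color"],
        INSECURE: settings["insecure_color"],
    }[status]


def site_info_message(status):
    """Text for the site info panel; never claims 'secured' on an override."""
    return {
        SECURE: "Your connection to this site is secured",
        WARNING: "Certificate error overridden: this connection is NOT secure",
        INSECURE: "Your connection to this site is not secure",
    }[status]


def scenario():
    """Replay the report: exception granted, reload, new tab, then a clean host."""
    store = CertExceptionStore()
    tab1 = Tab(store)
    tab1.navigate("https://expired.badssl.com/")
    store.accept(tab1.url)          # user granted the exception in the dialog
    s1 = tab1.security_status()
    tab1.navigate("https://expired.badssl.com/")  # reload: engine asks nothing
    s2 = tab1.security_status()
    tab2 = Tab(store)               # new tab, same profile
    tab2.navigate("https://expired.badssl.com/")
    s3 = tab2.security_status()
    tab2.navigate("https://badssl.com/")  # different host, no override
    s4 = tab2.security_status()
    return [s1, s2, s3, s4]


if __name__ == "__main__":
    settings = {"secure_color": "green", "warning_color": "yellow",
                "insecure_color": "red"}
    for status in scenario():
        print(status, url_bar_color(status, settings), "|",
              site_info_message(status))
```

The point of the store is that the status is computed from state the browser itself controls: the engine's silent re-use of the exemption on reload or in a new tab no longer lets the panel fall back to "secured" just because the scheme is https.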
I noticed this while fixing a similar issue in qutebrowser:
https://github.com/qutebrowser/qutebrowser/issues/5403
While I consider this a security-relevant bug (and will request a CVE for
qutebrowser), there's nothing to be exploited by a bad actor, hence I'm opening
this publicly.
This is on Archlinux, with Qt 5.14.2 and eric6 20.04.