eric ide

Issue328

Classification
Title: Site info / URL bar falsely claim that connection is secure after certificate exception
Type: security
Product: eric6
Process
Priority: normal
Status: closed
Resolution: fixed
Superseder:
Nosy List: The Compiler, detlev
Assigned to:
Keywords:

Created on 2020-05-02.14:29:54 by The Compiler, last changed by detlev.

Messages (5.0)
msg1208 Author: detlev Date: 2020-05-02.17:11:50
Implemented a similar fix with changeset 928373562e36. This will be part of eric-ide 20.6.
msg1207 Author: The Compiler Date: 2020-05-02.16:34:34
The preliminary qutebrowser fix (currently waiting for CI) is here:

https://github.com/qutebrowser/qutebrowser/commit/c7a0a150b2e991cc1c2fe8b883b074a800c2c40e
msg1206 Author: The Compiler Date: 2020-05-02.16:34:19
I didn't have a fix ready when I opened the issue, as I first checked how other 
QtWebEngine projects handle this case - turns out only very few handle it 
correctly :)

I don't think there's a way to get the information via JS. The only approaches 
I have found are:

- Open a second connection via QSslSocket to check the certificate:
https://github.com/vicr123/theweb/commit/5f6cbc6093a1adb4fdf3db829b182139e065319b
- Save a set of insecure hosts in the certificateError signals, and assume
those are always insecure until a restart (what Viper Browser does:
https://github.com/LeFroid/Viper-Browser/blob/master/src/core/network/SecurityManager.cpp)

I decided to go for the latter with qutebrowser - I already did set a flag in 
this situation so the UI was correct for the first load, but not for subsequent 
loads. Will post a link in a separate post, because I'm not allowed to post 
more than two links...
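The "set of insecure hosts" approach described in the message above, as an added example in plain Python that is not eric6's or qutebrowser's code. It assumes a hypothetical record_certificate_error() hook that the browser would call from its QtWebEngine certificateError handler; the Qt types are left out so the logic runs stand-alone, and the loads in simulate_loads() are a constructed scenario mirroring the report (error raised on the first load only, reloads reuse the exception silently).

```python
from urllib.parse import urlsplit


class InsecureHostRegistry:
    """Hosts whose certificate error the user overrode.

    QtWebEngine remembers a granted exception for the rest of the process
    and never raises certificateError for that host again, so the set is
    process-wide and only cleared on restart (assumption, as on the page).
    """

    def __init__(self):
        self._insecure = set()

    @staticmethod
    def _key(url):
        # Key on (host, port) so that an explicit :443 matches the default.
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return host, port

    def record_certificate_error(self, url):
        """Hypothetical hook: call from the certificateError handler when
        the user chooses to ignore the error for url."""
        self._insecure.add(self._key(url))

    def is_secure(self, url):
        """True only for https URLs whose host never had an error overridden."""
        return urlsplit(url).scheme == "https" and self._key(url) not in self._insecure


def security_indicator(registry, url):
    """Label the site-info panel / URL bar should show for url."""
    return "secure" if registry.is_secure(url) else "insecure"


def simulate_loads(registry, loads):
    """loads: (url, certificate_error_raised) pairs in order. The error is
    only raised on the first load; later loads (reload, new tab) reuse the
    exception silently, which is exactly the case a naive per-load flag
    gets wrong. Returns the indicator shown after each load."""
    shown = []
    for url, error_raised in loads:
        if error_raised:
            registry.record_certificate_error(url)
        shown.append(security_indicator(registry, url))
    return shown
```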
msg1205 Author: detlev Date: 2020-05-02.14:38:51
Please share the fix for qutebrowser. Is there a way to get the certificate information 
from QtWebEngine (maybe through some JavaScript)?
msg1204 Author: The Compiler Date: 2020-05-02.14:29:54
When opening https://expired.badssl.com/ and granting a certificate exception, 
the site info panel (when clicking the site's favicon) claims "Your connection 
to this site is *secured*" despite that not being the case. The URL bar also 
has a green background (or whatever is configured as "Background color of 
secure URLs" in the settings).

When loading the site again in a new tab (or even just reloading it), 
QtWebEngine remembers the certificate exemption and doesn't ask again - those 
two things combined might provide users with a false sense of security that a 
connection is secure, despite that not being the case.

I noticed this while fixing a similar issue in qutebrowser:
https://github.com/qutebrowser/qutebrowser/issues/5403

While I consider this a security-relevant bug (and will request a CVE for 
qutebrowser), there's nothing to be exploited by a bad actor, hence I'm opening 
this publicly.

This is on Archlinux, with Qt 5.14.2 and eric6 20.04.
History
Date                 User          Action  Args
2020-05-02 17:11:51  detlev        set     status: open -> closed; resolution: fixed; messages: + msg1208; message_count: 4.0 -> 5.0
2020-05-02 16:34:34  The Compiler  set     message_count: 3.0 -> 4.0; messages: + msg1207
2020-05-02 16:34:19  The Compiler  set     message_count: 2.0 -> 3.0; messages: + msg1206
2020-05-02 14:38:51  detlev        set     status: new -> open; nosy: + detlev; messages: + msg1205; message_count: 1.0 -> 2.0
2020-05-02 14:29:54  The Compiler  create