eric ide

Message1204

Author: The Compiler
Recipients: The Compiler
Date: 2020-05-02.14:29:54
Content
When opening https://expired.badssl.com/ and granting a certificate exception, 
the site info panel (when clicking the site's favicon) claims "Your connection 
to this site is *secured*" despite that not being the case. The URL bar also 
has a green background (or whatever is configured as "Background color of 
secure URLs" in the settings).

When loading the site again in a new tab (or even just reloading it), 
QtWebEngine remembers the certificate exemption and doesn't ask again - those 
two things combined might provide users with a false sense of security that a 
connection is secure, despite that not being the case.

I noticed this while fixing a similar issue in qutebrowser:
https://github.com/qutebrowser/qutebrowser/issues/5403

While I consider this a security-relevant bug (and will request a CVE for 
qutebrowser), there's nothing to be exploited by a bad actor, hence I'm opening 
this publicly.

This is on Arch Linux, with Qt 5.14.2 and eric6 20.04.
History
Date                 User          Action  Args
2020-05-02 14:29:54  The Compiler  set     recipients: + The Compiler
2020-05-02 14:29:54  The Compiler  set     messageid: <1588429794.61.0.72918868648.issue328@eric-ide.python-projects.org>
2020-05-02 14:29:54  The Compiler  link    issue328 messages
2020-05-02 14:29:54  The Compiler  create
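
One way to keep the indicator honest in the situation reported above, as an added example that is not part of the original message and is neither eric's nor qutebrowser's code: record every origin whose certificate error the user overrode, and look that record up whenever the URL bar or site info panel is updated. The names `CertOverrideTracker`, `UrlState` and `site_info_text` are hypothetical, and all panel texts except the "secured" one quoted in the report are constructed; in a QtWebEngine browser, `record_override` would be called from the page's certificate-error handler.

```python
from enum import Enum
from urllib.parse import urlsplit


class UrlState(Enum):
    NONE = "none"      # not https: no security claim at all
    SECURE = "secure"  # https and the certificate validated
    WARN = "warn"      # https, but a certificate error was overridden


class CertOverrideTracker:
    """Remembers origins with an accepted certificate error (hypothetical helper)."""

    def __init__(self):
        self._overridden = set()

    @staticmethod
    def _origin(url):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else None)
        return (parts.scheme, (parts.hostname or "").lower(), port)

    def record_override(self, url):
        """Call when the user grants a certificate exception for `url`."""
        self._overridden.add(self._origin(url))

    def state_for(self, url):
        """State the URL bar and site info panel should show for `url`."""
        origin = self._origin(url)
        if origin[0] != "https":
            return UrlState.NONE
        # The engine does not ask again on reload or in a new tab, so the
        # earlier decision must be looked up here; the absence of a new
        # certificate error says nothing about the certificate being valid.
        if origin in self._overridden:
            return UrlState.WARN
        return UrlState.SECURE


def site_info_text(state):
    """Panel text per state (only the SECURE wording comes from the report)."""
    return {
        UrlState.SECURE: "Your connection to this site is secured.",
        UrlState.WARN: "Certificate errors were overridden for this site.",
        UrlState.NONE: "Your connection to this site is not secured.",
    }[state]
```

The tracker has to live as long as the engine remembers the exception (per profile or per session), otherwise a reload would flip the indicator back to "secure".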