GNOME Bugzilla – Bug 633366
TLS Certificate status not shown before HTTP login popup
Last modified: 2014-10-07 13:44:28 UTC
When accessing an HTTPS site with HTTP login enabled, the location bar should already display TLS certificate status. This would let the user know if it's safe to provide username and password to this site. Currently the location bar remains unchanged and the login popup is displayed. The TLS certificate status is only displayed after the login has completed. This can always be reproduced.
Is this still a problem? Is there a public website we could use to test this?
In Epiphany 3.14, the site will be completely blocked if certificate validation fails, so you'll know there's a problem before the authentication dialog is displayed.
Seems appropriate, I'll have a look when I get my hands on a running GNOME 3.14. When I filed it in 2010, we were prompted for the username/password, and only after that we were told to back off due to a bad certificate. This was a bit scary, though I doubt the username/password was ever sent.
Actually, 3.12 was still affected. Can't share a login, but here's a link that should display the issue: https://people.internal.collabora.co.uk/ So you get prompted for user/password, but there is no way to inspect the certificate, and worse, it lets you log in and finally indicates the bad certificate. But if in 3.14 it directly fails, that is exactly what I think it should do, and status could even be resolved/fixed.
Er, well actually I'm wrong, it takes your password and THEN blocks the site. That's bad....
This is a WebKit issue, see https://bugs.webkit.org/show_bug.cgi?id=137300