GNOME Bugzilla – Bug 633366
TLS Certificate status not show before HTTP login popup
Last modified: 2014-10-07 13:44:28 UTC
When accessing an HTTPS site with HTTP login enabled, the location bar should already display TLS certificate status. This would let user know if it's safe to provide username and password to this site.
Currently the location bar remains unchanged and the login popup is displayed. The TLS certificate status is only displayed after the login has completed. This can always be reproduced.
Is this still a problem?
Is there a public website we could use to test this?
In Epiphany 3.14, the site will be completely blocked if certificate validation fails, so you'll know there's a problem before the authentication dialog is displayed.
Seem appropriate, I'll have a look when I get my hand on running Gnome 3.14. When I filed it in 2010, we where prompted for the username/password, and only after we where told to backoff due to bad certificate. This was a bit scary, though I doubt the username/password was ever sent.
Actually, 3.12 was still affected. Can't share a login, but here's a link that should display the issue:
So you get prompted for user/password, but there is no way to inspect the certificate, and worst, it let you login and finally indicate the bad certificate. But if in 3.14 it directly fails, that is exactly what I think it should do, and status could even be resolved/fixed.
Er, well actually I'm wrong, it takes your password and THEN blocks the site. That's bad....
This is a WebKit issue, see https://bugs.webkit.org/show_bug.cgi?id=137300