After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 633366 - TLS Certificate status not show before HTTP login popup
TLS Certificate status not show before HTTP login popup
Product: epiphany
Classification: Core
Component: Controls
git master
Other Linux
: Normal major
: ---
Assigned To: Michael Catanzaro
Epiphany Maintainers
Depends on:
Blocks: 721283
Reported: 2010-10-28 15:08 UTC by Nicolas Dufresne (ndufresne)
Modified: 2014-10-07 13:44 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Nicolas Dufresne (ndufresne) 2010-10-28 15:08:46 UTC
When accessing an HTTPS site with HTTP login enabled, the location bar should already display TLS certificate status. This would let user know if it's safe to provide username and password to this site.

Currently the location bar remains unchanged and the login popup is displayed. The TLS certificate status is only displayed after the login has completed. This can always be reproduced.
Comment 1 Michael Catanzaro 2014-09-06 00:21:47 UTC
Is this still a problem?

Is there a public website we could use to test this?
Comment 2 Michael Catanzaro 2014-09-29 17:06:01 UTC
In Epiphany 3.14, the site will be completely blocked if certificate validation fails, so you'll know there's a problem before the authentication dialog is displayed.
Comment 3 Nicolas Dufresne (ndufresne) 2014-09-29 17:36:51 UTC
Seem appropriate, I'll have a look when I get my hand on running Gnome 3.14. When I filed it in 2010, we where prompted for the username/password, and only after we where told to backoff due to bad certificate. This was a bit scary, though I doubt the username/password was ever sent.
Comment 4 Nicolas Dufresne (ndufresne) 2014-09-29 17:44:35 UTC
Actually, 3.12 was still affected. Can't share a login, but here's a link that should display the issue:

So you get prompted for user/password, but there is no way to inspect the certificate, and worst, it let you login and finally indicate the bad certificate. But if in 3.14 it directly fails, that is exactly what I think it should do, and status could even be resolved/fixed.
Comment 5 Michael Catanzaro 2014-09-29 20:16:29 UTC
Er, well actually I'm wrong, it takes your password and THEN blocks the site. That's bad....
Comment 6 Carlos Garcia Campos 2014-10-01 13:29:41 UTC
This is a WebKit issue, see