Ticket #147 (closed defect: fixed)

Opened 3 months ago

Last modified 3 months ago

Do Not Show Resurrect Pages 2.0.1 on SSL- and Security-Error-Pages

Reported by: freibooter
Assigned to: t-bone
Priority: major
Component: Resurrect
Version: 2.0.1
Severity: Unknown
Keywords: ssl, security, resurrect
Cc: freibooter@gmail.com

Description (Last modified by t-bone)

First off: I really like the visual makeover and massive usability improvements of Resurrect Pages 2.0.1. But while Firefox 3.0 introduces quite a few security enhancements and more security-related error messages, Resurrect Pages 2.0.1 blindly injects itself into all of those. This might not only be considered a security issue, it doesn't make any sense from a usability-related point of view either.

Examples:

  • ssl_error_bad_cert_domain error (wrong domain)
  • sec_error_ca_cert_invalid error (self-signed certificate)

Security concern:

  • None of these pages are actually off-line; Firefox prevents access for good reasons, and Resurrect Pages should not offer a possible way around this. This could possibly be used for man-in-the-middle attacks.

Usability concerns:

  • None of these pages are actually off-line - no reason to show Resurrection-Menu.
  • Resurrection is not an option anyways: No mirror-service in Resurrect Pages actually caches any SSL-encrypted pages, choosing a mirror service in the menu is a waste of time at best.
  • The "Resurrection-Menu" is much more prominent than the only actually working option to gain access to the page ("Add an exception ..." or the link to the correct domain).

Resurrect Pages should be much more selective about which error pages it injects itself into and generally leave SSL and security-related errors alone.

Change History

05/28/08 17:55:50 changed by t-bone

  • version changed from 2.6.1 to 2.0.1.
  • description changed.

I agree, I just haven't gotten to this yet. But I will.

05/28/08 18:05:56 changed by freibooter

Glad that you agree. While you're at it, could you update my "examples" with the correct links? I simply couldn't get them past that bloody SPAM-filter (remove the _):

Examples:
ssl_error_bad_cert_domain error (wrong domain):
ht_tp_s:_//_paypal_._com/

sec_error_ca_cert_invalid error (self-signed certificate):
ht_tp_s:_//_webmail_._freeshell_._org/

That way my ticket makes a little bit more sense, especially referring to "these pages" :-)

I also couldn't find a "severity" in the drop-down-menu that would correctly reflect this issue. It doesn't really break the browser, but it is much more than a simple enhancement. Maybe "security" should be added.

05/31/08 16:22:28 changed by t-bone

  • status changed from new to closed.
  • resolution set to fixed.

(In [418]) Fixes #147

  • Piggyback on the built in logic that hides the 'try again' button to remove the resurrect buttons, for those "net error" pages where it doesn't make sense.
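
The selectivity the ticket asks for can also be expressed as a default-deny allowlist, shown here as an added example that is not the Resurrect Pages source and not the approach taken in [418]. It assumes error pages load as about:neterror?e=<code>&u=<failed url>&d=<text>; the function names and sample URIs are constructed for illustration.

```javascript
// Added example, not code from Resurrect Pages or changeset [418].
// Assumption: Firefox error pages load as
//   about:neterror?e=<code>&u=<failed url>&d=<description>
// Allowlist of codes that mean "the server could not be reached".
// Everything else (certificate errors, TLS failures, codes introduced by
// later browser versions) is denied by default.
const UNREACHABLE_CODES = new Set([
  "dnsNotFound", "connectionFailure", "netTimeout", "netReset", "netInterrupt",
]);

// Pull the error code and the failed URL out of an error-page URI.
function parseNetError(pageUri) {
  const prefix = "about:neterror?";
  if (typeof pageUri !== "string" || !pageUri.startsWith(prefix)) return null;
  const params = new URLSearchParams(pageUri.slice(prefix.length));
  return { code: params.get("e"), url: params.get("u") };
}

// Decide whether the resurrect menu belongs on this page (hypothetical helper).
function resurrectDecision(pageUri) {
  const err = parseNetError(pageUri);
  if (err === null) return { offer: false, reason: "not an error page" };
  if (!err.code || !UNREACHABLE_CODES.has(err.code)) {
    return { offer: false, reason: "error code not allowlisted: " + err.code };
  }
  if (!err.url) return { offer: false, reason: "no failed URL to look up" };
  return { offer: true, reason: "server unreachable", url: err.url };
}

// Constructed sample URIs (example.com is a placeholder host).
const SAMPLES = [
  "about:neterror?e=dnsNotFound&u=http%3A//example.com/&d=constructed",
  "about:neterror?e=nssBadCert&u=https%3A//example.com/&d=constructed",
  "about:neterror?e=someFutureSecurityError&u=https%3A//example.com/&d=constructed",
  "http://example.com/",
];
for (const uri of SAMPLES) {
  const d = resurrectDecision(uri);
  console.log((d.offer ? "offer " : "hide  ") + uri + "  (" + d.reason + ")");
}
```

Because the check is an allowlist, an error code the add-on has never seen is treated like a security error and the menu stays hidden.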
