[Bugs] #4245 Browse NORM: Browse: show a error if ssl certificate is wrong
Sugar Labs Bugs
bugtracker-noreply at sugarlabs.org
Wed Nov 28 14:31:14 EST 2012
#4245: Browse: show a error if ssl certificate is wrong
----------------------------+-----------------------------------------------
Reporter: godiard | Owner: humitos
Type: defect | Status: accepted
Priority: Normal | Milestone: 0.98
Component: Browse | Version: Unspecified
Severity: Unspecified | Keywords: r-
Distribution: Unspecified | Status_field: Unconfirmed
----------------------------+-----------------------------------------------
Changes (by humitos):
* keywords: r? => r-
Comment:
Well, the patch looks good and works like it says. I checked the sites
that are mentioned on this ticket and some others as well, like Facebook,
PayPal and some SSL cert sellers. It shows a broken lock when the SSL is
invalid for the site visited and shows a lock when the SSL is valid.
There is just a little issue in the log file when a PDF tab is opened:
{{{
Traceback (most recent call last):
File "/home/olpc/Activities/Browse.activity/webtoolbar.py", line 352, in
__switch_page_cb
self._connect_to_browser(tabbed_view.props.current_browser)
File "/home/olpc/Activities/Browse.activity/webtoolbar.py", line 369, in
_connect_to_browser
self._set_security_status(self._browser.security_status)
AttributeError: 'DummyBrowser' object has no attribute 'security_status'
/home/olpc/Activities/Browse.activity/webtoolbar.py:356: Warning:
gsignal.c:2576: instance `0x12fa730' has no handler with id `15343'
self._browser.disconnect(self._uri_changed_hid)
}}}
I know that we discussed this yesterday and we want a simple
solution similar to how Epiphany works, but I'd like to add two comments on
this patch to consider in the future:
1. {{{ssl-use-system-ca-file}}}: by setting this property to {{{True}}} we
are trusting the CA files that we have on our system. In some way this
could be dangerous if the user has an invalid CA file on his system.
1. {{{widget.get_main_frame()}}}: we are checking the certificate just
for the main frame. So, if the main frame has a valid certificate we are
saying that you are on a trusted site when that is not totally true
because the "real website" could be inside an iframe or doing something
weird via JavaScript.
I'd say, fix the traceback issue, push this patch and go back later in the
future with the best solution considering all the possibilities.
--
Ticket URL: <http://bugs.sugarlabs.org/ticket/4245#comment:12>
Sugar Labs <http://sugarlabs.org/>
Sugar Labs bug tracking system
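
The main-frame limitation raised in the second point of the comment, together with the PDF-tab traceback, as an added example that is not part of the ticket or of the Browse patch. It is a pure-Python model: the `Frame`, `WebTab` and `PdfTab` classes, the indicator names and the `tls_errors` field (0 meaning the certificate validated) are assumptions made for illustration, not WebKit or Browse APIs.

```python
from dataclasses import dataclass, field
from typing import Iterator, List
from urllib.parse import urlsplit

# Indicator names are hypothetical, not Browse's icon names.
SECURE, MIXED, BROKEN, NO_LOCK = "lock", "lock-mixed", "lock-broken", "none"
# Frames with these schemes carry content supplied by the parent, no TLS fetch.
PARENT_SUPPLIED = {"about", "data", "blob"}

@dataclass
class Frame:
    """Constructed record of one loaded frame (not a WebKit type)."""
    uri: str
    tls_errors: int = 0  # assumption: 0 = certificate validated, else failed
    children: List["Frame"] = field(default_factory=list)

def walk(frame: Frame) -> Iterator[Frame]:
    """Yield the frame and every nested subframe, depth first."""
    yield frame
    for child in frame.children:
        yield from walk(child)

def frame_is_trusted(frame: Frame) -> bool:
    scheme = urlsplit(frame.uri).scheme
    if scheme in PARENT_SUPPLIED:
        return True
    return scheme == "https" and frame.tls_errors == 0

def page_security_status(main: Frame) -> str:
    if urlsplit(main.uri).scheme != "https":
        return NO_LOCK                      # plain HTTP: no lock at all
    if main.tls_errors:
        return BROKEN                       # what a main-frame-only check sees
    subframes = list(walk(main))[1:]
    # Downgrade when any embedded frame is not HTTPS with a valid certificate.
    return SECURE if all(map(frame_is_trusted, subframes)) else MIXED

def toolbar_status(browser) -> str:
    """Tabs without a web view (such as the PDF tab) get no lock, not a crash."""
    main = getattr(browser, "main_frame", None)
    return NO_LOCK if main is None else page_security_status(main)

class PdfTab:
    """Stand-in for a tab object that exposes no frame or security status."""

@dataclass
class WebTab:
    main_frame: Frame
```

A check limited to the main frame would report the full lock for a page whose embedded frame fails validation; walking the frame tree reports the downgraded indicator instead.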