
Issue 667021

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 395050
Owner: ----
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: http basic-auth modal displays before SSL status updates in the location bar

Reported by demoss.m...@gmail.com, Nov 19 2016

Issue description

VULNERABILITY DETAILS
It's really difficult for a user to tell whether everything is fine with TLS when visiting a page that caused a prompt for basic-auth over https.

VERSION
Chrome Version: 55.0.2883.52 beta (64-bit) (and other versions as well, anecdotally)
Operating System: Win 10, 1151 (and others)

REPRODUCTION CASE
Visit a page using HTTPS that prompts for BASIC AUTH.
Example: https://httpbin.org/basic-auth/user/passwd

It's very difficult for a user to determine whether the site's certificate is valid judging from the UI.

Is this a security issue? Only if you think anybody looks at that indicator! ;-)
 
https-basic-auth-no-cert-valid-vis.PNG

Comment 1 by mea...@chromium.org, Nov 21 2016

Components: Internals>Network>Auth
Labels: -Restrict-View-SecurityTeam allpublic
Mergedinto: 395050
Status: Duplicate (was: Unconfirmed)
Thanks for the report. Unfortunately this is a known issue (bug 395050), and the fix isn't straightforward so the bug is still open.
