Issue metadata
Sign in to add a comment
|
Security: Mixed content on Google result page?
Reported by
akanand...@gmail.com,
May 15 2017
|
||||||||||||||||||||||||
Issue descriptionThis template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home /chromium-security/security-faq Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs NOTE: Security bugs are normally made public once a fix has been widely deployed. VULNERABILITY DETAILS Please provide a brief explanation of the security issue. The security issue is on a mobile phone in my case.The issue starts with the green lock being pressed, and a message appearing about the certificate.The vulnerability exists in the application layer as the above stated layer's ssl encryption mechanism has been annulled. VERSION Chrome Version: [58.0.3029.83] + [stable] Operating System: [iOS, 10.3.1(14E304), and 10.3.1] REPRODUCTION CASE Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug. FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION Type of crash: [tab, browser, etc.] Crash State: [see link above: stack trace, registers, exception record] Client ID (if relevant): [see link above]
,
May 15 2017
,
May 16 2017
The green lock transformed into (i) icon after having pressed on it.Subsequently, a message appeared in the page.
,
May 16 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 16 2017
Interesting. Do you see this happen with all search queries on the site, or only with certain queries? Can you reproduce the problem all the time, or only sometimes?
,
May 16 2017
> The green lock transformed into (i) icon after having pressed on it. > Subsequently, a message appeared in the page. This is expected if the page loads mixed content, which is the case if you tap to see the images in the carousel. In your screenshot, the URL bar and Page Info (which I think is what you mean with "the message") are in sync. My guess is that the mixed content just loaded around the time you tapped the icon in the URL bar. Could you try it a few times to see if you experience anything to the contrary?
,
May 17 2017
Yes I can reproduce it but it does not appear in desktop,only with mobile.
,
May 17 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 17 2017
Do you see this happen with all search queries on the site, or only with certain queries?
,
May 17 2017
I don't understand.Can you please explain what it means.
,
May 17 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 17 2017
In your screenshot reporting the issue, you had searched for "deepti naval daughter" and got the mixed content warning on the page. Do you see the same mixed content warning if you search for another string (e.g. "example search")
,
May 17 2017
Yes of course.
,
May 17 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 17 2017
Interesting, thanks. I'm not able to reproduce this on either Chrome 58 Stable or Chrome 58 Dev on iOS 10.3.1. I wonder if this is perhaps a variant of Issue 657225 and it's only reproducible from certain locales where SHA-1 may still be in use for legacy compatibility?
,
May 17 2017
,
May 18 2017
This is not a hard to reproduce problem but no constant steps, I noticed this time to time happening on www.google.com, I didn't remember what queries i used but when it happened, I tried to compare with Android Chrome I didn't see the same behavior. But also Search results may change time to time and device to device so I can't really compare. I just tried a random query like "ool" in google and i see the same behavior. If I tried some other query in the same tab its working fine. https://drive.google.com/file/d/0B-xmXLQhjeKuQm9RdXczalRBcnc/view (Video shared internally only)
,
May 18 2017
A search for "ool" using an iPhone form factor and user agent does indeed trigger mixed content. Clicking on an image in the inline results for "deepti naval daughter" does the same. This makes me *pretty* sure that Chrome is working correctly and google.com is just loading mixed content. I'll defer to elawrence@ about closing the bug.
,
May 18 2017
At present, this appears to be working as intended.
,
Jun 19 2017
Can you please delete the prementioned mail.thx
,
Jun 19 2017
Re #20: I'm not entirely sure what you're asking for, but the email addresses shown in this bug report are sanitized for display and characters are hidden; you can only see the full email address when you're logged in as you. (You can verify this by opening this page in an incognito window) |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, May 15 2017Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-iOS Type-Bug
Summary: Security: Mixed content on Google result page? (was: Security: Vulnerability in the application layer )