Issue 722227

Issue metadata

Status: WontFix
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: ----
Type: Bug
Team-Security-UX



Security: Mixed content on Google result page?

Reported by akanand...@gmail.com, May 15 2017

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug:
https://www.chromium.org/Home/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.
The security issue is on a mobile phone in my case. The issue starts with the green lock being pressed, and a message appearing about the certificate. The vulnerability exists in the application layer as the above stated layer's ssl encryption mechanism has been annulled.

VERSION
Chrome Version: [58.0.3029.83] + [stable]
Operating System: [iOS, 10.3.1(14E304), and 10.3.1]

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

 
Attachment: IMG_0988 (1).JPG (93.9 KB)
Components: UI>Browser>Omnibox>SecurityIndicators
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-iOS Type-Bug
Summary: Security: Mixed content on Google result page? (was: Security: Vulnerability in the application layer )
It's definitely not expected to see mixed content on Google's results page, but this does not represent a security vulnerability in Chrome.

When you say "with the green lock being pressed" can you elaborate further? In your screenshot, there's no green lock, only an (i) icon. Was there a green lock at some point? When did it disappear?
Labels: Needs-Feedback
The green lock transformed into (i) icon after having pressed on
it. Subsequently, a message appeared in the page.
Project Member

Comment 4 by sheriffbot@chromium.org, May 16 2017

Cc: elawrence@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Needs-Feedback
Interesting. Do you see this happen with all search queries on the site, or only with certain queries? Can you reproduce the problem all the time, or only sometimes?
> The green lock transformed into (i) icon after having pressed on it.
> Subsequently, a message appeared in the page.

This is expected if the page loads mixed content, which is the case if you tap to see the images in the carousel. In your screenshot, the URL bar and Page Info (which I think is what you mean with "the message") are in sync.

My guess is that the mixed content just loaded around the time you tapped the icon in the URL bar. Could you try it a few times to see if you experience anything to the contrary?
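Added example, not part of the original thread and not Chrome's code: a simplified model of the behavior described in the comment above, where the lock changes to the (i) icon once an `http://` image loads on an `https://` page. The URLs, load times and the `lock`/`info` state names are constructed for illustration.

```javascript
// Simplified model (an assumption of this example): only passive subresources
// such as images are considered; active content (scripts, frames) is out of scope.
const PASSIVE_TYPES = new Set(["image", "audio", "video"]);

// Resolve a subresource URL against the page and report whether it is mixed content.
function isMixed(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page); // handles relative and //host/path forms
  return page.protocol === "https:" && res.protocol === "http:";
}

// Walk the loads in time order and record each indicator change.
function indicatorTimeline(pageUrl, loads) {
  const timeline = [{ t: 0, state: "lock", cause: null }];
  let state = "lock";
  for (const load of [...loads].sort((a, b) => a.t - b.t)) {
    if (!isMixed(pageUrl, load.url)) continue;
    if (PASSIVE_TYPES.has(load.type) && state === "lock") {
      state = "info"; // the (i) icon: page displayed insecure passive content
      timeline.push({ t: load.t, state, cause: new URL(load.url, pageUrl).href });
    }
  }
  return timeline;
}

// Indicator state a user would see when tapping the icon at time t (ms).
function stateAt(timeline, t) {
  let current = timeline[0].state;
  for (const entry of timeline) if (entry.t <= t) current = entry.state;
  return current;
}

// Constructed sample: two secure images at page load, then one insecure
// full-size image fetched only after the user taps a carousel thumbnail.
const PAGE = "https://search.example/search?q=example+search";
const LOADS = [
  { t: 120, type: "image", url: "/logo.png" },
  { t: 300, type: "image", url: "//cdn.example/thumb1.jpg" },
  { t: 5200, type: "image", url: "http://images.example/full1.jpg" },
];
const TIMELINE = indicatorTimeline(PAGE, LOADS);
console.log(TIMELINE);
console.log("at 1000 ms:", stateAt(TIMELINE, 1000), "| at 6000 ms:", stateAt(TIMELINE, 6000));
```

A tap shortly after the insecure image loads sees the state flip from `lock` to `info`, which matches the timing guess in the comment above.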
Yes, I can reproduce it, but it does not appear in desktop, only with mobile.
Project Member

Comment 8 by sheriffbot@chromium.org, May 17 2017

Labels: -Needs-Feedback
Labels: Needs-Feedback
Do you see this happen with all search queries on the site, or only with certain queries? 
I don't understand. Can you please explain what it means?
Project Member

Comment 11 by sheriffbot@chromium.org, May 17 2017

Labels: -Needs-Feedback
Labels: Needs-Feedback
In your screenshot reporting the issue, you had searched for "deepti naval daughter" and got the mixed content warning on the page. Do you see the same mixed content warning if you search for another string (e.g. "example search")?
Yes of course.
Project Member

Comment 14 by sheriffbot@chromium.org, May 17 2017

Labels: -Needs-Feedback
Interesting, thanks. I'm not able to reproduce this on either Chrome 58 Stable or Chrome 58 Dev on iOS 10.3.1. 

I wonder if this is perhaps a variant of Issue 657225 and it's only reproducible from certain locales where SHA-1 may still be in use for legacy compatibility?

Comment 16 by sczs@chromium.org, May 17 2017

Cc: -elawrence@chromium.org
Owner: elawrence@chromium.org
Status: Assigned (was: Unconfirmed)
This is not a hard-to-reproduce problem, but there are no constant steps. I noticed this happening from time to time on www.google.com. I didn't remember what queries I used, but when it happened, I tried to compare with Android Chrome and I didn't see the same behavior. But search results may also change from time to time and device to device, so I can't really compare. I just tried a random query like "ool" in Google and I see the same behavior. If I try some other query in the same tab, it's working fine.

https://drive.google.com/file/d/0B-xmXLQhjeKuQm9RdXczalRBcnc/view
(Video shared internally only)
A search for "ool" using an iPhone form factor and user agent does indeed trigger mixed content.

Clicking on an image in the inline results for "deepti naval daughter" does the same.

This makes me *pretty* sure that Chrome is working correctly and google.com is just loading mixed content. I'll defer to elawrence@ about closing the bug.
Attachment: Screen Shot 2017-05-18 at 12.16.48.png (1.5 MB)
Attachment: Screen Shot 2017-05-18 at 12.17.16.png (787 KB)
Status: WontFix (was: Assigned)
At present, this appears to be working as intended.
Can you please delete the prementioned mail? Thx.
Re #20: I'm not entirely sure what you're asking for, but the email addresses shown in this bug report are sanitized for display and characters are hidden; you can only see the full email address when you're logged in as you. (You can verify this by opening this page in an incognito window)
