Skip to content

Security: Reloading page with certificate errors falsely shows a green URL (CVE-2020-11054) #5403

Closed
@The-Compiler

Description

@The-Compiler

While working on 46b4d26 I noticed that only the first load of pages with certificate errors gets a correctly colored URL.

When loading a page with the default content.ssl_strict = ask setting, there's a prompt to confirm the certificate issue:

image

When answering that with "yes", the URL is then colored yellow (colors.statusbar.url.warn.fg) rather than green (colors.statusbar.url.success_https.fg):

image

However, when reloading the page (or loading it again in another tab), the URL is green:

image

This is because QtWebEngine remembers the answer internally and we don't get a certificateErrors signal anymore - unfortunately there's also no API to check the certificate state of the current page...

I'm handling this as a low-severity security vulnerability and will request a CVE. There's no way for bad actors to exploit this and the user already did override the certificate error (so should be aware that the connection is not to be trusted), but it still lures users into a false sense of security.

A fix, release and security announcement is in progress.

Metadata

Metadata

Assignees

No one assigned

    Labels

    priority: 0 - highIssues which are currently the primary focus.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions