[Webkit-unassigned] [Bug 10655] New: No security warning given to user when SSL cert. problem changes during session (warning does occur in IE and Firefox)

bugzilla-daemon at opendarwin.org
Thu Aug 31 05:26:19 PDT 2006


http://bugzilla.opendarwin.org/show_bug.cgi?id=10655

           Summary: No security warning given to user when SSL cert. problem
                    changes during session (warning does occur in IE and
                    Firefox)
           Product: WebKit
           Version: 419.x
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: major
          Priority: P1
         Component: New Bugs
        AssignedTo: webkit-unassigned at opendarwin.org
        ReportedBy: opendarwinbugzilla06 at jonahkeough.com


In order to reproduce this bug you must have two SSL certs which are, for one
reason or another, invalid for the web server you are connecting to (host name
mismatch, signed by an untrusted root, etc.) and you must be able to
reconfigure the web server during the session.

I tested this problem by loading a certificate on a web server that wasn't
signed by a trusted authority. I connected to the web site and received the
normal warning from Safari, and clicked 'Continue.' I also went to the website
using Internet Explorer and Firefox 1.5 and accepted the security warning
given. I then went to the web server and changed the certificate to one that
was signed by a trusted authority, but had a domain name mismatch with the site
I was connecting to. When I went back to the same SSL site in Firefox or
Internet Explorer I was given a warning about the new invalid state of the SSL
certificate and was given an opportunity to review the new certificate that was
being used. Safari switched to the new problem certificate without any warning.
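The behaviour the reporter expects (Firefox/IE re-warn when the accepted bad certificate is swapped for a different bad one) can be modelled as a session-scoped exception store keyed on the exact certificate and its error set. The following is an added illustration written for this page, not WebKit or Safari code; the host name and the "DER" byte strings are constructed placeholders.

```python
# Added example: session-scoped TLS certificate-exception policy that re-prompts
# when the server certificate, or the reason it is invalid, changes mid-session.
# Illustrative code, not WebKit's; certificate bytes below are fake placeholders.
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CertInfo:
    """What the TLS layer hands the UI after validating one handshake."""
    fingerprint: str      # SHA-256 over the DER-encoded certificate
    errors: frozenset     # validation problems, e.g. {"untrusted_root"}


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


@dataclass
class SessionExceptions:
    """Per-session memory of which invalid certificate the user accepted per host."""
    accepted: dict = field(default_factory=dict)   # host -> CertInfo

    def needs_warning(self, host: str, cert: CertInfo) -> bool:
        """True if the UI must (re-)warn before continuing with this cert."""
        if not cert.errors:
            return False                  # certificate validates: never prompt
        prior = self.accepted.get(host)
        # Only the exact certificate with the exact error set the user already
        # accepted is exempt. A different cert, or the same cert failing for a
        # new reason, is a changed risk and must be shown to the user again.
        return prior != cert

    def accept(self, host: str, cert: CertInfo) -> None:
        """Record the user's 'Continue' for this host, for this session only."""
        self.accepted[host] = cert


def replay_report() -> list:
    """Replay the reporter's steps; returns the warn decision at each step."""
    host = "www.example.test"                                   # constructed
    self_signed = CertInfo(fingerprint(b"FAKE-DER-self-signed"),
                           frozenset({"untrusted_root"}))
    mismatched = CertInfo(fingerprint(b"FAKE-DER-trusted-wrong-name"),
                          frozenset({"hostname_mismatch"}))
    session = SessionExceptions()
    decisions = [session.needs_warning(host, self_signed)]     # first visit
    session.accept(host, self_signed)                           # user: Continue
    decisions.append(session.needs_warning(host, self_signed))  # reload, same cert
    decisions.append(session.needs_warning(host, mismatched))   # server swapped cert
    return decisions
```

Expected decisions are warn, no warn, warn; a browser that only remembers "this host was accepted" returns warn, no warn, no warn, which is the Safari behaviour described above.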

