Opened on 10/14/2015 at 09:12:48 AM

Closed on 02/19/2016 at 09:41:09 AM

Last modified on 02/23/2016 at 10:33:57 AM

#3203 closed change (fixed)

[Adblock Browser for iOS] add visible Indication of a secure connection

Reported by: Shikitita
Assignee: pavelz
Priority: P2
Milestone: Adblock-Browser-for-iOS-1.3.0
Module: Adblock-Browser-for-iOS
Keywords: salsita 2015q4
Cc: pavelz, vojtab, jand, mario, greiner
Blocked By:
Blocking: #3284
Platform: Adblock Browser for iOS
Ready: yes
Confidential: no
Tester: Scheer
Verified working: yes
Review URL(s):

Description (last modified by pavelz)

Background

Modern browsers indicate the use of secure and validated SSL connections and certificates by showing a lock sign (and sometimes the URL) in different colors. Since users have gotten used to this, it's wise to also include this indicator in Adblock Browser.

There are 4 different certificates and certificate states, which should each be visualized in a different way:

  1. No certificate present
  2. Malicious certificate present (e.g. wrong domain or wrong subdomain)
  3. Self-signed certificate present
  4. Signed certificate or signed EV certificate present

What to change

For each type of certificate as described in the background section, implement the visualization as outlined below:

  1. No visualization of a secured connection whatsoever. No changes to be implemented.
  2. Display a broken padlock in front of the URL as displayed in this screenshot. Every time a website with this state of certificate is visited show a notification as currently implemented in Kitt.

Color to be used for the URL: # da001b
Text of the notification headline: Warning
Text of the notification: The site's security certificate is not trusted. Do you want to proceed?
Text of the cancel-button: Cancel
Text of the proceed-button: Proceed

Tapping "Cancel" will close the notification and stop loading the requested website (thus staying at the currently opened website or - if no website was opened - at the dashboard).
Tapping "Proceed" will close the notification and load the requested website.

  3. Display a broken padlock in front of the URL as displayed in this screenshot. Every time a website with this state of certificate is visited show a notification as currently implemented in Kitt.

Color to be used for the URL: # da001b
Text of the notification headline: Warning
Text of the notification: The site's security certificate is not trusted. Do you want to proceed?
Text of the cancel-button: Cancel
Text of the proceed-button: Proceed

Tapping "Cancel" will close the notification and stop loading the requested website (thus staying at the currently opened website or - if no website was opened - at the dashboard).
Tapping "Proceed" will close the notification and load the requested website.

  4. Display a padlock in front of the URL as displayed in this screenshot.

Note to testers

The cert state recognition was not as much demanding as was keeping up with the aggressive iOS status caching of already once visited SSL sites. So the correct SSL status displayed on first load is not as critical as is a reproducible correct status when an already created browsing history with mixed type cert sites is navigated either through back/fwd or clicking history records.

Examples of test sites

  1. No cert: any plain http site
  2. Malicious cert: https://kitt.co/
  3. Self-signed cert: https://www.cacert.org/
  4. EV cert: twitter.com, square.com, ...
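
A platform-neutral model of the four states, the Cancel/Proceed behaviour and the tester note about history navigation, added here as an example; it is not Adblock Browser code. `classify` and its inputs, `Tab`, and the warning default for failures the ticket does not list are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from enum import Enum

RED = "#da001b"  # URL colour the ticket gives for states 2 and 3
Indicator = namedtuple("Indicator", "padlock url_color warn")

class CertState(Enum):
    NONE = 1         # plain http
    MALICIOUS = 2    # e.g. wrong domain or subdomain
    SELF_SIGNED = 3
    SIGNED = 4       # signed or EV, displayed the same here

def classify(scheme, chain_trusted, host_matches, self_signed):  # hypothetical inputs
    if scheme != "https":
        return CertState.NONE
    if self_signed:
        return CertState.SELF_SIGNED
    if chain_trusted and host_matches:
        return CertState.SIGNED
    return CertState.MALICIOUS  # assumption: every other failure warns

def indicator(state):
    if state in (CertState.MALICIOUS, CertState.SELF_SIGNED):
        return Indicator("broken", RED, True)   # warn: Cancel/Proceed notification
    return Indicator("intact" if state is CertState.SIGNED else None, None, False)

@dataclass
class Tab:
    entries: list = field(default_factory=list)  # (url, CertState) per history entry
    pos: int = -1                                # -1 is the dashboard

    def shown(self):
        if self.pos < 0:
            return ("dashboard", indicator(CertState.NONE))
        url, state = self.entries[self.pos]
        return (url, indicator(state))  # read from the entry, not a per-host cache

    def navigate(self, url, state, choice=None):
        if indicator(state).warn and choice != "Proceed":
            return self.shown()         # Cancel: stay on the current page
        del self.entries[self.pos + 1:]
        self.entries.append((url, state))
        self.pos += 1
        return self.shown()

    def go(self, delta):                # back/forward through history
        if self.entries:
            self.pos = max(0, min(len(self.entries) - 1, self.pos + delta))
        return self.shown()
```

Storing the state on each history entry is what keeps the indicator reproducible when a history with mixed certificate types is walked back and forth.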

Attachments (7)

certificate.png (19.2 KB) - added by sven on 10/23/2015 at 11:11:19 AM.
certificateEV.png (19.2 KB) - added by sven on 10/23/2015 at 11:11:25 AM.
certificateEV v2.png (19.3 KB) - added by sven on 10/23/2015 at 11:51:42 AM.
certificate v2.psd (28.8 KB) - added by sven on 10/23/2015 at 11:51:48 AM.
certificate style guide.png (133.3 KB) - added by sven on 10/23/2015 at 11:53:42 AM.
certificate v2.png (19.3 KB) - added by sven on 10/23/2015 at 11:53:59 AM.
certificate broken.png (20.7 KB) - added by sven on 10/23/2015 at 01:36:36 PM.


Change History (35)

comment:1 Changed on 10/14/2015 at 09:42:50 AM by mario

  • Cc mario added

comment:2 Changed on 10/14/2015 at 09:44:07 AM by philll

  • Cc mario removed
  • Description modified (diff)
  • Summary changed from [Adblock Browser for iOS] Indication of a secure connection missing to [Adblock Browser for iOS] add visible Indication of a secure connection
  • Type changed from defect to change

How is this a bug? It's just a not implemented feature.

comment:3 Changed on 10/14/2015 at 09:49:24 AM by Shikitita

Yeah, sorry. Out of habit.

comment:4 Changed on 10/14/2015 at 11:16:52 AM by mario

  • Cc mario added

comment:5 Changed on 10/15/2015 at 01:41:55 PM by mario

  • Description modified (diff)

comment:6 Changed on 10/15/2015 at 02:59:27 PM by pavelz

Last edited on 10/15/2015 at 03:00:02 PM by pavelz

comment:7 Changed on 10/22/2015 at 09:43:49 AM by greiner

  • Cc greiner added

Changed on 10/23/2015 at 11:11:19 AM by sven

Changed on 10/23/2015 at 11:11:25 AM by sven

Changed on 10/23/2015 at 11:51:42 AM by sven

Changed on 10/23/2015 at 11:51:48 AM by sven

Changed on 10/23/2015 at 11:53:42 AM by sven

Changed on 10/23/2015 at 11:53:59 AM by sven

Changed on 10/23/2015 at 01:36:36 PM by sven

comment:8 Changed on 10/23/2015 at 01:43:42 PM by sven

  • Description modified (diff)

comment:9 Changed on 10/23/2015 at 01:49:57 PM by sven

  • Description modified (diff)

comment:10 Changed on 10/23/2015 at 01:50:49 PM by sven

  • Description modified (diff)

comment:11 Changed on 10/27/2015 at 11:49:56 AM by mario

  • Description modified (diff)

comment:12 Changed on 10/27/2015 at 12:28:33 PM by mario

  • Description modified (diff)

comment:13 follow-up: Changed on 11/06/2015 at 10:57:08 AM by mario

  • Description modified (diff)

I've modified the description to reflect the fact that we can't differentiate between signed certificates and EV certificates: Both certificate types are visualized the same.

comment:14 in reply to: ↑ 13 Changed on 11/06/2015 at 03:09:33 PM by greiner

Replying to mario:

I've modified the description to reflect the fact that we can't differentiate between signed certificates and EV certificates: Both certificate types are visualized the same.

Any idea why we can't differentiate between those? If it's simply too much effort, I'd suggest creating a follow-up ticket for that.

comment:15 Changed on 11/06/2015 at 03:25:36 PM by pavelz

Unfortunate wording - there is no "can't" in the requirement. It's just too much effort for being considered a simple task. If it's being removed from the scope of this ticket, I would expect a new one, yes. When creating a new one, please move over my tech notes in https://issues.adblockplus.org/ticket/3203#comment:6

comment:16 Changed on 11/09/2015 at 08:42:19 AM by mario

  • Blocking 3284 added

comment:17 Changed on 11/09/2015 at 08:49:24 AM by mario

  • Keywords 2015q4 added

I was under the impression, this was limited by iOS.
Created a follow up issue: #3284

comment:18 Changed on 11/09/2015 at 09:48:58 AM by mario

  • Priority changed from Unknown to P2
  • Ready set

comment:19 Changed on 11/12/2015 at 01:18:36 PM by pavelz

  • Owner set to pavelz

comment:20 Changed on 11/24/2015 at 12:09:37 PM by pavelz

  • Resolution set to fixed
  • Status changed from new to closed

comment:21 Changed on 12/14/2015 at 01:46:13 PM by mario

  • Milestone set to Adblock-Browser-for-iOS-next

Batch modify: Added "-next" milestone to recently closed ABB/iOS issues.

comment:22 Changed on 02/17/2016 at 01:39:31 PM by philll

  • Ready unset
  • Resolution fixed deleted
  • Status changed from closed to reopened

What shall happen if the proceed or cancel button is pressed?
Also, the background section stated "There are 5 different certificates and certificate states," while only four get mentioned afterwards.

comment:23 Changed on 02/18/2016 at 10:22:51 AM by mario

  • Description modified (diff)

There are only 4 states. This was an error.
Changed the description and added the missing information.

comment:24 Changed on 02/18/2016 at 03:33:14 PM by pavelz

@mario What should happen with the issue now? Will @philll reread the description and close?

comment:25 Changed on 02/18/2016 at 04:13:45 PM by pavelz

And it's not "ready" anyway

comment:26 Changed on 02/19/2016 at 09:41:09 AM by mario

  • Description modified (diff)
  • Ready set
  • Resolution set to fixed
  • Status changed from reopened to closed

comment:27 Changed on 02/23/2016 at 09:28:13 AM by pavelz

  • Description modified (diff)

comment:28 Changed on 02/23/2016 at 10:33:57 AM by scheer

  • Tester changed from Unknown to Scheer
  • Verified working set

  1. No change is displayed in normal websites without a certificate and plain text is displayed.
  2. Malicious certificate sites such as https://kitt.co/ display a warning message stating 'Warning - The site's security certificate is not trusted. Do you want to proceed? - 'Cancel' - 'Proceed'. Upon selecting 'Cancel' the user is presented with the page he was currently already viewing, or the Dashboard (dependent on the state before entering the address). Upon selecting 'Proceed' the page is loaded and a broken padlock is presented in the address bar and the address text changed from black to Red (# da001b)
  3. Self-signed certificate sites such as https://www.cacert.org/ display a warning message stating 'Warning - The site's security certificate is not trusted. Do you want to proceed? - 'Cancel' - 'Proceed'. Upon selecting 'Cancel' the user is presented with the page he was currently already viewing, or the Dashboard (dependent on the state before entering the address). Upon selecting 'Proceed' the page is loaded and a broken padlock is presented in the address bar and the address text changed from black to Red (# da001b)
  4. EV certificate sites such as twitter.com and paypal.com are loaded and a green (# 36aa46) padlock is displayed in the address bar and the address text is also changed from black to green (# 36aa46). Please note that the above states that only a complete padlock should be displayed, but not with green (# 36aa46), but I am now referring to the completed issue that already changes EV Certificates located here - #3284

With regards to -

'The cert state recognition was not as much demanding as was keeping up with the aggressive iOS status caching of already once visited SSL sites. So the correct SSL status displayed on the first load is not as critical as is a reproducible correct status when an already created browsing history with mixed type cert sites is navigated either through back/fwd or clicking history records.'

As well as checking the first load of the above-mentioned sites, I also loaded through each type multiple times, to confirm that the website states changed back to the correct ones in each website certificate type.

ABB 1.3.0-qa (824)
iPhone 6 Plus - iOS 9.2.1
