Bug 307221

Summary: konqueror does not report cleartext content in https pages
Product: [Applications] konqueror Reporter: Adrien <perso>
Component: generalAssignee: Konqueror Developers <konq-bugs>
Status: CONFIRMED ---    
Severity: normal CC: adawit, frieder.ferlemann
Priority: NOR    
Version: 4.8.4   
Target Milestone: ---   
Platform: Debian testing   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Adrien 2012-09-22 17:24:42 UTC 
Most web browsers show a lock and/or change the address bar to
indicate that an https site has been connected to via TLS.  konqueror
shows (afaict) a green shield with a check-mark.  Fair enough.

But other browsers also indicate a "broken lock" or something similar
when an https page sources plain http content (e.g. in an img,
stylesheet, or script).  This is to indicate to the user (who can't
tell which pieces of content are served over encrypted channels and
which ones are exposed in transit) that the rendered page is not
entirely confidential communication.

Konqueror does not display this state to the user, so konqueror users
are vulnerable to data being sent in the clear without their
knowledge.

This bug was reported on the Debian bug tracker system:  
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580420

Reproducible: Always
Comment 1 Dawit Alemayehu 2012-10-05 01:06:16 UTC 
It would greatly help if the reporter provided an example URL where we can test this. 

We most definitely have an icon that can indicate partially encrypted sites, but I know for a fact that kwebkitpart does not do that because it would involve checking all the URLs in a page. If we have an example site, we can see how the other browsers behave and learn how they deal with such pages and perhaps come up with solution that will work for Konqueror.
Comment 2 Adrien 2012-10-09 11:18:01 UTC 
Hi,

Firefox indicates that this page is partially encrypt : https://grezilleenvironnementnature.wordpress.com

I also created a test page on my personnal server :
https://adrieng.homeip.net/~adrien/test_307221.html
It is a sample HTML page, with an image from wikipedia. However, the certificate is self-signed, as it is my personnal server.

Please tell me if you need other example.

Regards,

Adrien