Summary: | Closing dialog for allowing invalid SSL certificate causes certificate to be accepted | ||
---|---|---|---|
Product: | [Unmaintained] kio | Reporter: | Jim Scadden <jims> |
Component: | kssl | Assignee: | Konqueror Developers <konq-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | adawit, bugs, simonandric5 |
Priority: | NOR | ||
Version: | 4.13.1 | ||
Target Milestone: | --- | ||
Platform: | Debian testing | ||
OS: | Linux | ||
Latest Commit: | http://commits.kde.org/kdelibs/38a89ca0195dedee30240647b86c7b6df6788723 | Version Fixed In: | 4.14.3 |
Sentry Crash Report: | |||
Attachments: | kio-kssl_cert-accept-dialog_update.patch |
Description
Jim Scadden
2014-05-26 15:23:43 UTC
Created attachment 86831
kio-kssl_cert-accept-dialog_update.patch
Proposed patch. Changes dialog from KMessageBox::warningYesNo to KMessageBox::warningYesNoCancel. Closing the dialog now results in a Cancel rather than a No. It also places both dialogs in a loop so that the user is returned to the 1st dialog when cancelling the 2nd, rather than the certificate being accepted.
After using the patch for a while I do not believe that it is the best approach. With the patch applied the default option of 'Current Session only' is located on the left and the 'Forever' option is in the middle. Since the 'Continue' button on the previous dialog is also in the middle this means that a user who neglects to fully read the 2nd dialog box and just clicks will have chosen to accept the certificate forever.

FYI this bug report was forwarded from Debian BTS https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745556

I confirm this in 4.14.2.

Why is this a bug? In the dialog that asked you to accept or reject the certificate you chose to accept it by clicking on "continue". The next dialog is only there to ask you the duration for which the certificate should be accepted and as you stated closing it carries out the default action (accept it for current session).

The user has changed his mind, and doesn't want to accept the certificate. He neither wants to accept it "Forever", nor for "Current Session only". It seems intuitive that closing the dialog ("Would you like to accept this certificate forever without being prompted?") by clicking on the X in the top right corner would not accept the certificate. As the OP says:

Expected Results: Certificate is rejected, or user is returned to previous dialog

Test case (currently): https://webwewant.org/

Git commit 38a89ca0195dedee30240647b86c7b6df6788723 by Dawit Alemayehu.
Committed on 04/11/2014 at 12:23.
Pushed by adawit into branch 'KDE/4.14'.

Allow user to cancel out of the certificate accept duration dialog box.

FIXED-IN: 4.14.3
REVIEW: 120975

M +29 -23 kio/kio/tcpslavebase.cpp

http://commits.kde.org/kdelibs/38a89ca0195dedee30240647b86c7b6df6788723

Git commit 294a6a0d983e22723851fe07e381e70cb57c6744 by Dawit Alemayehu.
Committed on 10/11/2014 at 13:29.
Pushed by adawit into branch 'master'.

frameworks port of commit 38a89ca: Allow user to cancel out of the certificate accept duration dialog box.

M +26 -22 src/core/tcpslavebase.cpp

http://commits.kde.org/kio/294a6a0d983e22723851fe07e381e70cb57c6744
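The dialog flow discussed in this report, as an added example that is neither the kdelibs code nor the attached patch: a toolkit-free model of the two prompts, comparing the reported two-way duration dialog with the three-way, looped version the proposed patch describes. The `Answer`, `Verdict` and `Script` types and both function names are hypothetical, and mapping Yes to 'Forever' is an assumption.

```cpp
#include <cstdio>
#include <deque>

// Simplified stand-ins for dialog results (hypothetical, not the KMessageBox enum).
// Closed = window closed with the X button.
enum class Answer { Yes, No, Cancel, Closed };
enum class Verdict { Rejected, AcceptSession, AcceptForever };

// Constructed, scripted user input; running out of answers counts as Closed.
struct Script {
    std::deque<Answer> answers;
    Answer next() {
        if (answers.empty()) return Answer::Closed;
        Answer a = answers.front();
        answers.pop_front();
        return a;
    }
};

// Reported behaviour: the duration dialog only knows Yes/No, so a closed
// window is folded into No, which means "Current Session only".
Verdict askYesNo(Script &ui) {
    if (ui.next() != Answer::Yes) return Verdict::Rejected;   // 1st dialog: Continue?
    return ui.next() == Answer::Yes ? Verdict::AcceptForever  // 2nd dialog (Yes = Forever, assumed)
                                    : Verdict::AcceptSession; // No *and* Closed
}

// Approach from the proposed patch: three-way duration dialog inside a loop;
// Cancel or Closed on the 2nd dialog returns the user to the 1st.
Verdict askYesNoCancel(Script &ui) {
    for (;;) {
        if (ui.next() != Answer::Yes) return Verdict::Rejected;
        switch (ui.next()) {
            case Answer::Yes: return Verdict::AcceptForever;
            case Answer::No:  return Verdict::AcceptSession;
            default:          break;  // back to the 1st dialog, nothing accepted
        }
    }
}

int main() {
    Script a{{Answer::Yes, Answer::Closed}};
    Script b{{Answer::Yes, Answer::Closed, Answer::Closed}};
    std::printf("yes/no: %d, yes/no/cancel: %d\n",
                static_cast<int>(askYesNo(a)), static_cast<int>(askYesNoCancel(b)));
    return 0;
}
```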