
Unclear state when https connection terminated - Android

Open RichardoC opened this issue 5 years ago • 5 comments

Describe the bug

  • Attempt to load any https website with invalid https (self-signed / expired cert, cert for the wrong domain, etc.)
  • Nothing happens

This can lead to misleading scenarios as the urlbar will still say that the current URL is the https one.

This also means there's no warning that you were trying to access a website which then got denied.

How to Reproduce

Misleading Scenario:

  1. Go, over http, to a website with invalid https: http://eusprig.org/horror-stories.htm or http://neverssl.com
  2. Edit the url to use the https scheme rather than http: https://eusprig.org/horror-stories.htm or https://neverssl.com
  3. See that the original website is still visible

Visited http, then attempted to visit https which didn't work. http page still rendered but url bar says "https" (screenshot: Screenshot_20201007-150500)

Clicking on the privacy report correctly says that the website was http (screenshot: Screenshot_20201007-150555)

Lack of a warning that anything's wrong

  1. Go to an invalid https website
  2. Nothing happens or changes

Expected behavior

A warning of some kind to be emitted when the connection was aborted due to an invalid https server. The current screen to be cleared; the previous page shouldn't be rendered while the url bar displays the new (invalid) page location.

Smartphone (please complete the following information):

  • DDG App Version: 5.67.0 sc (56700)
  • Device: Oneplus 5
  • OS: Android 9, OxygenOS version 9.0.11

RichardoC avatar Oct 07 '20 21:10 RichardoC

Thanks for reporting.

I've been taking a look at the code to understand the issue here.

Turns out that when visiting a site with an invalid certificate after the user has visited a valid site, the WebView loads again the previous site. So, in this case, the issue here is that we are not updating the URL bar correctly.

For the record, we update the URL bar when:

  • we detect a new site being loaded
  • or, a site updating the URL (user forwarded or similar)
  • or, based on a user input

In this case, the URL bar gets updated by a user input event. Because the site submitted has an invalid certificate, WebView loads the previous site again, we don't detect that as a "new site being loaded", and we don't update properly the URL bar.

Since we are not currently handling invalid certificates, the proper fix for the issue is to detect which site WebView has finally loaded and update the URL bar.

cmonfortep avatar Oct 15 '20 19:10 cmonfortep

We are tracking this issue internally: https://app.asana.com/0/414730916066338/1198486065923453/f

cmonfortep avatar Oct 15 '20 20:10 cmonfortep

Thanks for getting back to me.

That would certainly be an improvement, but I do think there should be some level of warning when a connection is stopped due to invalid certs. What you're proposing would put someone back to the previous page every time, which feels unexpected to me.

RichardoC avatar Oct 16 '20 18:10 RichardoC

Yes, I do agree with you. We should show some kind of warning if we detect any issue related to an invalid certificate.

What you're proposing would put someone back to the previous page every time, which feels unexpected to me.

Yes, it was unexpected for me too. I didn't explain it correctly. That's WebView's default behavior. If WebView is moving the user back to the previous site, we should update the URL bar accordingly (at least as a quick fix). But that doesn't mean that we will not work on showing a warning when an invalid certificate is found too.

cmonfortep avatar Oct 18 '20 07:10 cmonfortep
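The two fixes discussed above (reconcile the URL bar with what WebView actually loaded, and warn when a certificate is rejected) as an added Kotlin example. This is not DuckDuckGo's code; the `BrowserUi` interface and its two callbacks are hypothetical stand-ins for whatever the host app uses to repaint the URL bar and show an error page.

```kotlin
// Added example, not the project's own code. BrowserUi and its callbacks are
// hypothetical; the WebViewClient/SslError APIs are the real Android ones.
import android.net.http.SslError
import android.webkit.SslErrorHandler
import android.webkit.WebView
import android.webkit.WebViewClient

interface BrowserUi {
    fun onUrlChanged(url: String)                          // hypothetical: repaint the URL bar
    fun onCertificateRejected(url: String, reason: String) // hypothetical: show a warning page
}

class StrictSslWebViewClient(private val ui: BrowserUi) : WebViewClient() {

    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
        // Never call handler.proceed(). Cancelling is also WebView's default, but the
        // default is silent and WebView then shows the previous page, which is exactly
        // the confusing state reported in this issue. Cancel explicitly and tell the user.
        handler.cancel()
        ui.onCertificateRejected(error.url, describe(error))
    }

    // Called whenever WebView records a navigation in its history, including the
    // return to the previous entry after a cancelled handshake. The bar is
    // reconciled with the committed URL here, not with the text the user typed.
    override fun doUpdateVisitedHistory(view: WebView, url: String, isReload: Boolean) {
        super.doUpdateVisitedHistory(view, url, isReload)
        ui.onUrlChanged(url)
    }

    override fun onPageFinished(view: WebView, url: String) {
        super.onPageFinished(view, url)
        // view.url is the page actually rendered; the url argument can be stale
        // after a redirect, so prefer the WebView's own view of its location.
        ui.onUrlChanged(view.url ?: url)
    }

    // Map the primary TLS failure to a reason the warning page can display.
    private fun describe(error: SslError): String = when (error.primaryError) {
        SslError.SSL_EXPIRED -> "certificate has expired"
        SslError.SSL_NOTYETVALID -> "certificate is not yet valid"
        SslError.SSL_DATE_INVALID -> "certificate date is invalid"
        SslError.SSL_IDMISMATCH -> "certificate hostname does not match the site"
        SslError.SSL_UNTRUSTED -> "certificate is self-signed or from an unknown issuer"
        else -> "certificate is invalid"
    }
}
```

Loading https://self-signed.badssl.com with this client attached should leave the URL bar on the previously committed page and show the "self-signed or from an unknown issuer" warning rather than silently re-rendering the old page under the new address.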

I've created another internal task proposing to warn users about invalid certificates: https://app.asana.com/0/414730916066338/1198502707847229/f

cmonfortep avatar Oct 18 '20 08:10 cmonfortep

Closing this stale issue. This doesn’t apply anymore.

malmstein avatar Jun 23 '23 09:06 malmstein

The behaviour is still present and occurring with 5.160.0. It can be tested with https://self-signed.badssl.com rather than the previously supplied domain above.

RichardoC avatar Jun 23 '23 10:06 RichardoC

Mind reopening @malmstein ?

RichardoC avatar Jun 23 '23 10:06 RichardoC