How can different paths on the same domain have different TLS encryption?

@YK1175434

Posted in: #Https

Take for example this major Swedish newspaper, Dagens Nyheter (literally Today's News). Their web page is available over HTTPS at www.dn.se/ and, in Firefox, shows as "secure connection" using the TLS 1.2 cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 when I tried it just now.

They also offer an RSS news feed at www.dn.se/nyheter/rss. When I browse to that URL with the exact same browser, it shows as "not secure", and Firefox reports "connection not encrypted" in the page information security tab.

How is this even possible? It's the same protocol (HTTPS), same host name (www.dn.se), same port (default 443), same (presumably!) certificate validation going on in the browser. The path portion of the URL isn't transmitted until after the TLS session has been set up. How can different paths on the same publicly-visible host name consistently result in different levels of TLS security like this?




1 Comment


@Karen161

It is possible in theory because each visit to a different URL may be a new TLS connection, hence a new TLS handshake and exchange of certificates/keys/cipher choices/etc. Also, even if not desirable of course, there is an existing mode of TLS setup with in fact no encryption at all.

My browser does in fact also display "Insecure connection" for the RSS feed, which makes me wonder, as other low-level tools do not. Also, Chromium shows the page as secure. So I more and more think it is a problem related to Firefox.
Also, SSLLabs gives an A+ to the site for its TLS configuration, so I more and more think of a specific Firefox issue.

Found it, it is specific to Firefox: bugzilla.mozilla.org/show_bug.cgi?id=337897
In short, there is a smart RSS reader included in Firefox; it loads your URL just fine and securely, but then uses a local application in a jar file to display the RSS output nicely, and this specific module is deemed to be insecure.
Hence the final error message from Firefox is completely misleading, and it is a shame they have been leaving it as is for so many years (see the bug report quoted above). They even decided they will not fix it at all, supposedly because this feed reader has been "demoted" inside Firefox for a long time.

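An added diagnostic, written for this thread and not posted by either participant, that does what the question and the answer reason about: it completes the TLS handshake for each URL (the server only ever sees host and port at that stage), and only then sends the request that carries the path, reporting the negotiated version, cipher and certificate subject. Running it for both dn.se URLs lets you confirm that the server side negotiates the same parameters regardless of path, so any difference in the browser indicator is a client-side artefact; it assumes the two URLs from the question and uses only the standard library.

```python
import socket
import ssl
from urllib.parse import urlsplit


def tls_endpoint(url):
    """What the TLS layer works with: host (also sent as SNI) and port.
    The path is deliberately absent; it never appears in the handshake."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs have a TLS endpoint")
    return (parts.hostname, parts.port or 443)


def http_request(url):
    """The plaintext request that travels inside the tunnel, built only
    after the handshake has finished. This is where the path lives."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return (f"HEAD {target} HTTP/1.1\r\nHost: {parts.hostname}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def probe(url, timeout=10):
    """Handshake with the host, then send the request and report what was negotiated."""
    host, port = tls_endpoint(url)
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(http_request(url))
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
            return {
                "version": tls.version(),          # e.g. 'TLSv1.2'
                "cipher": tls.cipher()[0],         # negotiated cipher suite name
                "subject": dict(x[0] for x in tls.getpeercert()["subject"]),
                "status": status,
            }


if __name__ == "__main__":
    # Both URLs from the question share one TLS endpoint; compare the results.
    for u in ("https://www.dn.se/", "https://www.dn.se/nyheter/rss"):
        print(u, tls_endpoint(u), probe(u))
```

If both probes report the same version and cipher, the "not secure" indicator cannot be coming from the connection itself.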

