Closed Bug 38019 Opened 24 years ago Closed 8 years ago

[rfe] add PSM lock icon to password dialogs

Categories

(Core Graveyard :: Security: UI, enhancement, P4)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 333521

People

(Reporter: kennedyh, Unassigned)

References

Details

(Keywords: helpwanted, Whiteboard: [psm-padlock])

Attachments

(1 file, 2 obsolete files)

Patch to nsIAuthPrompt only
2.63 KB, patch
Details | Diff | Splinter Review 
this is branched out from bug 38008.

the password dialog should reflect whether or not it will be passing
the auth string over a secure connection or not.
Reassign to owner of Security:Crypto component.
Assignee: norris → dougt
Component: Security: General → Security: Crypto
Setting milestone to Future.
Target Milestone: --- → Future
Reassigning all https/cartman/security bugs to valeski.  He will be finding new 
owner(s).  This shift is so that I can focus on embedding issues.  If the new 
owner has questions that can not be resovled, I may be able to lend a (quick) 
hand.

over to valeski....
Assignee: dougt → valeski
Blocks: 48444
Re-assigning all valeski PSM bugs to ddrinan.
Assignee: valeski → ddrinan
nsbeta1
Assignee: ddrinan → javi
Keywords: nsbeta1
Mass changing of product. Browser:Security:Crypto --> PSM 2.0
Component: Security: Crypto → Client Library
Product: Browser → PSM
Target Milestone: Future → ---
Version: other → 2.0
Target Milestone: --- → 2.0
Keywords: helpwanted, ui
*** Bug 33184 has been marked as a duplicate of this bug. ***
*** Bug 76493 has been marked as a duplicate of this bug. ***
Mass reassigning target to 2.1
Target Milestone: 2.0 → 2.1
Keywords: nsenterprise
remove nsenterprise.
Keywords: nsenterprise
New Feature->P4
Priority: P3 → P4
Moving all P3 and P4 bugs targetted to 2.1 to future.
Target Milestone: 2.1 → Future
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
QA Contact: ckritzer → junruh
Blocks: 104166
I agree the password dialog should show whether the password will be transfered
securly or not. See also bug 143552, which is probably a duplicate.

*** Bug 143552 has been marked as a duplicate of this bug. ***
Keywords: nsbeta1
-> me
Assignee: javi → kaie
Keywords: nsbeta1nsbeta1+
I agree that a lock icon would be the nicest looking solution.
But at the moment, I don't want to spend at lot of time on this issue.

(We would have to go away from the current implementation of just using a simple
default dialog, and would have to implement a new XUL dialog, we would have to
query the security status of the initial connection attempt, etc. Sure, doable,
but not in 30 minutes.)


But still, I think it is important to give the user at least some feedback
whether the entered password will be sent with or without encryption.

I have a small patch that slightly extends the password prompt.
If the protocol is not http, it prefixes the hostname with protocol://

This seems reasonable to me, since we already suffix the displayed hostname with
a :port if the connection is to a non-standard port.


As a result:
If the user connects to a site without encryption, the message we display will
not change by this patch. The user will continue to see a message like:

  Enter username and password for "realm" at www.acme.com

If the connection is using https, the message will look like:

  Enter username and password for "realm" at https://www.acme.com


I created a test site at:

  http://www.kuix.de/misc/test35/
  https://www.kuix.de/misc/test35/

to see the port numbers in the prompt use:
  http://www.kuix.de:80/misc/test35/
  https://www.kuix.de:443/misc/test35/

  user: test35
  password: test35
Status: NEW → ASSIGNED
Attached patch Patch v1 (obsolete) — Splinter Review 
Darin, what do you think?
Comment on attachment 92880 [details] [diff] [review]
Patch v1

yeah, this seems like a good addition.	one thing though...  imagine FTP
proxied connections.  the scheme will be ftp://, but in reality the protocol is
http://. so do we want the dialog to say ftp:// or http:// and if we choose
ftp://, then what about the normal FTP password dialog?  should it also include
the text FTP (if it doesn't already)?
I think we should show show ftp:// - the patch does already do it.

I just tested, and with the patch and using a proxy, we indeed display the
prompt to enter both username and password, and it shows ftp:// already.

My tests show the FTP password prompt already prefixes the hostname with ftp://

If you want to see the current behaviour yourself:
- an internal proxy is carbuncle.mcom.com 8080
- connect to ftp://somebody@sweetlou.mcom.com/

So if we agree, that we show ftp://, we should be fine already.

there is another issue BTW... what about Digest authentication?  it is a secure
mechanism for transfering someones password.  however, it can be used with
normal HTTP connections.  so, in other words, the protocol scheme doesn't really
indicate the security level.
So the point is: Although one uses a http connection without an SSL encryption
wrapper, the password will not get transmitted as cleartext.

I'm still trying to keep it simple.

I extended the generic authenticator interface to support the scheme it is using
and make use of that in the http channel implementation. I temporarily thought
about making the implementor class of the authenticator return an additional
message on its own, but I did not want to add string bundle access to the
authenticator implementations.

As of now there are only basic and digest authentication, I suggest, if a digest
mechanism is in use, we append
  (uses digest authentication)
to the message.

I have created a digest auth test site at: http://www.kuix.de/misc/test35digest/
Attached patch Patch v2 (obsolete) — Splinter Review 

        Attachment #92880 -
        Attachment is obsolete: true

    
    

    
  
i don't think average users are going to understand what "using digest
authentication" means.  that is a very technical term.  can't we say using
secure authentication or something more general?  or what i'd really like is a
separate message saying either

  "Your username and password will be encrypted before being sent over the
Internet."

or

  "Your username and password will be sent over the Internet without encryption."

perhaps it's possible to extend nsIAuthPrompt to include a security flag?

    
    

    
  
I don't think the average user is able to understand what https means either.

If we want to show more detailed explanations in the dialog, we should not only
explain what digest authentication means, we should also explain what https
means when it is in effect.

And that leads to the question: What message should we show if both https and
digest authentication are in effect at the same time?


    
    

    
  
CC'ing Sean, since we are starting to talk about security wordings.


    
    

    
  
Let's try to agree before I create more patches.

New plan:

We currently say "Enter username and password for "realm" at www.acme.com"


1.) The first suggestion was to include the protocol for non-http authentication
like in "Enter username and password for "realm" at https://www.acme.com"

Any objections on adding the prefix?


2.) Adding the protocol is not enough information to help the user. We should
also say whether a protection will be used or whether secure authentication will
be used. In addition it was suggested to warn the user if none of these
mechanisms is in use.

New suggestion for the different scenarios (ignoring the protocol prefix above.):

2a) If there is neither https nor a digest/secure authentication in effect we
say: "Enter username and password for "realm" at https://www.acme.com. Your
username and password will be sent over the Internet without protection."

2b) If there is a secure digest authentication in effect, but we are not using
https: "Enter username and password for "realm" at https://www.acme.com. Your
username and password will be sent over the Internet using secure authentication."

2c) If we are going to use https, we assume that https is stronger than the
digest authentication. We will not mention the digest authentication, regardless
whether it is used or not. So with https we could say: "Enter username and
password for "realm" at https://www.acme.com. Your username and password will be
sent over an encrypted connection."

I wonder whether we should try to find a wording where we avoid having to say
"username and password" twice.


    
    

    
  
Ignoring the "https://" prefixes ;-) your 3 suggested wordings seem good to me.
 I'm not sure that it would all fit in the title of the window though.

nsIAuthPrompt isn't frozen, so we could look into adding an additional field.

    
    

    
  
Darin and me had a chat and agreed on the following:

- nsIAuthPrompt is used all over Mozilla, not only for http/ftp
- the implementation of nsIAuthPrompt should not have to deal with the message shown
- at this time, we don't want to change the implementation of nsIAuthPrompt to
show more security info besides the message we pass to it
- at a later time, someone might choose to extend the implementation of
nsIAuthPrompt to show additional info in the dialog, like lock icons or SSL
trust information
- the interface nsIAuthPrompt is not yet frozen, but it is likely it will be
soon. Because of that, if we want avoid complication, we should extend the
interface now
- we can extend the interface to include the security state
- we can pass over the security from the http/https code
- because nsIAuthPrompt is used all over Mozilla, it is not possible for me (in
a short time) to add the correct security state to all the other usages of that
interface
- therefore, we'll add a new parameter like SECURITY_UNKNOWN wherever I need to
change code outside of security/http to make it compile
- in addition, I think we should add more than one parameter. Besides an enum
like unknown/cleartext/obscured/digestauth/encryption we should also pass over
an optional nsISupports*, that may be null. We can use that later to pass over
SSL trust information


    
  

        Attachment #93303 -
        Attachment is obsolete: true

        Attachment #93303 -
        Flags: needs-work+

    
    

    
  


  
Darin, I would like to agree on the interface first. What do you think?

    
    

    
  
yeah, this is what i had in mind too :)

    
    

    
  
I see that implementations of nsIAuthPrompt mostly forward directly to nsIPrompt
and nsIPromptService.

Isn't it useless to change only nsIAuthPrompt, but not the other two?

I'm a bit scared by the amount of work required to change everything.

The sum of occurrences of prompt, Prompt, promptPassword, PromptPassword,
promptUsernameAndPassword, PromptUsernameAndPassword is => 533. I would have to
read and possibly extend 533 places in our code.

Even if we decided to only change nsIAuthPrompt, I still have to check that many
places, because without reading them, I don't know whether it is a call to
nsIAuthPrompt or something else, and whether it needs a change.

I want to give up for now and push this bug back, unless we agree it's a higher
priority or agree on a simpler solution.

Keywords: nsbeta1+nsbeta1

    
    

    
  
ultimately, nsIAuthPrompt doesn't need to be implemented as calls to nsIPrompt.
 it could be implemented differently, or it could be implemented just as it is
today.  by making the API changes to nsIAuthPrompt, you push the burden of how
the security state is conveyed to the user up and out of networking (where it
rightfully doesn't belong).  as an intermediate solution, can't you append some
warning text to the text supplied by the caller of nsIAuthPrompt?  it could be a
separate sentence, making it less likely to break internationalization, right? 
how about a couple newline chars or something to completely break it away from
the existing text?

    
    

    
  
The SECURITY_* values should reflect the strength of the protection, not the
particular mechanisms used.

Security is desinged around a threat model.  A threat model enumerates and
classifies the types of attacks, their estimated costs to the attacker, and
their costs to the victim.  One then implements countermeasures to the specific
attacks.

The interesting information to the user is not so much which particular
countermeasures are being taken, but which class of attacks they are vulnerable
to.  For authentications, the interesting attacks are:

1) Passive eavesdropping -- The attacker taps the network and retrieves the
password as it goes by.
2) Offline dictionary attack -- The attacker taps the network and retrieves
information useful in performing a dictionary attack against the user's password.
3) Spoofing or interception attack -- The attacker pretends to be the server or
modifies the communications between the client and the server and is able to
trick the client into sending it information from which the password may be
retrieved.
4) Connection hijacking -- The attacker permits the client to authenticate to
the server then takes over the connection, using the client's authentication to
send its own set of commands to the server.

Both digest and SSL (with sufficiently large key sizes and a valid cert) protect
the password against attacks 1-3.  SSL also protects against attack 4.  There
are mechanisms (such as APOP and CRAM-MD5) which protect against only 1 and 3.

"Obscuring" offers no protection whatsoever.  It shouldn't be called out as a
separate value.

SSL can offer either weak or strong protection against 1, depending on the size
of the stream cipher.  These two levels of protection should be called out
separately, as they are for browser windows.  (It can also provide weak
protection against 3, but that is related to bug 134735.)





    
    

    
  
it is necessary but not sufficient to list the strength of the protection.
you must also at least provide means for interested parties to determine the
mechanism of protection, as what was "highly secure" when the software was
shipped may have been exposed as broken yesterday.

good threat models are not static :-)

    
    

    
  
this also affects mail. (imap, pop, smtp, news, snews, ...)
Keywords: mozilla1.2
Target Milestone: Future → ---

    
  
Keywords: mozilla1.2, 
          
            nsbeta1
Target Milestone: --- → Future

    
  
Keywords: nsbeta1
Version: 2.0 → 2.4

    
    

    
  
*** Bug 189582 has been marked as a duplicate of this bug. ***

    
  
QA Contact: junruh → bmartin

    
    

    
  
*** Bug 204992 has been marked as a duplicate of this bug. ***

    
    

    
  
adt: nsbeta1-
Keywords: nsbeta1nsbeta1-

    
    

    
  
*** Bug 227362 has been marked as a duplicate of this bug. ***

    
  
Product: PSM → Core

    
    

    
  
*** Bug 322703 has been marked as a duplicate of this bug. ***
QA Contact: bmartin → ui

    
  
Version: psm2.4 → 1.0 Branch

    
  
Assignee: kaie → nobody
Whiteboard: [psm-padlock]
Target Milestone: Future → ---

    
  
Status: ASSIGNED → NEW
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: