Provide an indication to the user when they are on an HTTP login form

RESOLVED FIXED

Status: RESOLVED FIXED
Type: defect
Priority: P1
Severity: normal
Rank: 4
Reported: 5 years ago
Modified: 3 years ago

People

(Reporter: tanvi, Assigned: agrigas)

Tracking

Version: unspecified
Points: 5
Bug Flags:
firefox-backlog +
qe-verify -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fxprivacy] [ux])

Attachments

(1 attachment)

On Firefox Developer Edition, when the developer visits an HTTP page with a password field on it, alert them that entering their password here is insecure and that it can be read in cleartext.  If this is their own site, they can fix the issue by moving their login forms to HTTPS.  If not, we can ask them to try the HTTPS version of the page instead.

Ryan and I have been working on the UX for this.  Some ideas at https://www.lucidchart.com/documents/view/87ab1cc8-e708-49d3-8b91-6e2e6da346fb/4 under the "Anchor" and "Deprecated Tabs".
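As an added illustration (not Firefox's implementation and not code from this bug), the check below decides which forms on a page would get the indicator requested here. A form with a password field is flagged when the page is not served over HTTPS and, going a step beyond the bug text, when its action resolves to a non-HTTPS URL, since the credentials travel in cleartext either way. The page URL and the form descriptors are constructed sample inputs, not real DOM nodes.

```javascript
// Added example: which login forms should carry the "insecure" indicator.
// Forms are described as plain objects { action, hasPasswordField }
// (constructed inputs standing in for DOM <form> elements).

function resolveAction(pageUrl, action) {
  // A missing or empty action submits back to the page URL (HTML default),
  // so it inherits the page's scheme.
  return new URL(action || "", pageUrl);
}

// Returns the list of reasons a form is insecure; empty means no warning.
function insecureLoginReasons(pageUrl, form) {
  const reasons = [];
  if (!form.hasPasswordField) {
    return reasons; // not a login form, nothing to warn about
  }
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") {
    // The page itself came over cleartext: its markup, including the
    // form action, could have been altered in transit.
    reasons.push("page-not-https");
  }
  const target = resolveAction(pageUrl, form.action);
  if (target.protocol !== "https:") {
    // The password would be POSTed over cleartext.
    reasons.push("action-not-https");
  }
  return reasons;
}

// Scan every form on a page and keep only the ones that need the indicator.
function scanForms(pageUrl, forms) {
  return forms
    .map((form, index) => ({ index, reasons: insecureLoginReasons(pageUrl, form) }))
    .filter((entry) => entry.reasons.length > 0);
}

// Constructed sample page: an HTTP login page with three forms.
const SAMPLE_PAGE = "http://example.com/login";
const SAMPLE_FORMS = [
  { action: "/session", hasPasswordField: true },                    // flagged
  { action: "https://example.com/session", hasPasswordField: true }, // flagged (page is HTTP)
  { action: "/search", hasPasswordField: false },                    // ignored
];

for (const hit of scanForms(SAMPLE_PAGE, SAMPLE_FORMS)) {
  console.log(`form #${hit.index}: ${hit.reasons.join(", ")}`);
}
```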
Tanvi, can this be done any time the user enables the dev tools rather than just Dev Edition?
(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #1)
> Tanvi, can this be done any time the user enables the dev tools rather than
> just Dev Edition?

I'd like it to be an about:config pref that is always on for developer edition and that addons or users can choose to turn on.

In addition, we could add code that enables this feature when developer tools are open, regardless of the about:config pref.  And, although hairy, perhaps with an about:config pref of its own.  I think we should do the general pref first and then we can extend to this.

This bug is for UX.
Whiteboard: [ux]
Hi Philipp,

This is the work Ryan and I have been working on that I mentioned yesterday.  I'd like to show a warning to the user when password fields appear on HTTP pages.  We've been brainstorming ideas and have a draft here under the "Anchor" tab and also some under the "deprecated" tab:
https://www.lucidchart.com/documents/view/87ab1cc8-e708-49d3-8b91-6e2e6da346fb/16
Blocks: 748193
Assignee: rfeeley → agrigas
Whiteboard: [ux] → [ux]
This strikes me as giving dangerously wrong advice. Sending passwords via http is not necessarily insecure. Conversely, sending them via https does not automatically make them secure. 

The worst possible security scenario is where passwords are stored in plaintext on the host, and this is exactly what is being encouraged by suggesting that https equals satisfactory password security.
Posted image mvp v1.png
MVP version with new icon (pending visual design) and control panel feedback on click.
Blocks: 1170621
Status: NEW → ASSIGNED
Iteration: --- → 41.2 - Jun 8
Points: --- → 5
Flags: qe-verify-
Flags: firefox-backlog+
Whiteboard: [ux] → [fxprivacy] [ux]
Duplicate of this bug: 261294
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Rank: 4
Priority: -- → P1
Resolution: --- → FIXED