Closed Bug 1135766 Opened 6 years ago Closed 6 years ago

Provide an indication to the user when they are on an HTTP login form

Categories

(Toolkit :: Password Manager, defect, P1)

Points: 5

Tracking

RESOLVED FIXED
Iteration: 41.2 - Jun 8

People

(Reporter: tanvi, Assigned: agrigas)

Details

(Whiteboard: [fxprivacy] [ux])

Attachments

(1 file)

On Firefox Developer Edition, when the developer visits an HTTP page with a password field on it, alert them that entering their password here is insecure and that it can be read in cleartext.  If this is their own site, they can fix the issue by moving their login forms to HTTPS.  If not, we can ask them to try the HTTPS version of the page instead.

Ryan and I have been working on the UX for this.  Some ideas at https://www.lucidchart.com/documents/view/87ab1cc8-e708-49d3-8b91-6e2e6da346fb/4 under the "Anchor" and "Deprecated Tabs".
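The check the description asks for, written out as an added example (not Firefox's own code): given the page URL and a plain description of its forms, decide whether an insecure-login warning should be shown. It goes slightly beyond the text by also flagging a password form on an HTTPS page whose action submits over plain HTTP, since the password travels in cleartext in both cases; the form object shape is an assumption of this example.

```javascript
// Added example: decide whether a password field would be sent in cleartext.
// Not Firefox's implementation. A "form" here is a constructed plain object:
// { action, fields: [{ type }] }; a null/empty action posts back to the page URL.

const INSECURE_SCHEMES = new Set(["http:", "ftp:"]);

function hasPasswordField(form) {
  return form.fields.some(f => (f.type || "text").toLowerCase() === "password");
}

// Resolve the form's submit target against the page URL, as a browser would.
function submitUrl(form, pageUrl) {
  const target = form.action == null || form.action === "" ? pageUrl : form.action;
  try {
    return new URL(target, pageUrl);
  } catch (e) {
    return null; // unparsable action: nothing to resolve
  }
}

// Return the reasons to warn; an empty list means no password leaves in cleartext.
function insecureLoginFormReasons(pageUrl, forms) {
  const page = new URL(pageUrl);
  const reasons = [];
  forms.forEach((form, i) => {
    if (!hasPasswordField(form)) return;
    if (INSECURE_SCHEMES.has(page.protocol)) {
      // The case from the bug description: password field on an HTTP page.
      reasons.push(`form #${i}: password field on a ${page.protocol} page`);
      return;
    }
    const dest = submitUrl(form, pageUrl);
    if (dest && INSECURE_SCHEMES.has(dest.protocol)) {
      // HTTPS page, but the form posts the password to an HTTP endpoint.
      reasons.push(`form #${i}: password submitted to ${dest.origin} over ${dest.protocol}`);
    }
  });
  return reasons;
}

function shouldWarnInsecureLogin(pageUrl, forms) {
  return insecureLoginFormReasons(pageUrl, forms).length > 0;
}

// Constructed sample: a plain-HTTP login page with one username/password form.
const SAMPLE_PAGE = "http://example.com/login";
const SAMPLE_FORMS = [{ action: "/session", fields: [{ type: "text" }, { type: "password" }] }];
console.log(insecureLoginFormReasons(SAMPLE_PAGE, SAMPLE_FORMS));
```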
Tanvi, can this be done any time the user enables the dev tools rather than just Dev Edition?
(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #1)
> Tanvi, can this be done any time the user enables the dev tools rather than
> just Dev Edition?

I'd like it to be an about:config pref that is always on for developer edition and that addons or users can choose to turn on.

In addition, we could add code that enables this feature when developer tools are open, regardless of the about:config pref.  And, although hairy, perhaps with an about:config pref of its own.  I think we should do the general pref first and then we can extend to this.

This bug is for UX.
Whiteboard: [ux]
Hi Philipp,

This is the work Ryan and I have been working on that I mentioned yesterday.  I'd like to show a warning to the user when password fields appear on HTTP pages.  We've been brainstorming ideas and have a draft here under the "Anchor" tab and also some under the "deprecated" tab:
https://www.lucidchart.com/documents/view/87ab1cc8-e708-49d3-8b91-6e2e6da346fb/16
Blocks: 748193
Assignee: rfeeley → agrigas
Whiteboard: [ux] → [ux]
This strikes me as giving dangerously wrong advice. Sending passwords via http is not necessarily insecure. Conversely, sending them via https does not automatically make them secure. 

The worst possible security scenario is where passwords are stored in plaintext on the host, and this is exactly what is being encouraged by suggesting that https equals satisfactory password security.
Attached image mvp v1.png
MVP version with new icon (pending visual design) and control panel feedback on click.
Blocks: 1170621
Status: NEW → ASSIGNED
Iteration: --- → 41.2 - Jun 8
Points: --- → 5
Flags: qe-verify-
Flags: firefox-backlog+
Whiteboard: [ux] → [fxprivacy] [ux]
Duplicate of this bug: 261294
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Rank: 4
Priority: -- → P1
Resolution: --- → FIXED