Closed
Bug 1135766
Opened 10 years ago
Closed 10 years ago
Provide an indication to the user when they are on an HTTP login form
Categories
(Toolkit :: Password Manager, defect, P1)
Toolkit
Password Manager
RESOLVED
FIXED
Iteration:
41.2 - Jun 8
People
(Reporter: tanvi, Assigned: agrigas)
References
Details
(Whiteboard: [fxprivacy] [ux])
Attachments
(1 file)
476.79 KB,
image/png
On Firefox Developer Edition, when the developer visits an HTTP page with a password field on it, alert them that entering their password here is insecure and that it can be read in cleartext. If this is their own site, they can fix the issue by moving their login forms to HTTPS. If not, we can ask them to try the HTTPS version of the page instead.
Ryan and I have been working on the UX for this. Some ideas at https://www.lucidchart.com/documents/view/87ab1cc8-e708-49d3-8b91-6e2e6da346fb/4 under the "Anchor" and "Deprecated Tabs".
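The check described above can be sketched as follows. This is an added example, not code from this bug or from Firefox, and it goes beyond the description in two places: it also flags a password form on an HTTPS page that submits to an HTTP action, and it assumes loopback hosts are exempt for local development. All function and field names are hypothetical.

```javascript
// Added example: hypothetical names, not Firefox's implementation.
// Assumption: loopback hosts are exempt so local development is not flagged.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// True when the URL would carry form data in cleartext over the network.
function isCleartext(url) {
  const u = new URL(url);
  return u.protocol === "http:" && !LOOPBACK_HOSTS.has(u.hostname);
}

// Build the "try the HTTPS version" suggestion for an HTTP URL.
function toHttps(url) {
  const u = new URL(url);
  u.protocol = "https:";
  return u.href;
}

// forms: [{ action: string|null, fieldTypes: string[] }], as extracted
// from the page's <form> elements and their <input type=...> values.
function loginFormWarnings(pageUrl, forms) {
  const warnings = [];
  forms.forEach((form, index) => {
    const hasPassword = form.fieldTypes.some(
      (t) => t.toLowerCase() === "password"
    );
    if (!hasPassword) return; // only password-bearing forms are of interest

    // A missing or empty action submits to the page's own URL.
    const target = new URL(form.action || "", pageUrl).href;

    if (isCleartext(pageUrl)) {
      // The page itself arrived over HTTP, so the form can be read or altered in transit.
      warnings.push({ index, reason: "page-over-http", httpsCandidate: toHttps(pageUrl) });
    } else if (isCleartext(target)) {
      // Secure page, but the password is posted to an HTTP endpoint.
      warnings.push({ index, reason: "submits-over-http", httpsCandidate: toHttps(target) });
    }
  });
  return warnings;
}

// Constructed sample input: a search form and a login form on an HTTP page.
const sampleForms = [
  { action: "/search", fieldTypes: ["text"] },
  { action: "/session", fieldTypes: ["text", "Password"] },
];
console.log(loginFormWarnings("http://shop.example/login", sampleForms));
```
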
Comment 1•10 years ago
Tanvi, can this be done any time the user enables the dev tools rather than just Dev Edition?
Reporter
Comment 2•10 years ago
(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #1)
> Tanvi, can this be done any time the user enables the dev tools rather than
> just Dev Edition?
I'd like it to be an about:config pref that is always on for developer edition and that addons or users can choose to turn on.
In addition, we could add code that enables this feature when developer tools are open, regardless of the about:config pref. And, although hairy, perhaps with an about:config pref of its own. I think we should do the general pref first and then we can extend to this.
This bug is for UX.
Whiteboard: [ux]
Reporter
Comment 3•10 years ago
Hi Philipp,
This is the work Ryan and I have been working on that I mentioned yesterday. I'd like to show a warning to the user when password fields appear on HTTP pages. We've been brainstorming ideas and have a draft here under the "Anchor" tab and also some under the "deprecated" tab:
https://www.lucidchart.com/documents/view/87ab1cc8-e708-49d3-8b91-6e2e6da346fb/16
Assignee
Updated•10 years ago
Assignee: rfeeley → agrigas
Whiteboard: [ux] → [ux]
Comment 4•10 years ago
This strikes me as giving dangerously wrong advice. Sending passwords via http is not necessarily insecure. Conversely, sending them via https does not automatically make them secure.
The worst possible security scenario is where passwords are stored in plaintext on the host, and this is exactly what is being encouraged by suggesting that https equals satisfactory password security.
Assignee
Comment 5•10 years ago
MVP version with new icon (pending visual design) and control panel feedback on click.
Updated•10 years ago
Blocks: 1170621
Status: NEW → ASSIGNED
Iteration: --- → 41.2 - Jun 8
Points: --- → 5
Flags: qe-verify-
Flags: firefox-backlog+
Whiteboard: [ux] → [fxprivacy] [ux]
Updated•10 years ago
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Rank: 4
Priority: -- → P1
Resolution: --- → FIXED