User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36

Steps to reproduce:
Visit a site with HTTP basic authentication (RFC 2617).

Actual results:
A user is prompted for a username and password with no prominent indication that credentials may be sent in cleartext.

Expected results:
If no TLS is in place, there should be an extra warning or mollyguard that warns users about the risk of plaintext transmission.
Priority: -- → P3
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
Reviewed at the team planning meeting. Determined to be non-MVP work and moved to our maintenance meta.
Created attachment 8741967: Current UI

Bryan, what do you suggest for warning the users that the login is insecure? It would be easy to change the icon and/or add some text to the strings (using existing formatting and no line breaks). Other changes are more complex because this dialog's markup and logic are shared with many other Fx dialogs.

On a related note, is there a reason we can't use the key icon instead of the question mark on all platforms? https://mxr.mozilla.org/mozilla-central/find?string=key-64.png&tree=mozilla-central We currently only use a key icon on Linux (from bug 426689).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Would be great to get this fixed. At present users appear to have literally no way at all of distinguishing between digest-auth-over-http and basic-auth-over-http (e.g. as a result of downgrading by a MITM). Not only are the dialogs identical, but even browsing with the network tab open doesn't help, because the response headers are not shown until the password has been sent and it's too late. This is therefore a serious security issue, albeit one that only affects sites that don't or can't use TLS.

As for suggested wording, see this suggestion from 2006: https://bugzilla.mozilla.org/show_bug.cgi?id=333521

Since this bug has gone unfixed for many years already, can anyone recommend an extension that solves the issue? Or offer another way in which authentication type (basic/digest/etc.) can be detected *before* entering the password? I need a workaround ASAP. (Yes, I know simply using TLS would be best practice, but I don't have that option.) Thanks.
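The comment above asks how the authentication type can be detected before a password is typed. The check below is an added example for this page, not code from the Firefox project or from anyone on this bug: it parses the WWW-Authenticate challenge(s) of a 401 response (RFC 2617 challenge syntax, including several challenges in one header value) and reports, per challenge, whether a password entered at the prompt would cross the wire in cleartext. The header values and the host name intranet.example are constructed samples; the optional probe() helper fetches a real URL without credentials and needs network access. Note the downgrade caveat from the comment: the check can only report the challenge that actually arrived, so a Basic challenge on a plain-http URL is exactly the signal to stop at.

```python
"""Inspect WWW-Authenticate challenges before any credential is typed.

Added example (not Firefox code). Parses RFC 2617 challenges and flags the
case where Basic auth would carry the password over plain HTTP.
"""
import re
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse

# token, quoted-string and token68 per the HTTP authentication grammar.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_EQ_RE = re.compile(r"\s*=\s*")
_QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
_TOKEN68_RE = re.compile(r"\s+([A-Za-z0-9\-._~+/]+=*)\s*(?=,|$)")


def parse_www_authenticate(value):
    """Return [(scheme, params), ...] for one WWW-Authenticate header value.

    A token followed by '=' is a parameter of the current challenge; any other
    token starts a new challenge. A scheme followed only by base64-style data
    (e.g. 'Negotiate <token68>') keeps that data under the key 'token68'.
    """
    challenges = []
    pos, n = 0, len(value)
    while pos < n:
        while pos < n and value[pos] in " \t,":  # skip separators between items
            pos += 1
        if pos >= n:
            break
        tok = _TOKEN_RE.match(value, pos)
        if not tok:
            raise ValueError(f"malformed challenge at offset {pos}: {value[pos:pos + 20]!r}")
        eq = _EQ_RE.match(value, tok.end())
        if eq:  # auth-param: name=value, value is quoted-string or token
            if not challenges:
                raise ValueError("auth-param appears before any scheme")
            vstart = eq.end()
            if vstart < n and value[vstart] == '"':
                q = _QUOTED_RE.match(value, vstart)
                if not q:
                    raise ValueError(f"unterminated quoted-string at offset {vstart}")
                val, pos = re.sub(r"\\(.)", r"\1", q.group(1)), q.end()  # unescape \x
            else:
                t = _TOKEN_RE.match(value, vstart)
                if not t:
                    raise ValueError(f"bad parameter value at offset {vstart}")
                val, pos = t.group(0), t.end()
            challenges[-1][1][tok.group(0).lower()] = val
        else:  # a new challenge begins with its scheme name
            params = {}
            challenges.append((tok.group(0), params))
            pos = tok.end()
            t68 = _TOKEN68_RE.match(value, pos)
            if t68:
                params["token68"] = t68.group(1)
                pos = t68.end()
    return challenges


def assess_auth_prompt(url, www_authenticate_values):
    """One finding per challenge: would the typed password be sent in cleartext?"""
    tls = urlparse(url).scheme.lower() == "https"
    findings = []
    for value in www_authenticate_values:
        for scheme, params in parse_www_authenticate(value):
            s = scheme.lower()
            if s == "basic":
                cleartext = not tls  # Basic = base64('user:password'), no secrecy at all
                note = ("Basic over plain HTTP: the password is readable to anyone on the path"
                        if cleartext else "Basic over TLS: password protected in transit")
            elif s == "digest":
                cleartext = False  # a hash goes out, not the password itself
                note = "Digest: password not sent, but without TLS still exposed to offline guessing and downgrade"
            else:
                cleartext = None  # scheme not assessed here
                note = f"{scheme}: no cleartext-password assessment for this scheme"
            findings.append({"scheme": scheme, "realm": params.get("realm"),
                             "tls": tls, "cleartext_password": cleartext, "note": note})
    return findings


def probe(url, timeout=10):
    """GET url with no credentials; return the WWW-Authenticate values of a 401 (needs network)."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return []  # no challenge: the page did not require authentication
    except HTTPError as err:
        if err.code == 401:
            return err.headers.get_all("WWW-Authenticate", [])
        raise


if __name__ == "__main__":
    # Constructed sample: what a plain-HTTP host might answer to an unauthenticated GET.
    sample = ['Digest realm="intranet", qop="auth", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"',
              'Basic realm="intranet"']
    for f in assess_auth_prompt("http://intranet.example/", sample):
        print(f"{f['scheme']:8} realm={f['realm']!r} cleartext_password={f['cleartext_password']} :: {f['note']}")
```

Against a live host the two pieces combine as assess_auth_prompt(url, probe(url)); because the probe sends no Authorization header, it shows what the browser's dialog would otherwise hide until after the password has been submitted.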
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Last Resolved: 2 days ago
Resolution: --- → INACTIVE