Closed
Bug 1185145
Opened 10 years ago
Closed 3 years ago
Firefox should warn if using HTTP basic auth without TLS
Categories: (Firefox :: Security, defect, P3)
Tracking: RESOLVED DUPLICATE of bug 333521
People
(Reporter: soft, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-needed, site-compat, Whiteboard: [fxprivacy])
Attachments (1 file): 27.84 KB, image/png
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Steps to reproduce:
Visit a site with HTTP basic authentication (rfc-2617)
Actual results:
A user is prompted for a username and password with no prominent indication that credentials may be sent in cleartext
Expected results:
If no TLS is in place, there should be an extra warning or mollyguard that warns users about the risk of plaintext transmission
Updated•9 years ago
Whiteboard: [fxprivacy] [triage]
Updated•9 years ago
Priority: -- → P3
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
Comment 1•9 years ago
Reviewed at the team planning meeting. Determined to be non-MVP work and moved to our maintenance meta.
Updated•9 years ago
Component: Untriaged → Security
Comment 2•9 years ago
Bryan, what do you suggest for warning the users that the login is insecure? It would be easy to change the icon and/or add some text to the strings (using existing formatting and no line breaks). Other changes are more complex because this dialog's markup and logic are shared with many other Fx dialogs.
On a related note, is there a reason we can't use the key icon instead of the question mark on all platforms? https://mxr.mozilla.org/mozilla-central/find?string=key-64.png&tree=mozilla-central We currently only use a key icon on Linux (from bug 426689).
Flags: needinfo?(bbell)
Updated•9 years ago
Keywords: dev-doc-needed, site-compat
Updated•8 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3•8 years ago
Would be great to get this fixed.
At present users appear to have literally no way at all of distinguishing between digest-auth-over-http and basic-auth-over-http (e.g. as a result of downgrading by a MITM).
Not only are the dialogs identical, but even browsing with the network tab open doesn't help, because the response headers are not shown until the password has been sent and it's too late.
This is therefore a serious security issue, albeit one that only affects sites that don't or can't use TLS.
As for suggested wording, see this suggestion from 2006:
https://bugzilla.mozilla.org/show_bug.cgi?id=333521
Since this bug has gone unfixed for many years already, can anyone recommend an extension that solves the issue? Or offer another way in which authentication type (basic/digest/etc) can be detected *before* entering the password? I need a workaround ASAP.
(Yes, I know simply using TLS would be best practice, but I don't have that option).
Thanks.
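A pre-flight check of the kind Comment 3 asks for, as an added example that is not part of the bug report or of Firefox: it parses the WWW-Authenticate challenge(s) from a 401 response and reports, before any password is typed, whether a Basic login over plain http:// would send the password in cleartext. The URLs and header values below are constructed samples, not captures from any real site.

```python
"""Pre-flight classification of an HTTP auth challenge (added example, not Firefox code)."""
import re
from urllib.parse import urlsplit

# Quoted-string params (realm="a, b") may contain commas, so mask them before splitting.
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# A challenge piece starts with a token; if that token is followed by '=' it is a parameter,
# otherwise it is an auth-scheme name (Basic, Digest, Bearer, Negotiate, ...).
_PIECE = re.compile(r'^([A-Za-z][A-Za-z0-9._+~-]*)\s*(=?)')


def parse_schemes(header_value):
    """Return the lower-cased scheme names offered in one WWW-Authenticate value."""
    masked = _QUOTED.sub('""', header_value)
    schemes = []
    for piece in masked.split(','):
        m = _PIECE.match(piece.strip())
        if m and m.group(2) != '=':
            schemes.append(m.group(1).lower())
    return schemes


def assess_challenge(url, www_authenticate_values):
    """Classify the challenge for `url` given its WWW-Authenticate header values.
    Verdicts: 'cleartext' = Basic offered over http:// (password crosses the wire unprotected,
    also what a MITM downgrade from Digest looks like); 'weak' = only non-Basic schemes over
    http:// (no cleartext password, but an unauthenticated channel); 'ok' = TLS protects the
    transport; 'none' = no recognised challenge."""
    schemes = []
    for value in www_authenticate_values:          # several headers may be present
        schemes.extend(parse_schemes(value))
    if not schemes:
        return schemes, 'none'
    if urlsplit(url).scheme.lower() == 'https':
        return schemes, 'ok'
    if 'basic' in schemes:
        return schemes, 'cleartext'
    return schemes, 'weak'


# Constructed sample challenges; the last http:// one shows a Digest site also offering Basic.
SAMPLES = [
    ("http://intranet.example/admin", ['Basic realm="Admin, staff only"']),
    ("http://intranet.example/admin", ['Digest realm="admin", qop="auth", nonce="deadbeef", algorithm=MD5']),
    ("http://intranet.example/admin", ['Digest realm="admin", nonce="abc"', 'Basic realm="admin"']),
    ("https://intranet.example/admin", ['Basic realm="Admin"']),
]

if __name__ == "__main__":
    for sample_url, headers in SAMPLES:
        print(sample_url, assess_challenge(sample_url, headers))
```

In practice the header values come from a HEAD or unauthenticated GET of the URL; the check then runs before the credential prompt is answered.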
Updated•4 years ago
Flags: needinfo?(bbell)
Updated•3 years ago
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE