Firefox should warn if using HTTP basic auth without TLS

Status: RESOLVED INACTIVE
Product: Firefox
Component: Security
Priority: P3
Severity: normal
Reported: 3 years ago
Last modified: 2 days ago

Reporter: soft
Assignee: Unassigned
Flags: NeedInfo
Version: Trunk
Keywords: dev-doc-needed, site-compat
Blocks: 1 bug
Firefox tracking flags: not tracked
Whiteboard: [fxprivacy]
Attachments: 1

Description

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36

Steps to reproduce:

Visit a site with HTTP basic authentication (rfc-2617)


Actual results:

A user is prompted for a username and password with no prominent indication that credentials may be sent in cleartext


Expected results:

If no TLS is in place, there should be an extra warning or mollyguard that warns users about the risk of plaintext transmission

Updated

3 years ago
Blocks: 1188121

Updated

3 years ago
Whiteboard: [fxprivacy] [triage]

Updated

3 years ago
Priority: -- → P3
Whiteboard: [fxprivacy] [triage] → [fxprivacy]

Updated

3 years ago
Blocks: 1217142
Reviewed at the team planning meeting. Determined to be non-MVP work and moved to our maintenance meta.
Blocks: 1216897
No longer blocks: 1188121

Updated

2 years ago
Component: Untriaged → Security
Created attachment 8741967 [details]
Current UI

Bryan, what do you suggest for warning the users that the login is insecure? It would be easy to change the icon and/or add some text to the strings (using existing formatting and no line breaks). Other changes are more complex because this dialog's markup and logic are shared with many other Fx dialogs.

On a related note, is there a reason we can't use the key icon instead of the question mark on all platforms? https://mxr.mozilla.org/mozilla-central/find?string=key-64.png&tree=mozilla-central We currently only use a key icon on Linux (from bug 426689).
Flags: needinfo?(bbell)

Updated

2 years ago
Keywords: dev-doc-needed, site-compat
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 3

a year ago
Would be great to get this fixed.

At present users appear to have literally no way at all of distinguishing between digest-auth-over-http and basic-auth-over-http (e.g. as a result of downgrading by a MITM).

Not only are the dialogs identical, but even browsing with the network tab open doesn't help, because the response headers are not shown until the password has been sent and it's too late.

This is therefore a serious security issue, albeit one that only affects sites that don't or can't use TLS.

As for suggested wording, see this suggestion from 2006:
https://bugzilla.mozilla.org/show_bug.cgi?id=333521

Since this bug has gone unfixed for many years already, can anyone recommend an extension that solves the issue? Or offer another way in which authentication type (basic/digest/etc) can be detected *before* entering the password? I need a workaround ASAP.

(Yes, I know simply using TLS would be best practice, but I don't have that option).

Thanks.
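One way to make the check that comment 3 asks for, as an added example that is not code from this bug or from Firefox: request the page with no credentials, read the 401's WWW-Authenticate challenge(s), and report whether answering the prompt would put the password on the wire in cleartext. The `probe()` helper and the `intranet.example` host names are assumptions; challenge syntax follows RFC 7235.

```python
# Added example (not Firefox or bug code): classify a credential prompt from
# the URL scheme plus the 401's WWW-Authenticate challenge(s). probe() is an
# assumed helper that fetches the challenge without sending any credentials.
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# A 401 may carry several comma-separated challenges whose auth-params are also
# comma-separated. A new challenge starts with a scheme token that is not
# followed by '=' (params always are), so split only on such commas.
_CHALLENGE_SPLIT = re.compile(r",\s*(?=[A-Za-z][\w-]*(?:\s+[^=,\s]|\s*,|\s*$))")

def parse_challenges(header_value):
    """Scheme names offered in one WWW-Authenticate value, lower-cased, in order."""
    schemes = []
    for chunk in _CHALLENGE_SPLIT.split(header_value.strip()):
        parts = chunk.split(None, 1)
        if parts:
            schemes.append(parts[0].rstrip(",").lower())
    return schemes

def assess_prompt(url, www_authenticate_values):
    """Return (schemes, cleartext_password, note) for a prompt on url."""
    schemes = [s for v in www_authenticate_values for s in parse_challenges(v)]
    if urlsplit(url).scheme.lower() == "https":
        return schemes, False, "credentials protected by TLS"
    if "basic" in schemes and "digest" not in schemes:
        # Only Basic over plain HTTP: the password leaves base64-encoded, i.e.
        # readable by anyone on the path (RFC 2617 / RFC 7617).
        return schemes, True, "Basic auth without TLS: password sent in cleartext"
    if "digest" in schemes:
        # Digest hides the password, but without TLS an on-path party can swap
        # this challenge for a Basic one (the downgrade described in comment 3).
        return schemes, False, "Digest over plain HTTP: hashed, but downgradable"
    return schemes, False, "no Basic/Digest challenge offered"

def probe(url, timeout=10):
    """GET url with no credentials and classify the challenge it answers with."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            headers = resp.headers
    except urllib.error.HTTPError as err:
        headers = err.headers
    return assess_prompt(url, headers.get_all("WWW-Authenticate") or [])
```

Run `probe("http://intranet.example/")` against the site before typing anything into the dialog; the third element of the result is the warning Firefox does not show.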

Comment 4

2 days ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Last Resolved: 2 days ago
Resolution: --- → INACTIVE