Closed Bug 119114 Opened 18 years ago Closed 13 years ago

logging into hotmail: 6 dialogs

Categories

(Core :: Security, defect, major)

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: dveditz)

Details

(Keywords: meta)

Logging into Hotmail with a new profile yields 5 or 6 dialogs.  My dad, who 
tried to use his Hotmail account shortly after I installed Mozilla on his 
computer, was not impressed.  These are the dialogs:

1. Confirm: "Password manager can remember this logon and enter it 
automatically the next time you return to this website.  Do you want password 
manager to remember this logon?"
  [Yes] [No] [Never for this site]

2. If I select 'yes', I get another dialog explaining how password storage 
works.  (Bug 43503)
  [OK]

3. Security Warning: "The information you have entered is to be sent over an 
unencrypted connection and could easily be read by a third party.  Are you sure 
you want to continue sending this information?"  (Note that #3 is really an 
https form in an http page. Bug 96556 covers the inaccurate warning.)
  [Continue] [Cancel].

4. Security Warning (!): "You have requested an encrypted page.  The web site 
has identified itself correctly, and information you see or enter on this page 
can't easily be read by a third party."
  [OK]

5. Security Warning: "Although this page is encrypted, the information you have 
entered is to be sent over an unencrypted connection and could easily be read 
by a third party.  Are you sure you want to continue sending this information?"
  [Continue] [Cancel]

6. Security Warning: "You are about to leave an encrypted page.  Information 
you send or receive from now on could easily be read by a third party."
  [OK]


While most of these dialogs are one-time or can be "unchecked" easily, #5 never 
goes away, so the user will see it each time he logs into Hotmail.


Sub-bugs:
bug 43503  Remove dialog #2 
  [cf Steve Morse's comment, bug 44042 comment 3 and again in bug 43503 comment 
1]
bug 96556  Fix inaccuracy in #3
bug 119111 Make #4 less confusing
bug 119112 Make #4, #5, and #6 not appear in the fast-redirect case.

If the last bug can't be fixed, we'll have to evang microsoft to use a 
different login procedure (which will be especially difficult given that 
hotmail == passport == .net).

Fixing the four sub-bugs would leave us with #1 (usually shown once per site) 
and a modified #3 (usually already "unchecked").
Depends on: 43503, 96556, 119111, 119112
Keywords: meta
The people you should have cc'd on this report are Bob Lord's security team 
since they are responsible for the bulk of these dialogs -- namely 3, 4, 5, and 
6.
For the record, there have been several bug reports about the CYA dialog for 
saving sensitive information.  Here is a cross-reference list of them:

043503: Bad UI in "Saving Sensitive Information" dialog
102288: Wordings for password manager are specific to the application
117552: opening Site with PW opens annoyance window
117989: Save password shows alert that is vague
119114: logging into hotmail: 6 dialogs

Noticed this as well. I installed the latest Mozilla build on this fresh Win2000
install and I went to Hotmail, I didn't know whether to laugh or cry. Being
swamped with so many confirmation dialogs was definitely not fun.
It will be interesting to hear if customers using embedded browsers have to say
also. I find the security warnings very confusing (particularly as many/most web
mail services mix secure and insecure content on a page so the warning about
content being read by anyone is very scary.) 

I believe these warnings are turned off by default in IE.
mls: please help.
Assignee: mpt → mstoltz
Component: User Interface Design → Security: General
QA Contact: zach → bsharma
cc patricec for UE eval, nominating for Buffy
Keywords: nsbeta1
No longer depends on: 119111
What about having one single dialog for security issues with the option 'Show me
again'? 
Blocks: MS
Just logged in to Netscape web mail. Got one popup informing and 4 popups with
warnings. 5 popups for just logging in to a web mail, scary!
OS: Windows 98 → All
Hardware: PC → All
adt: nsbeta1-
Keywords: nsbeta1 → nsbeta1-
The new 1.4 build will not allow me to access my Hotmail account.
I'm fine with 2004010908. Reporter, are you still seeing this problem?
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit
I only get two dialogs with Firefox trunk and a new profile: entering an encrypted page and leaving an encrypted page.  Both dialogs are one-time by default.

Are there plans to remove or disable those dialogs?  I don't think they're useful.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Yes, see bug 341472.
Depends on: 341472