Closed Bug 119114 Opened 18 years ago Closed 13 years ago
logging into hotmail: 6 dialogs
Logging into Hotmail with a new profile yields 5 or 6 dialogs. My dad, who tried to use his Hotmail account shortly after I installed Mozilla on his computer, was not impressed. These are the dialogs:

1. Confirm: "Password manager can remember this logon and enter it automatically the next time you return to this website. Do you want password manager to remember this logon?" [Yes] [No] [Never for this site]
2. If I select 'yes', I get another dialog explaining how password storage works. (Bug 43503) [OK]
3. Security Warning: "The information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?" (Note that #3 is really an https form in an http page. Bug 96556 covers the inaccurate warning.) [Continue] [Cancel].
4. Security Warning (!): "You have requested an encrypted page. The web site has identified itself correctly, and information you see or enter on this page can't easily be read by a third party." [OK]
5. Security Warning: "Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?" [Continue] [Cancel]
6. Security Warning: "You are about to leave an encrypted page. Information you send or receive from now on could easily be read by a third party." [OK]

While most of these dialogs are one-time or can be "unchecked" easily, #5 never goes away, so the user will see it each time he logs into Hotmail.

Sub-bugs:
bug 43503 Remove dialog #2 [cf Steve Morse's comment, bug 44042 comment 3 and again in bug 43503 comment 1]
bug 96556 Fix inaccuracy in #3
bug 119111 Make #4 less confusing
bug 119112 Make #4, #5, and #6 not appear in the fast-redirect case.

If the last bug can't be fixed, we'll have to evang microsoft to use a different login procedure (which will be especially difficult given that hotmail == passport == .net). Fixing the four sub-bugs would leave us with #1 (usually shown once per site) and a modified #3 (usually already "unchecked").
The people you should have cc'd on this report are Bob Lord's security team since they are responsible for the bulk of these dialogs -- namely 3, 4, 5, and 6.
For the record, there have been several bug reports about the CYA dialog for saving sensitive information. Here is a cross-reference list of them:

043503: Bad UI in "Saving Sensitive Information" dialog
102288: Wordings for password manager are specific to the application
117552: opening Site with PW opens annoyance window
117989: Save password shows alert that is vague
119114: logging into hotmail: 6 dialogs
Noticed this as well. I installed the latest Mozilla build on this fresh Win2000 install and I went to Hotmail; I didn't know whether to laugh or cry. Being swamped with so many confirmation dialogs was definitely not fun.
It will be interesting to hear what customers using embedded browsers have to say also. I find the security warnings very confusing (particularly as many/most web mail services mix secure and insecure content on a page so the warning about content being read by anyone is very scary.) I believe these warnings are turned off by default in IE.
mls: please help.
Assignee: mpt → mstoltz
Component: User Interface Design → Security: General
QA Contact: zach → bsharma
cc patricec for UE eval, nominating for Buffy
What about having one single dialog for security issues with the option 'Show me again'?
Just logged in to Netscape web mail. Got one popup informing and 4 popups with warnings. 5 popups for just logging in to a web mail, scary!
OS: Windows 98 → All
Hardware: PC → All
The new 1.4 Build will not allow me to access my Hotmail account.
I'm fine with 2004010908. Reporter, are you still seeing this problem?
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit
I only get two dialogs with Firefox trunk and a new profile: entering an encrypted page and leaving an encrypted page. Both dialogs are one-time by default. Are there plans to remove or disable those dialogs? I don't think they're useful.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED