Open Bug 1229745 Opened 5 years ago Updated 11 months ago

Delete/upgrade HTTP passwords, if website is HTTPS only via redirect / HSTS

Categories

(Toolkit :: Password Manager, enhancement, P3)

enhancement

Tracking

()

People

(Reporter: BenB, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: security:passwords)

Given:
* A large website with webmail service (e.g. mail.com or Yahoo) was previously http and had its login form there. Millions of users have their password stored in Firefox Password Manager under http://mail.com .
* The website migrates to https://mail.com , by doing a simple HTTP redirect.
* The user continues to enter "mail.com" in the URLbar.
* An attacker (e.g. on a Wifi network or by changing DNS) lets DNS mail.com point to an attacker website

That means:
* The Firefox Password Manager will happily fill in the password into http://mail.com and the attacker gets the password.

Solution:
Option 1 (this bug)

If Firefox detects that a website
1. redirects http path = "/") to https OR
2. uses HSTS
then delete any password manager entries for http, after migrating them to https (bug 667233).

Option 2: HSTS
Is HSTS is enabled, the browser would never go to http version of the website anyways. That would also solve the issue. However:
* It needs to be implemented by the website. There might be reasons why they won't (yet).
* HSTS is not bullet-proof, because it has an expiry.
Thus, this bug (option 1 above) would be a good addition that improves security.
Blocks: 1118400
Priority: -- → P3
Summary: Delete http passwords, if website is https only via HTTP redirect → Delete HTTP passwords, if website is HTTPS only via redirect / HSTS
Whiteboard: security:passwords
Summary: Delete HTTP passwords, if website is HTTPS only via redirect / HSTS → Delete/upgrade HTTP passwords, if website is HTTPS only via redirect / HSTS
You need to log in before you can comment on or make changes to this bug.