Open Bug 1229745 Opened 9 years ago Updated 2 years ago

Delete/upgrade HTTP passwords, if website is HTTPS only via redirect / HSTS

Categories

(Toolkit :: Password Manager, enhancement, P3)

People

(Reporter: BenB, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: security:passwords)

Given:
* A large website with webmail service (e.g. mail.com or Yahoo) was previously http and had its login form there. Millions of users have their password stored in Firefox Password Manager under http://mail.com.
* The website migrates to https://mail.com, by doing a simple HTTP redirect.
* The user continues to enter "mail.com" in the URLbar.
* An attacker (e.g. on a Wifi network or by changing DNS) lets DNS mail.com point to an attacker website

That means:
* The Firefox Password Manager will happily fill in the password into http://mail.com and the attacker gets the password.

Solution:
Option 1 (this bug)

If Firefox detects that a website
1. redirects http (path = "/") to https OR
2. uses HSTS
then delete any password manager entries for http, after migrating them to https (bug 667233).

Option 2: HSTS
If HSTS is enabled, the browser would never go to the http version of the website anyway. That would also solve the issue. However:
* It needs to be implemented by the website. There might be reasons why they won't (yet).
* HSTS is not bullet-proof, because it has an expiry.
Thus, this bug (option 1 above) would be a good addition that improves security.
Blocks: 1118400
Priority: -- → P3
Summary: Delete http passwords, if website is https only via HTTP redirect → Delete HTTP passwords, if website is HTTPS only via redirect / HSTS
Whiteboard: security:passwords
Summary: Delete HTTP passwords, if website is HTTPS only via redirect / HSTS → Delete/upgrade HTTP passwords, if website is HTTPS only via redirect / HSTS
Severity: normal → S3