Closed Bug 1349681 Opened 7 years ago Closed 2 years ago

Show the lock with a strike-through in the address bar when insecure credit card fields are present

Categories

(Firefox :: Security, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
firefox-esr45 --- wontfix
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- affected

People

(Reporter: christoph.suter, Unassigned, NeedInfo)

References

(Blocks 2 open bugs)

Details

(Keywords: sec-want, Whiteboard: [form autofill])

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170316213829

Steps to reproduce:

http://http-credit-card.badssl.com/

This is a security check site. Firefox warns when Logins would be sent over http but not for Credit card forms.


Actual results:

just a test site


Expected results:

Firefox should warn user when credit card information would be sent over http.
(This is basically bug 1217142 but for credit card fields.)
Product: Core → Firefox
Summary: Cradit Crad form over http no warning → implement insecure form warning for credit card fields
Version: 51 Branch → unspecified
Whiteboard: [sec-insecure-third-party-site-reviewed]
Blocks: 1217142
Status: UNCONFIRMED → NEW
Has STR: --- → yes
Ever confirmed: true
Pretty sure we already had a bug on file for this but I can't find it now.

The Form Autofill team is working on this and it will be implemented at the same time as credit card autofill (for secure sites).
Whiteboard: [sec-insecure-third-party-site-reviewed] → [sec-insecure-third-party-site-reviewed] [DUPEME] [Form Autofill]
Bug 46590?
No, I saw that one but it's technically asking for a different thing and I wasn't sure if I wanted to change the meaning of that or if we want to ever do what it's suggesting.
I'm thinking of one already mentioning the autofill team/whiteboard.
Whiteboard: [sec-insecure-third-party-site-reviewed] [DUPEME] [Form Autofill] → [form autofill:M4]
See Also: → 46590
This should be in M3 since it likely requires changes outside of the autofill system extension to add an API to tell the address bar about the insecure credit card form.

This also requires new strings in the identity panel.

Juwei, can you specify the behaviour and strings (including the subview) for this on https://mozilla.invisionapp.com/share/7ZA4WEK9W#/screens/215537988

A credit card test page is at http://http-credit-card.badssl.com/ and you can see what we do with insecure logins forms at http://http-login.badssl.com/
Depends on: 1371149
Flags: needinfo?(jhuang)
OS: Unspecified → All
Hardware: Unspecified → All
Summary: implement insecure form warning for credit card fields → Show the lock with a strike-through in the address bar when insecure credit card fields are present
Whiteboard: [form autofill:M4] → [form autofill:M3]
In the spec, When the cursor focuses on the field, the warning note will be shown below the field. And the string is mostly telling users that autofill is disabled.
However, if we want to tell users that the whole website is insecure no matter using autofill or not, I guess a warning icon on address bar is also helpful.
Need info Ryan to see if he knows any similar behavior in password management and also control center ux Jacqueline.
Flags: needinfo?(rfeeley)
Flags: needinfo?(jsavory)
Flags: needinfo?(jhuang)
For logins, the insecure form warning appears at the same time as the lock in the URL bar.

See this example:
http://mysqueezebox.com/user/login

We should do the same for credit cards. It helps users connect the form dropdown (that looks like web content) with Firefox theb browser.

We can reuse the string from the insecure credit card dropdown in the control center panel too.
Flags: needinfo?(rfeeley)
Flags: needinfo?(jsavory)
Although it looks like we could sync up the behavior from password manager part, I think there's still some details and missing parts that need to be clarified:
 
For Juwei:
- In the original insecure password entry, there's a "more information" button in the next panel that will trigger a page info panel. I guess it's not necessary for credit card case. Could you confirm that whether we'll need this button or not?

- Could I reuse the string in insecure password entry and set:
  "Credit card number entered on this page could be compromised." in the first panel and
  "This credit card information you enter on this page is not secure and could be compromised." in the next panel

- There might be an edge case that the insecure page contains both password field and credit card form. Should we merge these two information in one entry, or show 2 identical entries separately?

For Vance:
- There already existed an insecure sumo page[1] for insecure password warning case. Even the content could be overlapped in credit card case, we might still need another page for insecure credit card warning. Could you please file a bug for it and notify sumo team about this? Bug 1371149 will also need this learn more page.

[1] https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox?as=u&utm_source=inproduct
Flags: needinfo?(vchen)
Flags: needinfo?(jhuang)
Assignee: nobody → schung
UX spec updated for this bug: https://mozilla.invisionapp.com/share/SRCKHSUG5#/243538165_3-1-2

(In reply to Steve Chung [:steveck] from comment #10)
> Although it looks like we could sync up the behavior from password manager
> part, I think there's still some details and missing parts that need to be
> clarified:
>  
> For Juwei:
> - In the original insecure password entry, there's a "more information"
> button in the next panel that will trigger a page info panel. I guess it's
> not necessary for credit card case. Could you confirm that whether we'll
> need this button or not?

Since credit card autofill data is not specifically for the web page. I agree we don't need this button.

> 
> - Could I reuse the string in insecure password entry and set:
>   "Credit card number entered on this page could be compromised." in the
> first panel and
>   "This credit card information you enter on this page is not secure and
> could be compromised." in the next panel

Looks good to me! Will ask for copy review.

> 
> - There might be an edge case that the insecure page contains both password
> field and credit card form. Should we merge these two information in one
> entry, or show 2 identical entries separately?

I don't have strong opinion on it. It can be control center's UX call.
Need info Jacqueline for more inputs.

> 
> For Vance:
> - There already existed an insecure sumo page[1] for insecure password
> warning case. Even the content could be overlapped in credit card case, we
> might still need another page for insecure credit card warning. Could you
> please file a bug for it and notify sumo team about this? Bug 1371149 will
> also need this learn more page.
> 
> [1]
> https://support.mozilla.org/en-US/kb/insecure-password-warning-
> firefox?as=u&utm_source=inproduct
Assignee: schung → nobody
Flags: needinfo?(jhuang) → needinfo?(jsavory)
I'm thinking that combining the messaging in the control center would be better than having two separate pieces. Something like "Credit cards and logins entered on this page could be compromised." 

The only piece I'm wondering about is if the 'learn more' button on the second panel leads to the same place for both credit cards and logins? If not, I'm thinking that on the second panel we could separate them out, if they do however we could combine them there as well. 

NI? to Ryan to see if he agrees with this approach.
Flags: needinfo?(jsavory) → needinfo?(rfeeley)
Just leave a note for current limitation while implementing credit card insecure warning: Right now we won't check whether page has credit card form or not until any input field focused, which means user can't not see the lock in the address bar before typing. It's because of the performance issue in bug 1364477 and we delay the form identification process for reducing page loading time.

Since we'll have bug 1371149 that displays a insecure warning in the drop down menu footer, it seems not that necessary to show the lock if we could only display it while typing(same timing for showing the warning footer). For engineering POV, it's unlikely that we'll move the form identification process to page loading time at current stage, so please be aware that it might not work as you expect if you still want this feature.
Whiteboard: [form autofill:M3] → [form autofill]
What I'd love to test is the very generic "Firefox has detected an insecure form. Details can be intercepted." which would work for credit cards and passwords.
https://ryanfeeley.github.io/password-dropdown/index.html?v=trial-b
Flags: needinfo?(rfeeley)
Keywords: sec-want

Firefox 102 does show crossed lock icon in address bar and temporarily disable Form Autofill for HTTP connections.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.