Closed Bug 1420398 Opened 7 years ago Closed 7 years ago

Web pages can bypass insecure field warning for passwords over HTTP using custom fonts

Categories

(Firefox :: Untriaged, defect)

57 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1413344

People

(Reporter: riley, Unassigned)

Details

Attachments

(1 file)

Attached file ff_poc.tar.gz
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171112125346

Steps to reproduce:

1. Download ff_poc.tar.gz and extract it into a web server directory.
2. Using HTTP, access the page ff_poc/bypass.html
3. Start typing into the field.


Actual results:

You will not see the insecure field warning pop up, and the padlock in the address bar does not have a red line through it.

This could mislead users into submitting their password using the form, because they do not see the warning which Firefox is meant to show when submitting passwords over an insecure connection, yet the field appears to be a password field.


Expected results:

The expected results can be seen by accessing ff_poc/expected.html and typing. There should be a padlock with a red line through it in the address bar, and when you are typing in the field, you should see the notification "This connection is not secure. Logins entered here could be compromised. Learn more". (Please note that this message may not appear on some local pages - for me, when I access the page using "localhost" or "127.0.0.1", the message does not appear, but when I access it using "127.0.0.18", it does.)

It is trivial to make a field look like a password field without using <input type="password"> by using a custom font, and if this problem is unfixed, webmasters who do not want to use HTTPS for whatever reason will do this to avoid complaints.

There are several potential ways that this could be fixed. At present, my thought is that if a form which uses untrusted fonts to display user input is submitted over HTTP, the warning should still be displayed. Another solution would be to make fields with <input type="password"> look different to other fields in a way that is impossible to replicate, though I'm not sure how simple this is.

This is already well-known (publicized on twitter and elsewhere, cf. https://twitter.com/troyhunt/status/925462678516019200 ) and was filed as bug 1413344. We are working on other ways of deprecating HTTP, but we don't intend to play the cat and mouse game with web authors for this particular warning - it's not worth playing. See bug 1413344 comment 5 and bug 1413344 comment 2, especially.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
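
The heuristic proposed in the report (treat a non-password field drawn in a page-supplied font on an HTTP page as a possible disguised password field) can be run as an offline audit of saved markup. This is an added example, not code from the bug, its attachment or Firefox; the sample page, the font name "dots" and the names `FieldAudit` and `suspicious_fields` are constructed for illustration, and only inline `style` attributes are inspected, so legitimate web-font use will also be flagged.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: "dots" stands in for a font whose glyphs all look like bullets.
SAMPLE = """<style>@font-face { font-family: "dots"; src: url(dots.woff); }</style>
<form action="/login" method="post">
<input type="text" name="user">
<input type="text" name="secret" style="font-family: dots, monospace">
</form>"""

FONT_FACE = re.compile(r"@font-face\s*\{[^}]*?font-family\s*:\s*['\"]?([^;'\"}]+)", re.I)
FONT_USE = re.compile(r"font-family\s*:\s*([^;]+)", re.I)
TEXT_TYPES = {"", "text", "search", "tel", "email", "url"}

class FieldAudit(HTMLParser):
    """Collect <style> text and the attributes of every <input>."""
    def __init__(self):
        super().__init__()
        self.css, self.inputs, self._in_style = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        elif tag == "input":
            self.inputs.append({k: (v or "") for k, v in attrs})
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self.css += data

def suspicious_fields(url, html):
    """Names of non-password inputs on an http:// page styled inline with a page-supplied font."""
    if not url.lower().startswith("http://"):
        return []
    audit = FieldAudit()
    audit.feed(html)
    web_fonts = {f.strip().lower() for f in FONT_FACE.findall(audit.css)}
    hits = []
    for attrs in audit.inputs:
        if attrs.get("type", "").lower() not in TEXT_TYPES:
            continue  # real password fields already get the browser's own warning
        m = FONT_USE.search(attrs.get("style", ""))
        used = {f.strip(" '\"").lower() for f in m.group(1).split(",")} if m else set()
        if used & web_fonts:
            hits.append(attrs.get("name") or attrs.get("id") or "<unnamed>")
    return hits
```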