Closed Bug 204992 Opened 22 years ago Closed 22 years ago

HTTP authentication password dialog does not indicate whether SSL will be used

Categories

(Core :: Security, enhancement)

x86
Linux
enhancement
Not set
normal

VERIFIED DUPLICATE of bug 38019

People

(Reporter: mozillaOrg, Assigned: security-bugs)

Details

User-Agent: Mozilla/3.01Gold (Macintosh; I; 68K)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020823

If using a link or a bookmark to visit a page that is protected by HTTP Authentication, there is no indication whether SSL will be used. Specifically, the URL one tries to load is not displayed (even the status bar at the bottom only displays the FQDN, not the protocol, i.e. it displays 'connecting to www.foo.bar' rather than 'connecting to http://www.foo.bar'). This implies that a password can accidentally be sent in cleartext.

Reproducible: Always

Steps to Reproduce:
1. visit a page that uses HTTP authentication
2. bookmark it
3. quit browser, start again, visit page
4. try to determine - before the password is sent - whether SSL will be used ...

Actual Results: The protocol (HTTP or HTTPS) could only be determined after the password was sent and the page was loaded.

Expected Results: Display the protocol that will be used, preferentially well visible, e.g. by an icon in the authentication dialog.
Related to bug 115500, but that one wants to warn about basic and digest authentication. See also bug 136106, which wants to warn the user before sending a clear password.

I haven't found any dupes, and it's a pretty reasonable request, so I'm marking this as New. There should be a relation between these 3 bugs, but I still have to figure out which bug depends on which.

PS: your user-agent is a bit funny. Last time that I used Netscape 3 on a 68K Mac was a /really/ long time ago :-)
Status: UNCONFIRMED → NEW
Ever confirmed: true
*** This bug has been marked as a duplicate of 38019 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Verified
Status: RESOLVED → VERIFIED
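
The check the report asks for, sketched as an added example (not code from Mozilla or from this bug): given the URL about to be loaded and the server's `WWW-Authenticate` challenge, it derives what a prompt could show before the password is sent. The function names, the result fields and the Digest-over-Basic preference are assumptions.

```javascript
// Added example: decide what an HTTP auth prompt should show before any
// credentials are sent. Function and field names are hypothetical.

// Return the auth scheme names offered in a WWW-Authenticate header value.
// Handles bare schemes and challenges that carry name=value parameters.
function offeredSchemes(headerValue) {
  // Blank out quoted strings first so commas or words inside a realm
  // cannot be mistaken for the start of another challenge.
  const bare = headerValue.replace(/"(?:[^"\\]|\\.)*"/g, '""');
  const schemes = [];
  // A scheme is a token at the start or after a comma that is followed by
  // whitespace and then a parameter (name=...), or by nothing at all.
  const re = /(?:^|,)\s*([A-Za-z][A-Za-z0-9-]*)(?=\s+[A-Za-z0-9_-]+\s*=|\s*(?:,|$))/g;
  let m;
  while ((m = re.exec(bare)) !== null) schemes.push(m[1].toLowerCase());
  return schemes;
}

// Classify the prompt for a protected URL and the server's challenge.
function describeAuthPrompt(urlString, wwwAuthenticate) {
  const url = new URL(urlString);
  const schemes = offeredSchemes(wwwAuthenticate);
  const encrypted = url.protocol === 'https:';
  // Assumption: the client answers Digest when offered, otherwise Basic.
  const chosen = schemes.includes('digest') ? 'digest'
    : schemes.includes('basic') ? 'basic' : (schemes[0] || 'unknown');
  let exposure;
  if (encrypted) exposure = 'encrypted';
  // Basic sends base64(user:password), which anyone on the path can decode.
  else if (chosen === 'basic') exposure = 'cleartext-password';
  else exposure = 'unencrypted';
  return {
    // Take the origin (scheme included) from the URL, never from the
    // server-supplied realm text.
    origin: url.origin,
    chosen,
    exposure,
    warn: exposure !== 'encrypted',
  };
}

// Constructed sample input, using the host name from the report.
const sample = describeAuthPrompt('http://www.foo.bar/private/',
  'Basic realm="Staff, area"');
console.log(`${sample.origin} wants a password (${sample.chosen}): ${sample.exposure}`);
```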