Closed Bug 287092 Opened 19 years ago Closed 19 years ago

Detect insecure fill-in/submission of CC numbers

Categories

(Core :: DOM: Core & HTML, enhancement)

enhancement
Not set
normal

RESOLVED WONTFIX

People

(Reporter: gerv, Unassigned)

Details

We should warn the user, either using a yellow info bar or a local popup, when
they type a number into an insecure form which passes a CC number validity check
(see URL and other resources on the web). 

Rationale: this is another bit of anti-phishing bar-raising, and user protection.

If we check submitted values, it's possible that a page author may use
JavaScript to scramble the values before submission. So we may want to run the
checking code onblur, and warn the user at that point.

Some sites use four separate boxes for the CC number; I'm not sure what we can
do about that. Still, if the original site used a single box and the phishing
site used four, that's another potential bit of difference a user might notice.

Gerv
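
The check proposed in the comment above, sketched as an added example (not code from this bug or from Gecko): a Luhn validity test over the form's text values, including the case where the number is split across several boxes. All function names are hypothetical; the 13 to 19 digit window and the definition of "insecure" (page or form action not served over https) are assumptions, and the sample values in the comments are constructed.

```javascript
// Added illustration: names and sample values are constructed, not Gecko code.

// Luhn checksum: double every second digit from the right, sum, test mod 10.
function passesLuhn(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Assumption: a card number is 13-19 digits once spaces and dashes are
// dropped, e.g. "4111 1111 1111 1111" (a constructed test value).
function looksLikeCardNumber(value) {
  const digits = value.replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && passesLuhn(digits);
}

// Candidates: every field on its own, plus every run of adjacent short
// digit-only fields joined together (the "four separate boxes" layout).
function candidates(fieldValues) {
  const vals = fieldValues.map(v => v.trim());
  const out = [...vals];
  for (let i = 0; i < vals.length; i++) {
    let joined = "";
    for (let j = i; j < vals.length && /^\d{1,6}$/.test(vals[j]); j++) {
      joined += vals[j];
      if (j > i) out.push(joined);
    }
  }
  return out;
}

// Assumption: "insecure" means the page or the submission target is not https.
function isInsecureForm(pageUrl, formAction) {
  const target = new URL(formAction || pageUrl, pageUrl);
  return new URL(pageUrl).protocol !== "https:" || target.protocol !== "https:";
}

// What a blur handler would call with the form's current text values.
function shouldWarn(pageUrl, formAction, fieldValues) {
  return isInsecureForm(pageUrl, formAction) &&
         candidates(fieldValues).some(looksLikeCardNumber);
}
```

Because this runs on field values at blur time rather than on the submitted data, it is unaffected by script that scrambles values before submission.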

Is this something you want as part of _Gecko_, or as part of the app? The app
can already register as a form submit observer if it wishes.... And certainly
Gecko is not going to be running random onblur handlers on everything in sight.

Blocks: 287153

Actually, even typing your numbers into a dodgy site could be enough to have
them captured. You don't need a form submission. The site could send each
character to the server as it's typed using XMLHttpRequest. There's not much we
can do about this.

IMO, a better approach is for the browser to have a heuristic-based phishing
detector, and if it's suspicious of a site, disable all form controls until the
user has followed the procedure to dismiss the yellow bar and enable them. There
are other bugs about this topic.

Gerv

OK. So should I just go ahead and wontfix this bug then? Doesn't sound like we
plan to add anything like this to Gecko...

Yeah. This is the wrong approach.

Gerv

Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
Component: HTML: Form Submission → DOM: Core & HTML