Open Bug 333521 Opened 20 years ago Updated 9 months ago

Add warning to HTTP Basic auth prompt for non-HTTPS connections

Categories

(Firefox :: Security, enhancement, P2)

2.0 Branch
enhancement


People

(Reporter: mozilla, Assigned: descalante, Mentored)

References

(Blocks 2 open bugs)

Details

(Keywords: sec-want)

Attachments

(5 files, 1 obsolete file)

Daniel Schierbeck:

*Relatively safe authentication methods*

.============================================.
| Authenticate                               |
|============================================|
| @@@ Enter username and password for Test   |
| @@@ at example.com                         |
|                                            |
| Username: [________________________]       |
| Password: [________________________]       |
| [x] Remember ...                           |
|                                            |
| [ Authenticate ]                [ Cancel ] |
'--------------------------------------------'

*Unsafe authentication methods (HTTP Basic)*

.============================================.
| Authenticate                               |
|============================================|
| @@@ Enter username and password for Test   |
| @@@ at example.com                         |
|                                            |
| Username: [________________________]       |
| Password: [________________________]       |
| [x] Remember ...                           |
|--------------------------------------------|
| /\ *Warning*: your username and password   |
|    will be sent in an insecure manner!     |
|--------------------------------------------|
| [ Authenticate ]                [ Cancel ] |
'--------------------------------------------'

The bar in the middle could have another color, to emphasize its importance. The dialog icon (the @'s) should be something like a set of keys, and not just a question mark.
This is somehow connected to bug 244273, which probably should be added as a dependency to 333520.
Summary: Add warning to HTTP Basic auth prompt → Add warning to HTTP Basic auth prompt for non-HTTPS connections
Blocks: 411085
Blocks: 1217142

Showing a lock with / through it for all insecure non-local-ip http auth pages (similar to in-page password warning prompts) would be pretty easy, by updating the condition at: https://searchfox.org/mozilla-central/rev/2e3b0483e31abffe0b4374480a34c6d23f5186ea/toolkit/components/prompts/src/Prompter.jsm#1133-1135 .

Showing extra text could be done in the condition that uses this property at https://searchfox.org/mozilla-central/rev/2e3b0483e31abffe0b4374480a34c6d23f5186ea/toolkit/components/prompts/content/commonDialog.js#72-74 .

Johann, whose agreement do we need to get a warning text added here?

Flags: needinfo?(jhofmann)
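As an added illustration of the condition discussed in the comment above (this is example JavaScript written for this page, not Firefox's Prompter.jsm or commonDialog.js code, and it assumes a Node.js runtime for Buffer): a predicate that decides when an auth prompt should carry the insecure warning, treating only localhost and loopback addresses as "local" (an assumption about what "non-local-ip" means here; RFC 1918 hosts such as 192.168.1.1 still get the warning, since a LAN attacker can still read the traffic), plus helpers that build and decode the Basic Authorization header to show that the credentials are merely base64-encoded, not protected.

```javascript
// Added example (not Firefox code): when should an HTTP auth prompt warn that
// credentials will be sent in clear text, and what does HTTP Basic actually send?

// Hostnames that name the local machine. Assumption: this is what the
// "non-local-ip" carve-out in the comment above refers to.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "[::1]"]);

// True for localhost, *.localhost, ::1 and any 127.0.0.0/8 address.
function isLocalHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (LOCAL_HOSTS.has(h) || h.endsWith(".localhost")) return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// True when credentials typed into the prompt would travel unencrypted.
// https: never warns; http: warns unless the host is the local machine.
// Other schemes (file:, ftp:, ...) are out of scope for this example.
function authPromptIsInsecure(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "https:") return false;
  if (url.protocol !== "http:") return false;
  return !isLocalHost(url.hostname);
}

// The Authorization header a browser sends after the user clicks "Authenticate".
// There is no key and no hashing: it is base64("user:pass").
function basicAuthHeader(username, password) {
  const token = Buffer.from(`${username}:${password}`, "utf8").toString("base64");
  return `Basic ${token}`;
}

// What a passive observer on a plain-HTTP connection recovers from that header.
// Only the first ':' separates user from password; passwords may contain ':'.
function decodeBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(headerValue.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const idx = decoded.indexOf(":");
  if (idx === -1) return null;
  return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

// Constructed sample URLs a prompt might be shown for.
const samples = [
  "http://example.com/admin",
  "https://example.com/admin",
  "http://localhost:8080/",
  "http://127.0.0.1/",
  "http://[::1]/",
  "http://192.168.1.1/",
];
for (const s of samples) {
  console.log(s, authPromptIsInsecure(s) ? "WARN: cleartext credentials" : "no warning");
}

// Constructed credentials (the RFC 7617 example), sent and then "sniffed".
const header = basicAuthHeader("Aladdin", "open sesame");
console.log(header, decodeBasicAuth(header));
```

The point of the second half is the one the reporter's mockup makes: over plain HTTP the Authorization header is readable by anyone on the path, so the warning belongs on the prompt itself rather than only on HTML login forms.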
Attached image http_firefox.png
Attached image http_chrome.png

I would like to get warnings. The popup dialog has no warning, whereas a larger html http page with a login inside it will show a clear warning.

Type: defect → enhancement
Keywords: sec-want
See Also: → 405120

Huh, we didn't have this already? Well, then, I think it's a good idea, you seem to think it's a good idea, so that should be enough, from a module ownership perspective, to make it happen.

Not a high priority on my list unfortunately but maybe this can be put as a nice small self-contained project to pick up from our backlog.

cc Paul :)

Flags: needinfo?(mail)

If this gets fixed, then Firefox will help protect people from http phishing attacks and network traffic scraping.

Attached image paypal-2-700x304-1.jpg

Here is an example of a phishing website that uses only http, where this kind of warning could save a lot of Firefox customers a lot of trouble. Example was taken from:
https://www.metacompliance.com/blog/what-are-paypal-phishing-scams-and-how-to-spot-them/

(In reply to William Smith from comment #11)

Created attachment 9256510 [details]
paypal-2-700x304-1.jpg

Here is an example of a phishing website that uses only http, where this kind of warning could save a lot of Firefox customers a lot of trouble. Example was taken from:
https://www.metacompliance.com/blog/what-are-paypal-phishing-scams-and-how-to-spot-them/

What prevents the phishing site from using HTTPS to get rid of the warning? I think we're more concerned about MITM here.

Nothing prevents them from setting up https. But with Firefox (and Edge as well) not giving any warnings, they don't need to bother with setting up https. It looks exactly the same - no warning.

Severity: normal → S3

Hi! A friend @edwyn.zhou and I wanted to pick up this project, we are part of the UTOSS Firefox project team at UofT. We wanted to know if you are set on the string or if you prefer the lock?

Flags: needinfo?(edwyn.zhou)

(In reply to Diego Ciudad Real from comment #14)

Hi! A friend @edwyn.zhou and I wanted to pick up this project, we are part of the UTOSS Firefox project team at UofT. We wanted to know if you are set on the string or if you prefer the lock?

Would we be able to take a look at this?

Flags: needinfo?(edwyn.zhou) → needinfo?(manuel)

Hi, sure. I'd greatly appreciate if you can take a look here and try to resolve. I don't have time right now to work on this myself, but think this is really valuable to fix. If you need help, feel free to reach out on Matrix #anti-tracking:mozilla.org and ping me (@mbucher:mozilla.com).

It is currently impossible to set two assignees on bugzilla: Bug 1501114. Feel free to collaborate and write the patch however you like. If you both work on a patch (and it turns out to be a single one) you can use the Co-Authored-By:-syntax

Assignee: nobody → diegociudadreale
Mentor: manuel, harshit.sohaney
Flags: needinfo?(manuel)

I think this is a P2, as I think we really want to fix this bug. The current design lacks valuable information. However, don't feel pressurized by this decision. This bug has been open for a long time and it is fine if it takes some time to resolve.

Priority: -- → P2

(In reply to Manuel Bucher [:manuel] from comment #16)

Hi, sure. I'd greatly appreciate if you can take a look here and try to resolve. I don't have time right now to work on this myself, but think this is really valuable to fix. If you need help, feel free to reach out on Matrix #anti-tracking:mozilla.org and ping me (@mbucher:mozilla.com).

It is currently impossible to set two assignees on bugzilla: Bug 1501114. Feel free to collaborate and write the patch however you like. If you both work on a patch (and it turns out to be a single one) you can use the Co-Authored-By:-syntax

Sounds good, thank you so much!

See Also: → 1767292

Hey meridel, wanted to loop you into this for a UX perspective. I've attached a screenshot of what the dialog looks like with the patch that Diego and Edwyn put up. Let us know what your thoughts are!

Flags: needinfo?(mwalkington)
Flags: needinfo?(mwalkington)

attached to wrong bug

Attachment #9441719 - Attachment is obsolete: true