Add warning to HTTP Basic auth prompt for non-HTTPS connections
Categories
(Firefox :: Security, enhancement)
People
(Reporter: mozilla, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: sec-want)
Attachments
(3 files)
Daniel Schierbeck:

*Relatively safe authentication methods*

.============================================.
| Authenticate                               |
|============================================|
| @@@ Enter username and password for Test   |
| @@@ at example.com                         |
|                                            |
| Username: [________________________]       |
| Password: [________________________]       |
| [x] Remember ...                           |
|                                            |
|        [ Authenticate ]        [ Cancel ]  |
'--------------------------------------------'

*Unsafe authentication methods (HTTP Basic)*

.============================================.
| Authenticate                               |
|============================================|
| @@@ Enter username and password for Test   |
| @@@ at example.com                         |
|                                            |
| Username: [________________________]       |
| Password: [________________________]       |
| [x] Remember ...                           |
|--------------------------------------------|
| /\ *Warning*: your username and password   |
|    will be sent in an insecure manner!     |
|--------------------------------------------|
|        [ Authenticate ]        [ Cancel ]  |
'--------------------------------------------'

The bar in the middle could have another color, to emphasize its importance. The dialog icon (the @'s) should be something like a set of keys, and not just a question mark.
Comment 1•17 years ago
This is somehow connected to bug 244273, which probably should be added as a dependency to 333520.
Comment 5•3 years ago
Showing a lock with a slash through it for all insecure non-local-IP http auth pages (similar to in-page password warning prompts) would be pretty easy, by updating the condition at: https://searchfox.org/mozilla-central/rev/2e3b0483e31abffe0b4374480a34c6d23f5186ea/toolkit/components/prompts/src/Prompter.jsm#1133-1135
Showing extra text could be done in the condition that uses this property at https://searchfox.org/mozilla-central/rev/2e3b0483e31abffe0b4374480a34c6d23f5186ea/toolkit/components/prompts/content/commonDialog.js#72-74
Johann, whose agreement do we need to get a warning text added here?
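An added illustration of the decision described in comment 5, not Firefox's own Prompter.jsm or commonDialog.js code: given the URL an auth challenge came from, decide whether the prompt should carry the warning bar from the mockup in comment 0. It assumes Node's WHATWG URL class; the loopback rule and the message strings are assumptions chosen for the example.

```javascript
// Example only (not Firefox code): should an HTTP auth prompt warn that
// credentials will travel in the clear?  Assumes Node's global URL class.

// Loopback hosts are treated as local and exempt from the warning, mirroring
// the "non-local-ip" carve-out in comment 5 (assumed rule, not Firefox's).
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && Number(m[1]) === 127; // 127.0.0.0/8
}

// Returns { warn, host, reason } for the origin of the auth challenge.
// An unparseable URL fails closed: the prompt warns rather than stays silent.
function classifyAuthPrompt(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { warn: true, host: urlString, reason: "unparseable URL, fail closed" };
  }
  if (url.protocol === "https:") {
    return { warn: false, host: url.hostname, reason: "TLS protects credentials" };
  }
  if (url.protocol === "http:" && isLoopbackHost(url.hostname)) {
    return { warn: false, host: url.hostname, reason: "loopback host" };
  }
  return { warn: true, host: url.hostname, reason: `credentials sent in the clear over ${url.protocol}` };
}

// Builds the dialog text, appending the warning bar only for insecure origins.
function buildAuthPromptText(realm, urlString) {
  const { warn, host } = classifyAuthPrompt(urlString);
  const lines = [`Enter username and password for ${realm} at ${host}`];
  if (warn) {
    lines.push("Warning: your username and password will be sent in an insecure manner!");
  }
  return lines.join("\n");
}

module.exports = { isLoopbackHost, classifyAuthPrompt, buildAuthPromptText };
```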
Comment 6•3 years ago
Comment 7•3 years ago
Comment 8•3 years ago
I would like to get warnings. The popup dialog has no warning, whereas a larger html http page with a login inside it will show a clear warning.
Comment 9•3 years ago
Huh, we didn't have this already? Well, then, I think it's a good idea, you seem to think it's a good idea, so that should be enough, from a module ownership perspective, to make it happen.
Not a high priority on my list unfortunately but maybe this can be put as a nice small self-contained project to pick up from our backlog.
cc Paul :)
Comment 10•2 years ago
If this gets fixed, then Firefox will help protect people from http phishing attacks and network traffic scraping.
Comment 11•2 years ago
Here is an example of a phishing website that uses only http, where this kind of warning could save a lot of Firefox customers a lot of trouble. Example was taken from:
https://www.metacompliance.com/blog/what-are-paypal-phishing-scams-and-how-to-spot-them/
Comment 12•2 years ago
(In reply to William Smith from comment #11)
> Created attachment 9256510 [details]
> paypal-2-700x304-1.jpg
>
> Here is an example of a phishing website that uses only http, where this kind of warning could save a lot of Firefox customers a lot of trouble. Example was taken from:
> https://www.metacompliance.com/blog/what-are-paypal-phishing-scams-and-how-to-spot-them/
What prevents the phishing site from using HTTPS to get rid of the warning? I think we're more concerned about MITM here.
Comment 13•2 years ago
Nothing prevents them from setting up https. But with Firefox (and Edge as well) not giving any warnings, they don't need to bother with setting up https. It looks exactly the same - no warning.