Open Bug 405120 Opened 17 years ago Updated 2 years ago

security.warn_submit_insecure warning not used for HTTP basic access authentication

Categories

(Firefox :: Security, enhancement)

enhancement

People

(Reporter: gonhidi, Unassigned)

References

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9

When a webpage requests a username and a password using HTTP basic access authentication, the security.warn_submit_insecure parameter is ignored and the credentials are sent without a warning regardless of whether HTTP or HTTPS is being used.

Reproducible: Always
That parameter is for form-submits, not for authentication.
Oh. I had interpreted it to be for any kind of user submission (HTTP basic access authentication being a particular kind). Doesn't it make sense to extend the meaning in such a way?
Attached image Warning Message gif
Appears when a site is using https and info being transmitted (in this case, a login) is not encrypted.
This happens every time you fill out a form on an https site that passes the information to an http site. It happens in Windows as well. To test this, look up a book on the Amherst College library home page: https://www.amherst.edu/library/ I would LOVE to find a way to turn this off, but there doesn't seem to be a switch for it as there is for other warning dialogs. The discussion on this warning tends to go round and round on discussion boards: http://forums.mozillazine.org/viewtopic.php?t=624223& http://forums.mozillazine.org/viewtopic.php?f=7&t=625559
For searching purposes, the full text of the dialog box is: Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information? Continue | Cancel
This is a VERY annoying bug in Firefox. Please fix this ASAP. This happens regardless of any changes the user makes.
comment 3 through comment 6 have missed the point of this bug entirely: Gonzalo wants _more_ warnings, not fewer. Specifically, if a web site uses HTTP Authentication (which is a separate dialog box that pops up from the browser, not a form in a page) he wants to be warned when it's an insecure channel. The dialog reads "Authentication Required. A username and password are being requested by http://www.example.com". Whether the credentials will be secure or not is indicated by whether the dialog has https or plain http. I don't think we want a second warning dialog (ick!) but it would be nice to be able to see identity information on that dialog before you submitted (is the cert EV as expected?).
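The two credential paths contrasted in the comment above, as an added example that is not part of this bug's discussion or of Firefox's code: the condition security.warn_submit_insecure actually checks (an https page whose form action is plain http) next to the Basic auth path, where the credentials go back to whatever URL issued the 401 challenge and the scheme of that URL is the only signal the user gets. The hostnames, realm and credentials are constructed for the example; the base64 helper uses Node's Buffer.

```javascript
// Added example; models the two credential paths discussed in this bug.
// All URLs, realms and credentials below are hypothetical sample input.

// The check behind security.warn_submit_insecure: a form on an https page
// whose action resolves to plain http. Relative actions resolve against
// the page URL, so they inherit its scheme and do not trigger the warning.
function formSubmitIsInsecure(pageUrl, actionUrl) {
  const page = new URL(pageUrl);
  const action = new URL(actionUrl, pageUrl);
  return page.protocol === 'https:' && action.protocol === 'http:';
}

// The auth-dialog path: credentials are sent to the URL that returned the
// 401 challenge, so the scheme of that URL decides whether they travel in
// the clear. No page-level pref is consulted.
function basicAuthIsInsecure(challengeUrl) {
  return new URL(challengeUrl).protocol === 'http:';
}

// Parse a Basic challenge such as 'Basic realm="Library"' (constructed
// sample, not a real server's header).
function parseBasicChallenge(value) {
  const m = /^Basic\s+realm="([^"]*)"/i.exec(value.trim());
  return m ? { scheme: 'Basic', realm: m[1] } : null;
}

// What the "Authentication Required" dialog can tell the user: the realm,
// the origin asking for credentials, and (derived from the scheme) whether
// the submission would be unencrypted.
function describeAuthPrompt(challengeUrl, wwwAuthenticate) {
  const challenge = parseBasicChallenge(wwwAuthenticate);
  if (!challenge) return null;
  const u = new URL(challengeUrl);
  return {
    realm: challenge.realm,
    requestedBy: u.origin,
    insecure: u.protocol === 'http:',
  };
}

// The Authorization header Basic auth sends: base64 of "user:pass".
// This is encoding, not encryption.
function basicAuthHeader(user, pass) {
  return 'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
}

// What an on-path observer recovers from that header over plain http.
// Only the first ':' separates user from password, so passwords may
// themselves contain ':'.
function decodeBasicAuthHeader(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Sample run over constructed input.
const prompt = describeAuthPrompt('http://www.example.com/', 'Basic realm="Library"');
console.log(prompt); // { realm: 'Library', requestedBy: 'http://www.example.com', insecure: true }
console.log(decodeBasicAuthHeader(basicAuthHeader('gonzalo', 's3cret:pw')));
console.log(formSubmitIsInsecure('https://www.example.com/library/', 'http://catalog.example.com/search'));
```

The point the decode helper makes is the one the bug rests on: a Basic credential sent to an http:// origin is readable by anyone on the path, exactly like a form posted from an https page to an http action, yet only the latter case is covered by the pref.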
^Understood, however, the issue that those of us on comments 2 - 6 are talking about is very annoying. Should we submit a new bug?
no additional arguments needed, just supply a patch for bug 436200
I hope Gonzalo doesn't mind me changing the summary -- as initially specified this bug would be WONTFIX since that pref has nothing to do with non-form submits. The Http Auth dialogs need to show identity information for secure sites (or allow access to that information), and need to make visible when sites are not using a secure path. Technically some of that information is visible in the scheme since we wouldn't get an auth dialog from a site with an invalid SSL cert, but it's not very obvious. Could there be a Larry icon on that dialog? Grey for HTTP, maybe with a slash or question mark overlay for color-blind users, Blue for https and Green for EV? A "view certificate" button?
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Mac OS X → All
Hardware: PowerPC → All
Summary: security.warn_submit_insecure warning not used for HTTP basic access authentication → HTTP authentication dialogs need to show identity (security/not-secure) information
Whiteboard: morphed at comment 10
Unmorphing. I think the original bug makes sense, and at least deserves its own well-reasoned WONTFIX. *Why* is the pref only about HTML form submission? I'll make sure bug 399583 covers the problem of the http auth dialog not displaying site-identity information well.
Summary: HTTP authentication dialogs need to show identity (security/not-secure) information → security.warn_submit_insecure warning not used for HTTP basic access authentication
Whiteboard: morphed at comment 10
A quick note on this whole debate: it appears that this prompt still cannot be disabled by even a setting in about:config. I know there are some here that think there should be no reason to ever disable this warning, and perhaps they are right for normal human users. However, the work I do is with browser automation (see http://seleniumhq.org and http://browsermob.com) and this issue is a real pain in the butt. I strongly urge the powers that be to add an option to suppress ALL modal dialog boxes, if only for the sake of testing and automation purposes.
See Also: → 333521
Severity: normal → S3