Open
Bug 405120
Opened 17 years ago
Updated 2 years ago
security.warn_submit_insecure warning not used for HTTP basic access authentication
Categories
(Firefox :: Security, enhancement)
NEW
People
(Reporter: gonhidi, Unassigned)
Attachments (1 file): 7.79 KB, image/gif
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
When a webpage requests a username and a password using HTTP basic access authentication, the security.warn_submit_insecure parameter is ignored and the credentials are sent without a warning regardless of whether HTTP or HTTPS is being used.
Reproducible: Always
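The condition the report wants a warning for, as an added example (not Firefox code): it classifies a constructed 401 challenge by URL scheme and shows that a Basic response is only base64-encoded. The function names and sample values are assumptions made for illustration.

```javascript
// Added example: all inputs are constructed; function names are hypothetical.

// Return the lower-cased auth schemes offered in a WWW-Authenticate value.
// Challenges and their parameters share the comma separator, so a part
// starts a new challenge only if its first token is NOT followed by "=".
function offeredSchemes(headerValue) {
  const flat = headerValue
    .replace(/"(?:[^"\\]|\\.)*"/g, '""') // blank quoted strings (may hold commas)
    .replace(/\s*=\s*/g, "=");           // 'realm = x' -> 'realm=x'
  const schemes = [];
  for (const part of flat.split(",")) {
    const m = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?=\s|$)/.exec(part.trim());
    if (m) schemes.push(m[1].toLowerCase());
  }
  return schemes;
}

// Classify an auth prompt. "Offered" is not "used": a client may pick a
// different scheme when the server lists several.
function authPromptRisk(pageUrl, wwwAuthenticate) {
  if (!offeredSchemes(wwwAuthenticate).includes("basic")) return "no-basic-challenge";
  return new URL(pageUrl).protocol === "https:" ? "basic-over-tls" : "basic-cleartext";
}

// What a Basic response carries: base64("user:password"), an encoding,
// not encryption, so on plain HTTP it is readable by anyone on the path.
function decodeBasicCredentials(authorizationValue) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(authorizationValue.trim());
  if (!m) return null;
  const text = Buffer.from(m[1], "base64").toString("utf8");
  const i = text.indexOf(":"); // the user-id cannot contain ":", the password may
  return i < 0 ? null : { user: text.slice(0, i), password: text.slice(i + 1) };
}

// Constructed sample responses.
const samples = [
  ["http://www.example.com/private", 'Basic realm="staff, area"'],
  ["https://www.example.com/private", 'Basic realm="staff, area"'],
  ["http://www.example.com/private", 'Digest realm="x", nonce="a,b"'],
];
for (const [url, challenge] of samples) {
  console.log(url, "->", authPromptRisk(url, challenge));
}
const sent = "Basic " + Buffer.from("alice:s3cret").toString("base64");
console.log(sent, "->", decodeBasicCredentials(sent));
```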
Comment 1•17 years ago
That parameter is for form-submits, not for authentication.
Comment 2•17 years ago (Reporter)
Oh. I had interpreted it to be for any kind of user submission (HTTP basic access authentication being a particular kind). Doesn't it make sense to extend the meaning in such a way?
Appears when a site is using https and info being transmitted (in this case, a login) is not encrypted.
Comment 4•16 years ago
This happens every time you fill out a form on an https site that passes the information to an http site. It happens in Windows as well. To test this, look up a book on the Amherst College library home page: https://www.amherst.edu/library/
I would LOVE to find a way to turn this off, but there doesn't seem to be a switch for it as there is for other warning dialogs.
The discussion on this warning tends to go round and round on discussion boards:
http://forums.mozillazine.org/viewtopic.php?t=624223&
http://forums.mozillazine.org/viewtopic.php?f=7&t=625559
Comment 5•16 years ago
For searching purposes, the full text of the dialog box is:
Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?
Continue | Cancel
This is a VERY annoying bug in Firefox. Please fix this ASAP.
This happens regardless of any changes the user makes.
Comment 7•16 years ago
comment 3 through comment 6 have missed the point of this bug entirely: Gonzalo wants _more_ warnings, not fewer. Specifically, if a web site uses HTTP Authentication (which is a separate dialog box that pops up from the browser, not a form in a page) he wants to be warned when it's an insecure channel.
The dialog reads
Authentication Required
A username and password are being requested by
http://www.example.com
Whether the credentials will be secure or not is indicated by whether the dialog has https or plain http. I don't think we want a second warning dialog (ick!) but it would be nice to be able to see identity information on that dialog before you submitted (is the cert EV as expected?).
^Understood, however, the issue that us on comments 2 - 6 are talking about is very annoying. Should we submit a new bug?
Comment 9•16 years ago
no additional arguments needed, just supply a patch for bug 436200
Comment 10•16 years ago
I hope Gonzalo doesn't mind me changing the summary -- as initially specified this bug would be WONTFIX since that pref has nothing to do with non-form submits.
The Http Auth dialogs need to show identity information for secure sites (or allow access to that information), and need to make visible when sites are not using a secure path. Technically some of that information is visible in the scheme since we wouldn't get an auth dialog from a site with an invalid SSL cert, but it's not very obvious.
Could there be a Larry icon on that dialog? Grey for HTTP, maybe with a slash or question mark overlay for color-blind users, Blue for https and Green for EV?
A "view certificate" button?
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Mac OS X → All
Hardware: PowerPC → All
Summary: security.warn_submit_insecure warning not used for HTTP basic access authentication → HTTP authentication dialogs need to show identity (security/not-secure) information
Whiteboard: morphed at comment 10
Comment 11•15 years ago
Unmorphing. I think the original bug makes sense, and at least deserves its own well-reasoned WONTFIX. *Why* is the pref only about HTML form submission?
I'll make sure bug 399583 covers the problem of the http auth dialog not displaying site-identity information well.
Summary: HTTP authentication dialogs need to show identity (security/not-secure) information → security.warn_submit_insecure warning not used for HTTP basic access authentication
Whiteboard: morphed at comment 10
Comment 12•15 years ago
A quick note on this whole debate: it appears that this prompt still cannot be disabled by even a setting in about:config. I know there are some here that think there should be no reason to ever disable this warning, and perhaps they are right for normal human users.
However, the work I do is with browser automation (see http://seleniumhq.org and http://browsermob.com) and this issue is a real pain in the butt. I strongly urge the powers that be to add an option to suppress ALL modal dialog boxes, if only for the sake of testing and automation purposes.
Updated•2 years ago
Severity: normal → S3