Closed Bug 476797 Opened 15 years ago Closed 15 years ago

Warn user when submitting non-encrypted form that contains <input type="password">

Categories

(Firefox :: General, enhancement)

RESOLVED DUPLICATE of bug 261294

People

(Reporter: mark, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121623 Ubuntu/8.10 (intrepid) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121623 Ubuntu/8.10 (intrepid) Firefox/3.0.5

I'm proposing a new Security Warning be added that warns the user if they submit a POST request to a non-SSL server and the form that makes up the POST request contains an input field with type="password".

Firefox currently has a warning when "I submit information that's not encrypted," but it is of limited usefulness because it's disabled by default and is burdensome when it is enabled because of the large number of false positives.

The proposed warning would hopefully have far fewer false positives and could be enabled by default.

Reproducible: Always
This is similar to bug 46590.
I'd love to see this done; however, note that it is no kind of panacea. Particularly, if an attacker has forced an SSL connection to be cleartext, it is also trivial for him to modify the form to use a regular INPUT element, and implement the masking using JavaScript.

No warning would be produced in this case, yet to the user the password control would still appear visually the same.

I still think this is great low-hanging fruit anyway.
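The rule proposed in this bug, and the gap noted in the comment above, as an added example that is not part of the original thread and is not Firefox code. The form descriptor shape, the function names and the sample forms are assumptions made for illustration.

```javascript
// Added illustration; not Firefox source. The descriptor shape
// { method, action, inputs: [{ type }] } and all names are hypothetical.

// An empty or missing action submits to the page's own URL;
// a relative action is resolved against the page URL.
function resolveTarget(form, pageUrl) {
  const action = (form.action || "").trim();
  return new URL(action === "" ? pageUrl : action, pageUrl);
}

// The type attribute is case-insensitive and defaults to "text".
function hasPasswordField(form) {
  return form.inputs.some((i) => (i.type || "text").toLowerCase() === "password");
}

// Proposed rule: warn on a POST whose target is plain HTTP
// when the form contains <input type="password">.
function shouldWarn(form, pageUrl) {
  if ((form.method || "get").toLowerCase() !== "post") return false;
  if (resolveTarget(form, pageUrl).protocol !== "http:") return false;
  return hasPasswordField(form);
}

// Constructed sample forms (example.test is a placeholder host).
const samples = {
  plainLogin: { page: "http://example.test/login",
    form: { method: "POST", action: "/session", inputs: [{ type: "text" }, { type: "Password" }] } },
  httpsPageHttpAction: { page: "https://example.test/login",
    form: { method: "post", action: "http://example.test/session", inputs: [{ type: "password" }] } },
  httpPageHttpsAction: { page: "http://example.test/login",
    form: { method: "post", action: "https://example.test/session", inputs: [{ type: "password" }] } },
  // No password field: the case that makes the existing generic warning noisy.
  search: { page: "http://example.test/",
    form: { method: "post", action: "", inputs: [{ type: "text" }] } },
  // The gap described in the comment: a regular INPUT masked by script
  // has no type="password", so the rule stays silent.
  scriptMasked: { page: "http://example.test/login",
    form: { method: "post", action: "/session", inputs: [{ type: "text" }, { type: "text" }] } },
};

function evaluateSamples() {
  const out = {};
  for (const [name, s] of Object.entries(samples)) out[name] = shouldWarn(s.form, s.page);
  return out;
}

console.log(evaluateSamples());
```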
Dupe of bug 261294.
I totally agree.  Thank you, Andreas.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE