Closed
Bug 476797
Opened 15 years ago
Closed 15 years ago
Warn user when submitting non-encrypted form that contains <input type="password">
Categories
(Firefox :: General, enhancement)
RESOLVED DUPLICATE of bug 261294
People
(Reporter: mark, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121623 Ubuntu/8.10 (intrepid) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121623 Ubuntu/8.10 (intrepid) Firefox/3.0.5

I'm proposing a new Security Warning be added that warns the user if they submit a POST request to a non-SSL server and the form that makes up the POST request contains an input field with type="password."

Firefox currently has a warning when "I submit information that's not encrypted," but it is of limited usefulness because it's disabled by default and is burdensome when it is enabled because of the large number of false positives. The proposed warning would hopefully have far fewer false positives and could be enabled by default.

Reproducible: Always
I'd love to see this done, however note that it is no kind of panacea. Particularly, if an attacker has forced an SSL connection to be cleartext, it is also trivial for him to modify the form to use a regular INPUT element, and implement the masking using JavaScript. No warning would be produced in this case, yet to the user the password control would still appear visually the same. I still think this is great low-hanging fruit anyway.
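The check proposed in the description, written out as an added example (not Firefox code and not from this bug thread): a Python audit that lists the forms on a page which POST an `<input type="password">` to a non-HTTPS target. The class and function names and the `example.test` sample page are constructed for illustration; the third sample form shows the limitation raised in the reply above, since a form without a password-type input is never flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormAudit(HTMLParser):
    """Collect forms that match the warning condition proposed in this bug."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form = None        # form currently being parsed, if any
        self.findings = []      # resolved targets of forms that would warn

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.form = {
                "method": (a.get("method") or "get").lower(),
                "target": urljoin(self.page_url, a.get("action") or ""),
                "has_password": False,
            }
        elif tag == "input" and self.form is not None:
            if (a.get("type") or "text").lower() == "password":
                self.form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.form is not None:
            f, self.form = self.form, None
            # Any scheme other than https is treated as unencrypted.
            cleartext = urlsplit(f["target"]).scheme != "https"
            if f["method"] == "post" and f["has_password"] and cleartext:
                self.findings.append(f["target"])


def forms_that_would_warn(html, page_url):
    audit = PasswordFormAudit(page_url)
    audit.feed(html)
    audit.close()
    return audit.findings


# Constructed sample page; relative and empty actions depend on the page URL.
SAMPLE = """
<form method="post" action="http://example.test/login"><input type="password" name="p"></form>
<form method="POST" action="/login"><input type="PASSWORD" name="p"></form>
<form method="post" action="http://example.test/search"><input type="text" name="q"></form>
<form method="post"><input type=password name=p></form>
"""
```

Calling `forms_that_would_warn(SAMPLE, page_url)` with an `https://` page URL flags only the first form; with an `http://` page URL the relative and empty actions resolve to cleartext targets and are flagged as well.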
Comment 3•15 years ago
Dupe of bug 261294.
Reporter
Comment 4•15 years ago
I totally agree. Thank you, Andreas.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE