Open Bug 548925 Opened 15 years ago Updated 10 months ago

should have about:config booleans to disable basic/digest/ntlm/... authentication

Categories

(Core :: Security, enhancement)

Product:
Core
Component:
Security
Type:
enhancement

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: quartz12h, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729) Even if there is no time to do a UI for this, there should be about:config booleans to disable basic/digest/ntlm/... authentication independantly. This is while waiting for the other UI improvements, like the warnings and such (already files in bugzilla). The point is that I don't quite care about a dialog with a yellow warning or else. I want this basic digest DISABLED. Period. I would be ok with a simple property in about:config. Reproducible: Always
Why do you want to disable this?
You mean you don't know that basic authentication has no security whatsoever? That it is using a trivial and reversible base64 of the username password? Please, read on the topic. It is as important as denying ssl2, warning a POST is not encrypted, or warming you have leaving an unencrypted page, etc...
No need to be snippy, I was just asking to understand your use-case because you didn't say what the problem was. If you don't want to use HTTP auth, why is clicking cancel not sufficient?
As far as the user can tell, there is no difference between NTLM authentication and basic. It is the same plain dialog. He risk submitting his credential over basic without knowing. I need (and would agree to use NTLM and digest authentication). But I cannot tell if the dialog is one of those rather than for basic. A user cannot tell apart when he is using NTLM or digest versus basic. This is already in a UI enhancement, but the point here is to have the browser be capable of protecting the users from themselves in case they don't pay attention to the 'eventual' distinct look and feel of unsecure authentication. As I said, this is a similar protection as setting the boolean property to false for various ssl v2, and buch of cipher suites. I don't see a big effort here. The boolean is not allowing basic? go straight to whatever the cancel button does, without resorting to the dialog. If possible (I mean if quickly feasible), set the dialog title to label the type of authentication (ntlm, digest, basic, etc. if any other). This would already help a lot. Could actually be enough because at least we would know.
To be complete, these properties have to distinguish also the plain http from the https. In corporate intranets, it is relatively safe to accept basic or digest or else if they are over httpS (ssl/tls). So a firefox user should automatically have: _somesuitableprefix_.authentication.allow.basic.http=false _somesuitableprefix_.authentication.allow.basic.https=true inspired from http://en.wikipedia.org/wiki/Digest_access_authentication _somesuitableprefix_.authentication.allow.digest.unsalted.http=false _somesuitableprefix_.authentication.allow.digest.unsalted.https=true _somesuitableprefix_.authentication.allow.digest.salted.http=true _somesuitableprefix_.authentication.allow.digest.salted.https=true _somesuitableprefix_.authentication.allow.ntlm.http=true _somesuitableprefix_.authentication.allow.ntlm.https=true
Severity: normal → S3

Hello everyone,
we also need a way to disable basic authentication in Firefox prevent our users accidentally publishing their passwords via unprotected connections.
Is there still an implementation planned here?

Regards,
Wolfgang

You need to log in before you can comment on or make changes to this bug.