840027 - When secure autocomplete fails, ask to the user if he wants to go to the unsecure version

Status: RESOLVED INACTIVE

(Firefox :: Address Bar, defect)

Description

[Marco Bonardo [:mak] (Away Apr 25 - May 5)]

With inline autocomplete we are in a situation where we can't tell off-hand if the root of a website may accept secure connections, when some of the subpages do.
Thus, when completing to the root we take the safest path, that is to complete to secure. This is cause doing the opposite may expose the user to security threats.  Unfortunately on some fancy web configurations the secure and unsecure pages are not properly splitted on separate subdomains, and we end up proposing error pages to the final user.

We can likely detect when a page is loaded through inline autocomplete suggestion  and it gives an error. Though, we can't automatically switch the user to the unsecure version, cause we may be seeing the classic man-in-the-middle attack.
What we can do is: if a root was inline autocompleted, show in the ssl error page the possibility to switch future autocomplete to the unsecure version (And visit that version immediately), with a really clear disclaimer that it should be done only on trusted networks.

Please, avoid replying in this bug ticket unless you have meaningful information on how to approach the bug in the current code or you have meaningful security insights on the matter.

Comment 1

[BMO Automation]

Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.