Closed Bug 840027 Opened 7 years ago Closed 2 years ago

When secure autocomplete fails, ask to the user if he wants to go to the unsecure version

Categories

(Firefox :: Address Bar, defect)

RESOLVED INACTIVE

People

(Reporter: mak, Unassigned)

With inline autocomplete we are in a situation where we can't tell off-hand if the root of a website may accept secure connections, when some of the subpages do.
Thus, when completing to the root we take the safest path, that is to complete to secure. This is because doing the opposite may expose the user to security threats. Unfortunately on some fancy web configurations the secure and unsecure pages are not properly split on separate subdomains, and we end up proposing error pages to the final user.

We can likely detect when a page is loaded through an inline autocomplete suggestion and it gives an error. Though, we can't automatically switch the user to the unsecure version, because we may be seeing the classic man-in-the-middle attack.
What we can do is: if a root was inline autocompleted, show in the SSL error page the possibility to switch future autocomplete to the unsecure version (and visit that version immediately), with a really clear disclaimer that it should be done only on trusted networks.

Please, avoid replying in this bug ticket unless you have meaningful information on how to approach the bug in the current code or you have meaningful security insights on the matter.
Summary: When secure autocomplete failes, ask to the user if he wants to go to the unsecure version → When secure autocomplete fails, ask to the user if he wants to go to the unsecure version
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INACTIVE