Closed
Bug 909079
Opened 11 years ago
Closed 11 years ago
User is not warned when submitting a password over insecure HTTP.
Categories
(Firefox :: Security, defect)
RESOLVED
DUPLICATE
of bug 261294
People
(Reporter: arthur, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)

Steps to reproduce:

Visit the example at http://arthuredelstein.github.io/insecure_password_example/ (Note HTTPS is not being used.)
1. Enter a fake username and password, choose HTTP Method "GET" and then press "submit".
2. Enter a fake username and password, choose HTTP Method "POST" and press submit.

Actual results:

1. The password is included in plaintext in the URL.
2. The password is included in plaintext in the HTTP POST request.

The plaintext password can be observed using HttpFox or other network monitoring tool.

Expected results:

User should be warned:
> This website is not using encryption. Therefore you are about to send your password unencrypted over the internet. Your password is likely to be recorded by third parties. Are you sure you wish to proceed? (YES/CANCEL).

If the user presses CANCEL, the form submission should be canceled.

Perhaps this warning should be included in any form submission, but submitting forms containing passwords in clear HTTP is probably the most dangerous case.
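The check requested in the report above, sketched as a page-level script. This is an added example, not part of the original report and not Firefox code; the function name, the plain-object form shape and the shortened warning text are assumptions made for illustration.

```javascript
// Added illustration, not Firefox code. Names and object shapes are assumptions.
// Warning text adapted (shortened) from the report's expected results.
const WARNING =
  "This website is not using encryption. Therefore you are about to send " +
  "your password unencrypted over the internet. Are you sure you wish to proceed?";

// form: { action, method, fields: [{ type }] } -- hypothetical plain-object shape.
// Returns whether to warn and where the cleartext password would travel.
function assessPasswordSubmission(pageUrl, form) {
  const hasPassword = form.fields.some(
    (f) => String(f.type).toLowerCase() === "password"
  );
  // An empty or missing action submits back to the page's own URL.
  const target = new URL(form.action || pageUrl, pageUrl);
  // Anything other than POST is treated as GET here (the HTML default).
  const method = String(form.method || "").toLowerCase() === "post" ? "POST" : "GET";
  const insecure = target.protocol === "http:";
  return {
    warn: hasPassword && insecure,
    method,
    // GET serialises fields into the query string; POST puts them in the body.
    exposedIn: hasPassword && insecure ? (method === "GET" ? "url" : "body") : null,
  };
}

// Browser wiring: ask before the submission leaves, cancel it on CANCEL.
if (typeof document !== "undefined") {
  document.addEventListener("submit", (event) => {
    const form = event.target;
    const verdict = assessPasswordSubmission(location.href, {
      action: form.getAttribute("action"),
      method: form.getAttribute("method"),
      fields: Array.from(form.elements).map((el) => ({ type: el.type })),
    });
    if (verdict.warn && !window.confirm(WARNING)) {
      event.preventDefault();
    }
  }, true);
}
```

The `submit` event does not fire for scripted `form.submit()` calls, so this page-level check covers only user-initiated submissions.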
Reporter
Updated•11 years ago
Component: Untriaged → Security
Updated•11 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 2•11 years ago
Thanks for finding the original bug!