Closed Bug 909079 Opened 11 years ago Closed 11 years ago

User is not warned when submitting a password over insecure HTTP.

Categories

(Firefox :: Security, defect)

23 Branch
x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 261294

People

(Reporter: arthur, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)

Steps to reproduce:

Visit the example at http://arthuredelstein.github.io/insecure_password_example/
(Note HTTPS is not being used.)

1. Enter a fake username and password, choose HTTP Method "GET" and then press "submit".

2. Enter a fake username and password, choose HTTP Method "POST" and press submit.


Actual results:

1. The password is included in plaintext in the URL.

2. The password is included in plaintext in the HTTP POST request. The plaintext password can be observed using HttpFox or other network monitoring tool.


Expected results:

User should be warned:

> This website is not using encryption. Therefore you are about to send your password unencrypted over the internet. Your password is likely to be recorded by third parties. Are you sure you wish to proceed? (YES/CANCEL).

If the user presses CANCEL, the form submission should be canceled.

Perhaps this warning should be included in any form submission, but submitting forms containing passwords in clear HTTP is probably the most dangerous case.
Component: Untriaged → Security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Thanks for finding the original bug!
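
The GET and POST cases described in the report, as an added example that is not part of the original bug or of Firefox's code: a check a site owner could run over form descriptions to flag password fields that would be sent in cleartext or placed in the URL. The function name, finding labels and `example.test` forms are assumptions constructed for illustration.

```javascript
// Added example. Forms are described as plain objects (constructed sample
// data), not read from a live DOM.
function assessPasswordForm(pageUrl, form) {
  // Resolve the action as a browser does: relative to the page URL, with an
  // empty or missing action submitting back to the page itself.
  const target = new URL(form.action || '', pageUrl);
  // Anything other than "post" is treated as GET, the HTML default
  // (method="dialog" is not modelled here).
  const method = String(form.method || '').toLowerCase() === 'post' ? 'POST' : 'GET';
  const findings = [];
  const hasPassword = form.fields.some((f) => f.type === 'password');

  if (hasPassword) {
    // Report case 2 (and case 1): the request itself travels unencrypted.
    if (target.protocol !== 'https:') findings.push('cleartext-transport');
    // The page carrying the form was not fetched over HTTPS either.
    if (new URL(pageUrl).protocol !== 'https:') findings.push('insecure-page');
    // Report case 1: with GET the password becomes part of the URL.
    if (method === 'GET') findings.push('password-in-url');
  }
  return {
    target: target.href,
    method,
    findings,
    // The condition under which the report asks for a warning.
    warn: findings.includes('cleartext-transport'),
  };
}

// Constructed sample forms.
const LOGIN_FIELDS = [
  { name: 'username', type: 'text' },
  { name: 'password', type: 'password' },
];
const SAMPLES = [
  ['http://example.test/login/', { action: '', method: 'get', fields: LOGIN_FIELDS }],
  ['http://example.test/login/', { action: '', method: 'post', fields: LOGIN_FIELDS }],
  ['https://example.test/login/', { action: 'http://example.test/submit', method: 'post', fields: LOGIN_FIELDS }],
  ['https://example.test/login/', { action: '/session', method: 'post', fields: LOGIN_FIELDS }],
];

for (const [pageUrl, form] of SAMPLES) {
  const r = assessPasswordForm(pageUrl, form);
  console.log(r.method, r.target, r.warn ? 'WARN' : 'ok', r.findings.join(','));
}
```

The third sample shows a case the page's own scheme hides: an HTTPS page whose form posts to an HTTP action still sends the password unencrypted.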