Open
Bug 136106
Opened 23 years ago
Updated 2 years ago
mozilla should warn users before transmitting username and password unencrypted
Categories
(Core :: Security, defect)
Tracking
NEW
Future
People
(Reporter: darin.moz, Assigned: dveditz)
before sending a user's username and password in the clear, mozilla should
really warn the user. this applies, for example, to FTP auth and HTTP basic
auth. it seems really bad that we don't alert users to the potential risk
associated with sending their username and password out over the internet in the
clear.
perhaps this is more significant now, given that HTTP and FTP upload (used by
editor's new publish feature) generally require a password.
Updated•23 years ago (Reporter)
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.0.1
Comment 1•23 years ago
Sure, toss an alert or something. Be sure that the dialog can be "remembered" so
that it isn't shown all of the time and that the text is verbose enough to
indicate that the problem is NOT with the client.
Are we too late for this - UI is frozen, right?
Comment 2•23 years ago (Reporter)
too late for mozilla 1.0 probably. but we should be free to make UI changes
after 1.0.
as for the impl of this, i almost think it'd be nice to include the warning on
the auth prompt. it could be as simple as some bold text added to the existing
dialog, which would mean adding a flag to the nsIAuthPrompt methods.
Comment 3•23 years ago
how about just appending your warning to the |text| of the dialog?
Comment 4•23 years ago (Reporter)
hmm... in a pinch, sure. but, i'd rather allow the UI team to come up with
something more overt if they wanted to.
Updated•22 years ago (Reporter)
Target Milestone: mozilla1.0.1 → ---
-> Security. They can decide what to do about this.
Proxy-auth uses HTTP auth, so it suffers from the same problem.
Assignee: darin → mstoltz
Status: ASSIGNED → NEW
Component: Networking → Security: General
QA Contact: benc → bsharma
Comment 7•21 years ago
See also bug 115500 and bug 204992.
<quote>
before sending a user's username and password in the clear, mozilla should
really warn the user. this applies, for example, to FTP auth and HTTP basic
auth. it seems really bad that we don't alert users to the potential risk
associated with sending their username and password out over the internet
in the clear.
</quote>
Could there be an exception to this? I mean, is it not possible to
send username and password without user intervention if the request
is coming from LAN?
Please see my post http://forums.mozillazine.org/viewtopic.php?t=41623
for a more verbose explanation of the reasons.
Updated•18 years ago (Assignee)
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit
Updated•2 years ago
Severity: normal → S3
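The check this bug asks for, as an added example that is not part of the bug report or Mozilla's code: it decides whether answering an auth challenge would expose the password (FTP, or HTTP Basic over plain HTTP) and shows what a Basic header reveals to anyone who can read the request. The function names, the policy and the sample header are assumptions made for illustration.

```javascript
// Added example. Function names and the warn/no-warn policy are assumptions,
// not Mozilla code. Only the two cases named in the report are modeled.

// First token of a WWW-Authenticate or Proxy-Authenticate value, lowercased.
function authScheme(challenge) {
  const m = /^\s*([^\s,]+)/.exec(challenge || "");
  return m ? m[1].toLowerCase() : null;
}

// What anyone who can read the request recovers from a Basic header.
// Buffer is Node's API; a browser would use atob() here.
function decodeBasic(authorization) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(authorization.trim());
  if (!m) return null;
  const text = Buffer.from(m[1], "base64").toString("utf8");
  const i = text.indexOf(":"); // the username cannot contain ':'
  if (i < 0) return null;
  return { username: text.slice(0, i), password: text.slice(i + 1) };
}

// Decide whether answering this challenge would put the password on the wire
// in recoverable form.
function cleartextAuthRisk(urlString, challenge) {
  const { protocol } = new URL(urlString);
  if (protocol === "ftp:") {
    return { warn: true, reason: "FTP sends USER and PASS as plain text" };
  }
  if (protocol !== "http:") {
    return { warn: false, reason: "transport is not plain HTTP or FTP" };
  }
  if (authScheme(challenge) === "basic") {
    return { warn: true, reason: "Basic is base64 of user:pass, not encryption" };
  }
  return { warn: false, reason: "not Basic; outside what this example models" };
}

// Constructed sample: the header a client sends for user "alice", password "s3cret".
const SAMPLE_HEADER = "Basic YWxpY2U6czNjcmV0";
console.log(decodeBasic(SAMPLE_HEADER));
console.log(cleartextAuthRisk("http://www.example.com/private/", 'Basic realm="staff"'));
console.log(cleartextAuthRisk("https://www.example.com/private/", 'Basic realm="staff"'));
```

The same `cleartextAuthRisk` call applies to a `Proxy-Authenticate` challenge, since proxy auth uses the HTTP auth challenge syntax.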