Open Bug 136106 Opened 23 years ago Updated 2 years ago

mozilla should warn users before transmitting username and password unencrypted

Categories

(Core :: Security, defect)

Tracking

()

Future

People

(Reporter: darin.moz, Assigned: dveditz)

before sending a user's username and password in the clear, mozilla should really warn the user. this applies, for example, to FTP auth and HTTP basic auth. it seems really bad that we don't alert users to the potential risk associated with sending their username and password out over the internet in the clear. perhaps this is more significant now, given that HTTP and FTP upload (used by editor's new publish feature) generally require a password.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.0.1
Sure, toss an alert or something. Be sure that the dialog can be "remembered" so that it isn't shown all of the time and that the text is verbose enough to indicate that the problem is NOT with the client. Are we too late for this - UI is frozen, right?
too late for mozilla 1.0 probably. but we should be free to make UI changes after 1.0. as for the impl of this, i almost think it'd be nice to include the warning on the auth prompt. it could be as simple as some bold text added to the existing dialog, which would mean adding a flag to the nsIAuthPrompt methods.
how about just appending your warning to the |text| of the dialog?
hmm... in a pinch, sure. but, i'd rather allow the UI team to come up with something more overt if they wanted to.
Target Milestone: mozilla1.0.1 → ---
mass futuring of untargeted bugs
Target Milestone: --- → Future
-> Security. They can decide what to do about this. Proxy-auth uses HTTP auth, so it suffers from the same problem.
Assignee: darin → mstoltz
Status: ASSIGNED → NEW
Component: Networking → Security: General
QA Contact: benc → bsharma
See also bug 115500 and bug 204992.
<quote> before sending a user's username and password in the clear, mozilla should really warn the user. this applies, for example, to FTP auth and HTTP basic auth. it seems really bad that we don't alert users to the potential risk associated with sending their username and password out over the internet in the clear. </quote> Could there be an exception to this? I mean, is it not possible to send username and password without user intervention if the request is coming from LAN? Please see my post http://forums.mozillazine.org/viewtopic.php?t=41623 for more verbose explanation for the reasons.
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit
Severity: normal → S3
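
Added example, not part of the bug thread and not Mozilla code: a sketch of the check the report asks for, deciding whether answering an authentication challenge would send the password in recoverable form over FTP, HTTP Basic, or proxy auth. All function names are hypothetical, the sample header is constructed, and warning whenever Basic is offered on an unencrypted hop is a policy choice of this example.

```javascript
// Added example (hypothetical names; runs under Node.js).

// Constructed sample: two challenges in one header, with a comma inside a realm.
const SAMPLE_CHALLENGE =
  'Basic realm="Files, staging", Digest realm="x", nonce="abc", qop="auth"';

// Return the lower-cased auth-scheme names offered in a WWW-Authenticate or
// Proxy-Authenticate value, which may carry several comma-separated challenges.
function offeredSchemes(headerValue) {
  // Blank out quoted strings first so commas inside realm="a, b" do not split.
  const bare = headerValue.replace(/"(?:[^"\\]|\\.)*"/g, '""');
  const schemes = [];
  for (const piece of bare.split(",")) {
    // A challenge starts with a token that is NOT followed by "=";
    // pieces such as nonce="" are parameters of the previous challenge.
    const m = /^([A-Za-z][A-Za-z0-9-]*)(?:\s+[^=\s]|$)/.exec(piece.trim());
    if (m) schemes.push(m[1].toLowerCase());
  }
  return schemes;
}

// hopUrl is the server that issued the challenge: the origin for a 401, the
// proxy itself for a 407 (an https target does not protect the hop to an
// http proxy). Returns warning text, or null when no warning is needed.
function cleartextAuthWarning(hopUrl, challengeHeader) {
  const proto = new URL(hopUrl).protocol;
  if (proto === "https:") return null; // TLS protects the whole exchange
  if (proto === "ftp:") return "FTP sends USER and PASS as plain text";
  const schemes = offeredSchemes(challengeHeader || "");
  if (proto === "http:" && schemes.includes("basic")) {
    return "HTTP Basic sends the password base64-encoded, not encrypted";
  }
  // Digest sends a hash rather than the password itself; other schemes are
  // not assessed in this example.
  return null;
}

// Why the warning matters: base64 is an encoding, so anyone who can read the
// "Authorization: Basic ..." header recovers both fields.
function decodeBasic(authorizationValue) {
  const b64 = authorizationValue.replace(/^Basic\s+/i, "");
  const text = Buffer.from(b64, "base64").toString("utf8");
  const i = text.indexOf(":"); // the user-id cannot contain ":"
  return { user: text.slice(0, i), password: text.slice(i + 1) };
}
```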