Open Bug 333521 Opened 19 years ago Updated 2 years ago

Add warning to HTTP Basic auth prompt for non-HTTPS connections

Categories

(Firefox :: Security, enhancement)

Product:
Firefox
Component:
Security
Version:
2.0 Branch
Type:
enhancement

Tracking

()

People

(Reporter: mozilla, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: sec-want)

Attachments

(3 files)

http_firefox.png
(deleted), image/png
Details
http_chrome.png
(deleted), image/png
Details
paypal-2-700x304-1.jpg
(deleted), image/jpeg
Details
Daniel Schierbeck: *Relatively safe authentication methods* .============================================. | Authenticate | |============================================| | @@@ Enter username and password for Test | | @@@ at example.com | | | | Username: [________________________] | | Password: [________________________] | | [x] Remember ... | | | | [ Authenticate ] [ Cancel ] | '--------------------------------------------' *Unsafe authentication methods (HTTP Basic)* .============================================. | Authenticate | |============================================| | @@@ Enter username and password for Test | | @@@ at example.com | | | | Username: [________________________] | | Password: [________________________] | | [x] Remember ... | |--------------------------------------------| | /\ *Warning*: your username and password | | will be sent in an insecure manner! | |--------------------------------------------| | [ Authenticate ] [ Cancel ] | '--------------------------------------------' The bar in the middle could have another color, to emphasize its importance. The dialog icon (the @'s) should be something like a set of keys, and not just a question mark.
this is somehow connected to bug 244273 that probably should be added as a dependancy to 333520
Summary: Add warning to HTTP Basic auth prompt → Add warning to HTTP Basic auth prompt for non-HTTPS connections
Blocks: 411085
Blocks: 1217142

Showing a lock with / through it for all insecure non-local-ip http auth pages (similar to in-page password warning prompts) would be pretty easy, by updating the condition at: https://searchfox.org/mozilla-central/rev/2e3b0483e31abffe0b4374480a34c6d23f5186ea/toolkit/components/prompts/src/Prompter.jsm#1133-1135 .

Showing extra text could be done in the condition that uses this property at https://searchfox.org/mozilla-central/rev/2e3b0483e31abffe0b4374480a34c6d23f5186ea/toolkit/components/prompts/content/commonDialog.js#72-74 .

Johann, whose agreement do we need to get a warning text added here?

Flags: needinfo?(jhofmann)
Attached image http_firefox.png (deleted) —
Attached image http_chrome.png (deleted) —

I would like to get warnings. The popup dialog has no warning, whereas a larger html http page with a login inside it will show a clear warning.

Type: defect → enhancement
Keywords: sec-want
See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=405120

Huh, we didn't have this already? Well, then, I think it's a good idea, you seem to think it's a good idea, so that should be enough to from a module ownership perspective to make it happen.

Not a high priority on my list unfortunately but maybe this can be put as a nice small self-contained project to pick up from our backlog.

cc Paul :)

Flags: needinfo?(mail)

If this gets fixed, then Firefox will help protect people from http phishing attacks and network traffic scraping.

Attached image paypal-2-700x304-1.jpg (deleted) —

Here is an example of a phishing website that uses only http, where this kind of warning could save a lot of Firefox customers a lot of trouble. Example was taken from:
https://www.metacompliance.com/blog/what-are-paypal-phishing-scams-and-how-to-spot-them/

(In reply to William Smith from comment #11)

Created attachment 9256510 [details]
paypal-2-700x304-1.jpg

Here is an example of a phishing website that uses only http, where this kind of warning could save a lot of Firefox customers a lot of trouble. Example was taken from:
https://www.metacompliance.com/blog/what-are-paypal-phishing-scams-and-how-to-spot-them/

What prevents the phishing site from using HTTPS to get rid of the warning? I think we're more concerned about MITM here.

Nothing prevents them from setting up https. But with Firefox (and Edge as well) not giving any warnings, they don't need to bother with setting up https. It looks exactly the same - no warning.

Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: