Add warning to HTTP Basic auth prompt for non-HTTPS connections
Categories: Firefox :: Security, enhancement
People: Reporter: mozilla, Unassigned
References: Blocks 2 open bugs
Details: Keywords: sec-want
Attachments: 3 files
Comment 1•17 years ago
Updated•11 years ago
Comment 5•3 years ago
Showing a lock with / through it for all insecure non-local-IP HTTP auth pages (similar to in-page password warning prompts) would be pretty easy, by updating the condition at: https://searchfox.org/mozilla-central/rev/2e3b0483e31abffe0b4374480a34c6d23f5186ea/toolkit/components/prompts/src/Prompter.jsm#1133-1135 .
Showing extra text could be done in the condition that uses this property at https://searchfox.org/mozilla-central/rev/2e3b0483e31abffe0b4374480a34c6d23f5186ea/toolkit/components/prompts/content/commonDialog.js#72-74 .
Johann, whose agreement do we need to get a warning text added here?
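The decision that comment 5 describes, as an added example that is not Firefox's own Prompter.jsm or commonDialog.js code: decide from the target URL whether an HTTP auth prompt should carry the crossed-out lock and an extra warning paragraph. The definition of "local" is an assumption borrowed from the Secure Contexts spec's potentially-trustworthy-origin rules (https:, wss: and file: schemes, localhost names, 127.0.0.0/8 and ::1); the function names and the warning strings are placeholders, not Firefox's localized strings.

```javascript
// Added example, not Firefox code. Models the "warn on insecure HTTP auth"
// condition from comment 5. Assumption: "local" means the Secure Contexts
// spec's potentially-trustworthy origins (loopback addresses, localhost
// names, and https:/wss:/file: schemes). All names and strings are placeholders.

const TRUSTWORTHY_SCHEMES = new Set(["https:", "wss:", "file:"]);

function isLoopbackHost(hostname) {
  // WHATWG URL keeps the brackets on IPv6 hostnames, e.g. "[::1]".
  if (hostname === "[::1]") return true;
  // Anything in 127.0.0.0/8 is loopback; URL parsing has already
  // normalized shorthand forms such as "127.1" to dotted quads.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) return true;
  // "localhost" and "*.localhost" resolve to loopback (RFC 6761).
  return hostname === "localhost" || hostname.endsWith(".localhost");
}

function isPotentiallyTrustworthy(url) {
  if (TRUSTWORTHY_SCHEMES.has(url.protocol)) return true;
  return isLoopbackHost(url.hostname);
}

// True when the auth prompt for this URL should be flagged as insecure.
// An unparsable target fails closed: we warn rather than silently trust it.
function shouldWarnInsecureAuth(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return true;
  }
  return !isPotentiallyTrustworthy(url);
}

// Builds the dialog model: the host shown to the user, the insecure flag that
// would drive the crossed-out lock icon, and the body text including the
// extra warning paragraph for plaintext connections.
function buildAuthPrompt(urlString, realm) {
  const url = new URL(urlString);
  const insecure = shouldWarnInsecureAuth(urlString);
  const lines = [`${url.host} is requesting your username and password.`];
  if (realm) lines.push(`The site says: "${realm}"`);
  if (insecure) {
    lines.push(
      "Warning: your password will be sent unencrypted and could be read " +
        "or modified by anyone on the network path."
    );
  }
  return { host: url.host, insecure, text: lines.join("\n") };
}

// Constructed sample targets, for a stand-alone run.
for (const u of [
  "http://router.example/admin",
  "https://intranet.example/",
  "http://127.0.0.1:8080/",
  "http://[::1]/",
  "http://192.168.1.1/",
]) {
  console.log(u.padEnd(32), shouldWarnInsecureAuth(u) ? "WARN" : "ok");
}
```

Under this assumed definition an RFC 1918 address such as http://192.168.1.1/ still gets the warning: the traffic is unencrypted on the LAN even though the host is "local" in everyday terms. Whether Firefox should treat private-range IPs differently is exactly the kind of detail the condition in Prompter.jsm would have to settle.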
Comment 6•3 years ago
Comment 7•3 years ago
Comment 8•3 years ago
I would like to get warnings. The popup dialog has no warning, whereas a larger HTML HTTP page with a login inside it will show a clear warning.
Comment 9•3 years ago
Huh, we didn't have this already? Well, then, I think it's a good idea, you seem to think it's a good idea, so that should be enough, from a module ownership perspective, to make it happen.
Not a high priority on my list unfortunately but maybe this can be put as a nice small self-contained project to pick up from our backlog.
cc Paul :)
Comment 10•3 years ago
If this gets fixed, then Firefox will help protect people from HTTP phishing attacks and network traffic scraping.
Comment 11•3 years ago
Here is an example of a phishing website that uses only HTTP, where this kind of warning could save a lot of Firefox customers a lot of trouble. Example was taken from:
https://www.metacompliance.com/blog/what-are-paypal-phishing-scams-and-how-to-spot-them/
Comment 12•3 years ago
(In reply to William Smith from comment #11)
> Created attachment 9256510 [details]
> paypal-2-700x304-1.jpg
>
> Here is an example of a phishing website that uses only HTTP, where this kind of warning could save a lot of Firefox customers a lot of trouble. Example was taken from:
> https://www.metacompliance.com/blog/what-are-paypal-phishing-scams-and-how-to-spot-them/
What prevents the phishing site from using HTTPS to get rid of the warning? I think we're more concerned about MITM here.
Comment 13•3 years ago
Nothing prevents them from setting up HTTPS. But with Firefox (and Edge as well) not giving any warnings, they don't need to bother with setting up HTTPS. It looks exactly the same - no warning.
Updated•2 years ago