Closed Bug 539043 Opened 15 years ago Closed 14 years ago

transmitting a password in clear text should trigger a security warning

Categories

(Firefox :: General, enhancement)

x86
Linux
enhancement
Not set
normal

Tracking
RESOLVED DUPLICATE of bug 136106

People

(Reporter: tanguy+mozilla, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.6) Gecko/20091216 Iceweasel/3.5.6 (like Firefox/3.5.6; Debian-3.5.6-1)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.6) Gecko/20091216 Iceweasel/3.5.6 (like Firefox/3.5.6; Debian-3.5.6-1)

Currently, when sending a password from a form or from an HTTP Authentication request, for instance to authenticate to a website:
1. if the target is not secure, no warning is displayed;
2. if the target is secured with a certificate signed by an unknown authority, a warning is displayed;
3. if the target is secured with a certificate that does not match, a warning is displayed;
4. if the target is secured with a certificate signed by a known authority, no warning is displayed.

These situations can be ordered as follows, in increasing security risk order: 4, 2, 1, 3. Indeed:
– situation 4 is the perfect one;
– an unknown certificate is always better than transmitting in cleartext: neither guarantees that there is no other listener than the end server, but the unknown certificate at least avoids wiretapping and in-process man-in-the-middle introduction;
– situation 3 is the worst one, with a solid indication of an actual fraud.

So, I think that it is not normal that no warning is displayed when a form tries to send a password to an insecure target. It encourages some providers to build insecure authentication systems rather than using certificates, even self-signed, that would provide a greater security level.

Regards,
-- Tanguy Ortolo

Reproducible: Always

Steps to Reproduce:
1. Go to Wikipédia.
2. Go to the logon page.
3. Log in.

Actual Results:
You have sent your password in clear, visible to a wiretapper or man in the middle, without having been warned in any way of the risk.

Expected Results:
A security warning, explaining that a password will be transmitted in clear, so that a wiretapper, or anyone in the case of a public wireless network, will be able to read it. Maybe also stating that, if this password is also used for other services, it could allow strangers to get access to other data than the current website. Such a warning should not be deactivatable globally, but may be deactivatable for a given site.
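One way to implement the check the report asks for, as an added example that is not Firefox's code: it resolves a login form's submit target against the page URL (an absent action submits to the page itself), classifies the target into the four situations listed above, applies the reporter's risk ordering 4, 2, 1, 3, and honours a per-site exception list without offering a global off switch. The certStatus values 'trusted', 'unknown-ca' and 'mismatch', the form records and the example.test hosts are constructed assumptions for the example, not a browser API.

```javascript
// Added example: where does a login form send its password, and should the
// cleartext warning fire? Not Firefox code; certStatus is an assumed encoding
// of what the browser would learn about the target host's certificate.

const SITUATIONS = {
  CLEARTEXT: 1,  // http target: no transport protection at all
  UNKNOWN_CA: 2, // https, certificate signed by an unknown authority
  MISMATCH: 3,   // https, certificate does not match the host
  TRUSTED: 4,    // https, certificate from a known authority
};

// Reporter's ordering, lowest risk first: 4, 2, 1, 3.
const RISK_RANK = { 4: 0, 2: 1, 1: 2, 3: 3 };

// An absent or empty action submits to the document's own URL; a relative
// action resolves against it. The WHATWG URL parser handles both cases.
function resolveSubmitTarget(pageUrl, formAction) {
  return new URL(formAction == null ? '' : formAction, pageUrl);
}

// certStatus: 'trusted' | 'unknown-ca' | 'mismatch' (assumed values).
// The scheme is checked first: an http target is cleartext whatever the
// certificate state of the site that served the page.
function classifyTarget(pageUrl, formAction, certStatus = 'trusted') {
  const target = resolveSubmitTarget(pageUrl, formAction);
  if (target.protocol !== 'https:') return SITUATIONS.CLEARTEXT;
  if (certStatus === 'mismatch') return SITUATIONS.MISMATCH;
  if (certStatus === 'unknown-ca') return SITUATIONS.UNKNOWN_CA;
  return SITUATIONS.TRUSTED;
}

// Audit one form. Only forms that carry a password field matter. The
// per-site exception set models "may be deactivated for a given site" and
// applies to the cleartext warning only; there is deliberately no global switch.
function auditForm(form, siteExceptions = new Set()) {
  const hasPassword = form.inputs.some((input) => input.type === 'password');
  if (!hasPassword) return { situation: null, target: null, riskRank: null, warn: false };
  const target = resolveSubmitTarget(form.pageUrl, form.action);
  const situation = classifyTarget(form.pageUrl, form.action, form.certStatus);
  const exempt = situation === SITUATIONS.CLEARTEXT && siteExceptions.has(target.host);
  return {
    situation,
    target: target.href,
    riskRank: RISK_RANK[situation],
    warn: situation !== SITUATIONS.TRUSTED && !exempt,
  };
}

function auditAll(forms, siteExceptions = new Set()) {
  return forms.map((form) => auditForm(form, siteExceptions));
}

// Constructed sample forms (hosts under example.test are placeholders).
const SAMPLE_FORMS = [
  // Plain-http login page with a relative action: the report's case.
  { pageUrl: 'http://example.test/w/index.php?title=Special:UserLogin',
    action: '/w/index.php?action=submitlogin',
    inputs: [{ type: 'text' }, { type: 'password' }], certStatus: 'trusted' },
  // https page whose form posts back to http: still cleartext on the wire.
  { pageUrl: 'https://shop.example.test/login', action: 'http://shop.example.test/do-login',
    inputs: [{ type: 'text' }, { type: 'password' }], certStatus: 'trusted' },
  // https page with a self-signed certificate, action omitted.
  { pageUrl: 'https://intranet.example.test/', action: null,
    inputs: [{ type: 'text' }, { type: 'password' }], certStatus: 'unknown-ca' },
  // https page with a trusted certificate: the desired situation 4.
  { pageUrl: 'https://mail.example.test/', action: 'login',
    inputs: [{ type: 'text' }, { type: 'password' }], certStatus: 'trusted' },
  // http search form without a password field: nothing to warn about.
  { pageUrl: 'http://example.test/', action: '/search',
    inputs: [{ type: 'text' }], certStatus: 'trusted' },
];

for (const result of auditAll(SAMPLE_FORMS)) {
  console.log(result);
}
```

Run with node; the second sample is the case a scheme-only check on the page URL would miss, which is why the target, not the page, is classified.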
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE