Password Request Warning on Firefox

Wednesday, February 3, 2016 @ 10:02 AM gHale

Mozilla is adding a warning icon to its Firefox browser when passwords end up requested over non-secure connections.

Starting with Firefox DevEdition 46, developers will be alerted to the privacy and security risk by a lock icon with a red strikethrough, displayed when passwords are requested on non-secure pages. The browser has been alerting developers to the issue via the Developer Tools Web Console since Firefox 26.


Websites should handle usernames and passwords with care and should request the latter only over secure connections, such as HTTPS, said Mozilla security engineer Tanvi Vyas in a blog post. However, because passwords are still often handled over non-secure connections such as HTTP, Firefox Developer Edition now warns developers about the issue.

Firefox examines the page that contains a password field to determine whether it is secure, Vyas said. The page is checked against the algorithm in the W3C’s Secure Contexts Specification, and if it is non-secure, Firefox warns developers, because such pages could fall victim to a Man-In-The-Middle (MITM) attacker.

A MITM attacker can extract the password entered on the non-secure page by modifying the form action so that the password is submitted to an attacker-controlled server, or by using JavaScript to grab the contents of the password field before submission. Moreover, attackers could use JavaScript to log the user’s keystrokes and capture the password without the user realizing they have been compromised.

Vyas also said these techniques make submitting the form over HTTPS useless for preventing eavesdropping or active MITM attacks, because the HTTP page itself is non-secure. Even on websites that do not store sensitive information, users’ security is at risk because people reuse passwords across multiple sites.

The lock with a red strikethrough warning will also display on pages where password fields remain hidden until user interaction. Developers looking to remove the warning icon can do so by putting their login forms on HTTPS pages or by migrating the entire website to HTTPS, Mozilla said.