Password Request Warning on Firefox
Wednesday, February 3, 2016 @ 10:02 AM gHale
Mozilla is adding a warning icon to its Firefox browser for pages that request passwords over non-secure connections.
Starting with Firefox Developer Edition 46, the browser displays a lock with a red strikethrough when a password is requested on a non-secure page, so developers see the privacy and security risk directly. Firefox has been reporting the same issue to developers in the Developer Tools Web Console since Firefox 26.
Websites should handle usernames and passwords with care and should request passwords only over secure connections such as HTTPS, said Mozilla security engineer Tanvi Vyas in a blog post. Because many sites still handle passwords over non-secure HTTP, Firefox Developer Edition now warns developers when it sees this.
Firefox examines the page that contains a password field to decide whether it is secure, Vyas said. The page is checked against the algorithm in the W3C's Secure Contexts Specification; if it is not a secure context, the browser warns the developer, because a non-secure page can be altered by a Man-in-the-Middle (MITM) attacker.
Vyas also said that serving the login form on an HTTP page and only submitting the password over HTTPS gives no protection against eavesdropping or active MITM attacks, because the HTTP page itself is non-secure: an attacker can modify the page, including where the form sends the password, before the user types anything. Even on websites that store no sensitive information, users' security is at risk, because people reuse passwords across multiple sites.
The lock with a red strikethrough warning also appears on pages where the password field stays hidden until the user interacts with the page. Developers who want to remove the warning can do so by putting their login forms on HTTPS pages, or by migrating the entire website to HTTPS, Mozilla said.