No More Passwords over HTTP, Please!


Update: This feature is now also enabled in Firefox Beta, starting with Firefox Beta 50.

Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP.

Username and password pairs control access to users’ personal data. Websites should handle this information with care and only request passwords over secure (authenticated and encrypted) connections, like HTTPS. Unfortunately, we too frequently see non-secure connections, like HTTP, used to handle user passwords. To inform developers about this privacy and security vulnerability, Firefox Developer Edition changes the security iconography of non-secure pages that contain a password field to a lock with a red strikethrough.

Firefox Developer Edition 46+ shows a lock with a red strikethrough on non-secure pages that have a password field, while Firefox Release does not include that additional iconography.

How does Firefox determine if a password field is secure or not?

Firefox determines if a password field is secure by examining the page it is embedded in. The embedding page is checked against the algorithm in the W3C’s Secure Contexts Specification to see if it is secure or non-secure. Anything on a non-secure page can be manipulated by a Man-In-The-Middle (MITM) attacker. The MITM can use a number of mechanisms to extract the password entered onto the non-secure page. Here are some examples:

      • Change the form action so the password submits to an attacker-controlled server instead of the intended destination, then seamlessly redirect to the intended destination while sending along the stolen password.
      • Use JavaScript to grab the contents of the password field before submission and send it to the attacker’s server.
      • Use JavaScript to log the user’s keystrokes and send them to the attacker’s server.

Note that all of the attacks mentioned above can occur without the user realizing that their account has been compromised.

Firefox has been alerting developers of this issue via the Developer Tools Web Console since Firefox 26.
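The check described above, as an added example that is not Firefox’s own code: it approximates the W3C Secure Contexts rule (https, wss and file URLs, plus loopback hosts, are “potentially trustworthy”) and flags any other page that contains a password field. The HTML scan is a regular expression rather than a DOM walk, and the warning string is my own, not the text Firefox prints.

```javascript
'use strict';
// Added example, not Firefox's implementation. Mirrors the decision the post
// describes: is the embedding page a secure context, and does it contain a
// password field? The warning text below is illustrative only.

// Loopback hosts are trustworthy even over plain http, per the Secure
// Contexts spec; this is why localhost never triggers the warning.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '[::1]' || h === '::1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && Number(m[1]) === 127;   // whole 127.0.0.0/8 block
}

// "Potentially trustworthy" origin check for a page URL.
function isPotentiallyTrustworthyUrl(pageUrl) {
  let u;
  try { u = new URL(pageUrl); } catch (e) { return false; }
  if (u.protocol === 'https:' || u.protocol === 'wss:' || u.protocol === 'file:') {
    return true;
  }
  return isLoopbackHost(u.hostname);
}

// Crude scan for <input type="password">. Note it also matches fields inside
// a hidden <div>, which is the behaviour the post's last FAQ describes.
function hasPasswordField(html) {
  return /<input\b[^>]*\btype\s*=\s*["']?password["']?/i.test(html);
}

// Returns a warning string (illustrative text) or null. The form's own
// action URL is deliberately ignored: only the page's origin matters.
function insecurePasswordWarning(pageUrl, html) {
  if (!hasPasswordField(html)) return null;
  if (isPotentiallyTrustworthyUrl(pageUrl)) return null;
  return 'password field on a non-secure page: ' + pageUrl;
}

// Constructed sample: an http page whose form posts to an https endpoint.
const LOGIN_HTML =
  '<form action="https://www.example.com/login" method="post">' +
  '<input name="user"><input type="password" name="pw"></form>';
```

Running `insecurePasswordWarning('http://www.example.com/', LOGIN_HTML)` yields a warning even though the form action is HTTPS; the same HTML at `https://www.example.com/` or `http://localhost:8000/` yields `null`.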

Why isn’t submitting over HTTPS enough? Why does the page have to be HTTPS?

We get this question a lot, so I thought I would call it out specifically. Although transmitting over HTTPS instead of HTTP does prevent a network eavesdropper from seeing a user’s password, it does not prevent an active MITM attacker from extracting the password from the non-secure HTTP page. As described above, active attackers can MITM an HTTP connection between the server and the user’s computer to change the contents of the webpage. The attacker can take the HTML content that the site attempted to deliver to the user and add JavaScript to the HTML page that will steal the user’s username and password. The attacker then sends the updated HTML to the user. When the user enters their username and password, it will get sent to both the attacker and the site.

What if the credentials for my site really aren’t that sensitive?

Sometimes sites require username and passwords, but don’t actually store data that is very sensitive. For example, a news site may save which news articles a user wants to go back and read, but not save any other data about a user. Most users don’t consider this highly sensitive information. Web developers of the news site may be less motivated to secure their site and their user credentials. Unfortunately, password reuse is a big problem. Users use the same password across multiple sites (news sites, social networks, email providers, banks). Hence, even if access to the username and password to your site doesn’t seem like a huge risk to you, it is a great risk to users who have used the same username and password to login to their bank accounts. Attackers are getting smarter; they steal username/password pairs from one site, and then try reusing them on more lucrative sites.

How can I remove this warning from my site?

Put your login forms on HTTPS pages.

Of course, the most straightforward way to do this is to move your whole website to HTTPS. If you aren’t able to do this today, create a separate HTTPS page that is just used for logins. Whenever a user wants to login to your site, they will visit the HTTPS login page. If your login form submits to an HTTPS endpoint, parts of your domain may already be set up to use HTTPS.

In order to host content over HTTPS, you need a TLS Certificate from a Certificate Authority. Let’s Encrypt is a Certificate Authority that can issue you free certificates. You can reference these pages for some guidance on configuring your servers.
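One way to make sure no login form is ever rendered over HTTP once the HTTPS site exists, as an added example that is not from the post or from Mozilla: a plain-HTTP request handler for Node’s `http` module that does nothing but redirect. `CANONICAL_HOST` is an assumed value; the handler redirects to it rather than to whatever the request’s Host header says.

```javascript
'use strict';
// Added example, not from the post. A plain-http listener whose only job is
// to send every request to the HTTPS site. CANONICAL_HOST is an assumption.

const CANONICAL_HOST = 'www.example.com';   // assumption: your real hostname

// Pure function so the policy can be tested without opening a socket.
// The Host header is not used in the target: a request can carry any Host
// value, and echoing it back would turn this into an open redirect. A path
// such as "//evil.invalid/" is likewise kept as a path, never allowed to
// become a scheme-relative URL.
function httpsRedirect(method, requestUrl) {
  // A POSTed credential has already left the browser in the clear;
  // redirecting it would only invite a second submission. Refuse instead.
  if (method !== 'GET' && method !== 'HEAD') {
    return { status: 405, headers: { Allow: 'GET, HEAD' }, body: '' };
  }
  const path = requestUrl.startsWith('/') ? requestUrl : '/' + requestUrl;
  return {
    status: 301,
    headers: {
      Location: 'https://' + CANONICAL_HOST + path,
      'Cache-Control': 'max-age=3600',
      'Content-Length': '0',
    },
    body: '',
  };
}

// Adapter for http.createServer(handler).listen(80).
function handler(req, res) {
  const r = httpsRedirect(req.method, req.url);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```

A Strict-Transport-Security header belongs on the HTTPS responses, not on this redirector: browsers ignore HSTS received over plain HTTP.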

What can I do if I don’t control the webpage?

We know that users of Firefox Developer Edition don’t only use Developer Edition to work on their own websites. They also use it to browse the net. Developers who see this warning on a page they don’t control can still take a couple of actions. You can try to add “https://” to the beginning of the url in the address bar and see if you are able to login over a secure connection to help protect your data. You can also try and reach out to the website administrator and alert them of the privacy and security vulnerability on their site.

Do you have examples of real life attacks that occurred because of stolen passwords?

There are ample examples of password reuse leading to large-scale compromise. There are fewer well-known examples of passwords being stolen by performing MITM attacks on login forms, but the basic techniques of JavaScript injection have been used at scale by Internet Service Providers and governments.

Why does my browser sometimes show this warning when I don’t see a password field on the page?

Sometimes password fields are in a hidden <div> on a page, that does not show up without user interaction. We have a bug open to detect when a password field is visible on the page.

Will this feature become available to Firefox Beta and Release Users?

Right now, the focus for this feature is on developers, since they’re the ones that ultimately need to fix the sites that are exposing users’ passwords. In general, though, since we are working on deprecating non-secure HTTP in the long run, you should expect to see more and more explicit indications of when things are not secure. For example, in all current versions of Firefox, the Developer Tools Network Monitor shows the lock with a red strikethrough for all non-secure HTTP connections.

How do I enable this warning in other versions of Firefox?

Users of Firefox version 44+ (on any branch) can enable or disable this feature by following these steps:

      1. Open a new window or tab in Firefox.
      2. Type about:config and press enter.
      3. You will get to a page that asks you to promise to be careful. Promise you will be.
      4. The value of the security.insecure_password.ui.enabled preference determines whether or not Firefox warns you about non-secure login pages. You can enable the feature and be warned about non-secure login pages by setting this value to true. You can disable the feature by setting the value to false.

Thank you!

A special thanks to Paolo Amadini and Aislinn Grigas for their implementation and user experience work on this feature!

Categories: Browser Security

25 responses

  1. Simon wrote on :

    The one problem I have with HTTPS-everywhere is that it’s a pain in the neck to set up for internal systems like development environments. Servers certainly use SSL in production, but it’s too much hassle to ensure that it’s used for every short-lived system that I work on – servers that may only exist for hours…

    Reply

    1. Tim Bray wrote on :

      We used to think that.

      Now we use letsencrypt certificates on all our demo and development systems.

      Reply

      1. Thomas Grainger wrote on :

        If you automate it once, it won’t be a pain

        Reply

  2. Bjarni R. Einarsson wrote on :

    Hello! This is a fantastic step forward.

    However, can we have an exception for localhost? Using the browser as a front-end for a local web server is an interesting way to develop very compelling apps (disclosure: I work on Mailpile, which is such an app), and it’s not a scenario where HTTPS makes sense (or is even available – you can’t get a cert for localhost).

    Sorry if this appears both here and on hacks, I posted the comment there but it disappeared without any feedback from the site to indicate it was accepted or queued for moderation, or what.

    Please also excuse me if localhost is already exempt – I am assuming it is not because the console does print warnings and the post implies the code path is shared/related.

    Thanks!

    Reply

    1. Tanvi Vyas wrote on :

      You shouldn’t see this warning for localhost. The code specifically checks for localhost and doesn’t warn in that case.

      Reply

  3. Bart wrote on :

    This is really nice for us developers.

    I can’t wait until this feature is also enabled by default in the normal release. This makes it much easier to explain the necessity of SSL to other non-technical persons.

    Reply

    1. Thomas Grainger wrote on :

      TLS

      Reply

  4. Jim wrote on :

    Did Mozilla remove or rename this feature? I just re-imaged my computer and installed Firefox and I do not see security.insecure_password.ui.

    Reply

    1. Tanvi Vyas wrote on :

      security.insecure_password.ui.enabled still appears for me in about:config. What version of Firefox are you using?

      Reply

  5. Dee wrote on :

    How the hell could this be switched off for certain pages? I have to use http://username:password@page for intranet pages and I want to decide by myself what is secure, not to be forced by communists with stupid restrictions.

    Reply

    1. bugzilla wrote on :

      Exactly! Stupid group think.

      You should concentrate on providing a cleaner, better and faster product instead of cluttering the screen with this nonsense. What you guys have to realise is not everybody needs or wants to work in your narrow world view.

      Reply

    2. bugzilla wrote on :

      It gets worse! Now Firefox 52.0a2 (2017-01-13) is saying (some) https servers are not secure – but only sometimes! – You couldn’t make this stuff up.

      Reply

  6. 2fe2fff wrote on :

    Just fixed using this font password https://github.com/Mottie/input-password-bullet

    I will not buy an extra server just so Mozilla feels better; SSL is only used on my website when login and register are sent by AJAX.

    P.S. The web developer tools are not Firebug, they are not even Chrome dev tools, where it is switched

    Reply

  7. peterpux wrote on :

    Warning now shows up every time I try to connect to my router, my repeater, my home management system, etc. though I am not going via the internet. Anything I can do to avoid that???

    Reply

  8. manuel wrote on :

    In Spanish please…… and in several languages

    Reply

  9. “> wrote on :

    “>

    Reply

  10. “> wrote on :

    “><img src=x onerror=prompt(1)

    Reply

  11. “>”>”> wrote on :

    “>”>”><img src=x onerror=prompt(1) "

    Reply

  12. “> wrote on :

    “><img src=x onerror=prompt(1) "

    Reply

  13. “>”> wrote on :

    “>

    Reply

  14. Hercules wrote on :

    My name is Hercules. Can someone please try to explain to me how to switch off some pages?

    Reply

  15. Grace wrote on :

    Grace Oni is my name. Are there any other steps to remove the page?

    Reply

  16. Molemo Molai wrote on :

    I cannot connect to this site even though it is https. I’m launching it from http://standardbank.co.za and I get this error message “Secure connection failed”. I do not even have the “Advanced” button to bypass the error message.

    Reply

  17. Neal T wrote on :

    Great, when I do the crossword it thinks I am filling in a password and keeps giving me a warning

    http://www.universaluclick.com/puzzles/crosswords

    Reply

  18. nkwiyishimwe daniel wrote on :

    how about civil registration works in mukarange hc

    Reply
