Firefox 52 Warns of Login Fields on Insecure Pages

Released this week, the latest version of the Firefox Web browser warns users when they are entering their passwords on pages that are not secure.

The change was initially announced last year, when Mozilla introduced the warning in Firefox DevEdition 46 in an attempt to raise awareness of the risks posed by requesting sensitive information over non-secure connections. Last year, the warning was meant for developers, but the latest browser release brings it to end-users as well.

Starting with Firefox 52.0, users will receive a warning when encountering non-secure HTTP pages with logins. A “This connection is not secure” message will be automatically displayed when the user clicks into the username and password fields on any page that doesn’t use HTTPS.

Starting with the release of Firefox 51 in January, the browser has been displaying a struck-through lock icon for all pages that don’t use HTTPS, to make it clear that those pages are not secure. It even displayed a warning when users were entering a password on an insecure page. Now, the warning message is displayed as soon as the user clicks on the username or password field.

Firefox 52 also implements the Strict Secure Cookies specification, thus forbidding insecure HTTP sites from setting cookies with the “secure” attribute. In the newly published release notes, Mozilla explains that this change will prevent insecure sites from setting cookies with the same name as an existing “secure” cookie from the same base domain.
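A simplified model of the two checks described above, added here as an illustration and not Firefox's own code. `CookieJar`, `domainMatches` and the `example.test` hosts are hypothetical, and "same base domain" is approximated by a domain match in either direction.

```javascript
// Added example: simplified model of the Strict Secure Cookies checks.
// Hypothetical names; no public-suffix, path or expiry handling.

// True if host equals domain or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() {
    this.cookies = []; // entries: { name, value, domain, secure }
  }

  // Returns "stored" or a string saying why the cookie was ignored.
  set(originUrl, { name, value, domain, secure = false }) {
    const url = new URL(originUrl);
    const host = url.hostname.toLowerCase();
    const cookieDomain = (domain || host).toLowerCase().replace(/^\./, "");
    if (!domainMatches(host, cookieDomain)) return "ignored: domain mismatch";

    if (url.protocol !== "https:") {
      // Check 1: an insecure origin may not set a cookie carrying "secure".
      if (secure) return "ignored: secure attribute from insecure origin";
      // Check 2: an insecure origin may not shadow an existing "secure"
      // cookie of the same name on a related domain.
      const clash = this.cookies.some((c) => c.secure && c.name === name &&
        (domainMatches(c.domain, cookieDomain) || domainMatches(cookieDomain, c.domain)));
      if (clash) return "ignored: same name as existing secure cookie";
    }

    // Normal replace-or-add behaviour for everything that passed the checks.
    this.cookies = this.cookies.filter((c) => !(c.name === name && c.domain === cookieDomain));
    this.cookies.push({ name, value, domain: cookieDomain, secure });
    return "stored";
  }
}

// Constructed scenario on the reserved example.test domain.
function demo() {
  const jar = new CookieJar();
  return [
    jar.set("https://shop.example.test/", { name: "sid", value: "a", domain: "example.test", secure: true }),
    jar.set("http://blog.example.test/", { name: "sid", value: "x", secure: true }),
    jar.set("http://blog.example.test/", { name: "sid", value: "x", domain: "example.test" }),
    jar.set("http://blog.example.test/", { name: "theme", value: "dark" }),
    jar.cookies.find((c) => c.name === "sid").value,
  ];
}
```

The HTTPS-set `sid` cookie survives both HTTP attempts, while the unrelated `theme` cookie from the HTTP page is stored as usual.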

The browser update brings a variety of bug fixes as well, including patches for Critical issues: asm.js JIT-spray bypass of ASLR and DEP; Memory Corruption when handling ErrorResult; Use-after-free working with events in FontFace objects; Use-after-free using addRange to add range to an incorrect root object; Use-after-free working with ranges in selections; and memory safety bugs.

High risk vulnerabilities were also addressed in Firefox 52, such as: Segmentation fault in Skia with canvas operations; Pixel and history stealing via floating-point timing side channel with SVG filters; Memory corruption during JavaScript garbage collection incremental sweeping; and Use-after-free in Buffer Storage in libGLES (affecting Windows computers only).

Firefox 52.0 was released with support for all major desktop platforms, namely Linux, macOS, and Windows. Furthermore, it is part of the ESR (Extended Support Release) branch, meaning that it should receive support for about a year.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
