Security Experts:

Firefox 52 Warns of Login Fields on Insecure Pages

Released this week, the latest version of the Firefox Web browser warns users when they are entering their passwords on pages that are not secure.

The change was initially announced last year, when Mozilla introduced the warning in Firefox DevEdition 46, in an attempt to raise awareness on the risks that requesting sensitive information over non-secure connections pose. Last year, the warning was meant for developers, but the latest browser release brings it to end-users as well.

Starting with Firefox 52.0, users will receive a warning when encountering non-secure HTTP pages with logins. A “This connection is not secure” message will be automatically displayed when the user clicks into the username and password fields on any page that doesn’t use HTTPS.

Starting with the release of Firefox 51 in January, the browser has been displaying a struck-through lock icon for all pages that don’t use HTTPS, to make it clear that those pages are not secure. It even displayed a warning when users were entering a password on an insecure page. Now, the warning message is displayed as soon as the user clicks on the username or password field.

Firefox 52 also implements the Strict Secure Cookies specification, thus forbidding insecure HTTP sites from setting cookies with the “secure” attribute. In the newly published release notes, Mozilla explains that this change will prevent insecure sites from setting cookies with the same name as an existing “secure” cookie from the same base domain.

The browser update brings a variety of bug fixes as well, including patches for Critical issues: asm.js JIT-spray bypass of ASLR and DEP; Memory Corruption when handling ErrorResult; Use-after-free working with events in FontFace objects; Use-after-free using addRange to add range to an incorrect root object; Use-after-free working with ranges in selections; and memory safety bugs.

High risk vulnerabilities were also addressed in Firefox 52, such as: Segmentation fault in Skia with canvas operations; Pixel and history stealing via floating-point timing side channel with SVG filters; Memory corruption during JavaScript garbage collection incremental sweeping; and Use-after-free in Buffer Storage in libGLES (affecting Windows computers only).

Firefox 52.0 was released with support for all major desktop platforms, namely Linux, macOS, and Windows. Furthermore, it is part of the ESR (Extended Support Release) branch, meaning that it should receive support for about a year.

Related: Firefox 51 Patches Flaws, Introduces New HTTP Warning

Related: Firefox to Display Error When Encountering SHA-1 Certificates

Related: Mozilla Re-Enables Support for SHA-1 in Firefox

view counter