SecurityWeek

Firefox Warns of Password Requests Over HTTP

Mozilla is taking another step to protect users, by adding a new warning icon when passwords are requested over non-secure connections.


Starting with Firefox DevEdition 46, developers will be informed about this privacy and security risk by displaying a lock with a red strikethrough when passwords are requested on non-secure pages. The browser has been alerting developers on the issue via the Developer Tools Web Console since Firefox 26.

In a recent blog post, Mozilla security engineer Tanvi Vyas explains that websites should handle usernames and passwords with care and should request the latter only over secure connections, such as HTTPS. However, since non-secure connections such as HTTP are often used to handle passwords, Firefox Developer Edition is now warning developers on the issue.

According to Vyas, Firefox examines the page a password field is embedded in to determine whether it is secure. The page is checked against the algorithm in the W3C’s Secure Contexts Specification, and developers are warned if it is non-secure, as such pages could be manipulated by a Man-In-The-Middle (MiTM) attacker.

The MiTM attacker can extract the password entered on the non-secure page by modifying the form action so that the password is submitted to an attacker-controlled server, or by using JavaScript to grab the contents of the password field before submission. Moreover, attackers could use JavaScript to log the user’s keystrokes and grab the password without the user realizing they have been compromised.

Vyas also explains that these techniques make submitting the form over HTTPS useless for preventing eavesdropping or active MiTM attacks, because the HTTP page the form lives on is itself non-secure. Even on websites that do not store sensitive information, users’ security is put at risk, mainly because many people reuse passwords across multiple sites.
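The check described above can be approximated in a few lines. The following is an added example, not Mozilla's code: a reduced version of the Secure Contexts test (https:, wss: and file: schemes, plus loopback hosts count as potentially trustworthy; the real algorithm also walks ancestor browsing contexts) and a form audit that flags a password field whenever the page itself is non-secure, regardless of where the form submits. The names `isPotentiallyTrustworthy`, `auditPasswordForms`, `collectFormsFromDocument` and the `sampleForms` input are all assumptions made for this example.

```javascript
// Added example, not Mozilla's implementation. Simplified "potentially
// trustworthy origin" test in the spirit of the W3C Secure Contexts spec.
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);
  if (['https:', 'wss:', 'file:'].includes(url.protocol)) return true;
  const host = url.hostname;
  // Loopback addresses are treated as secure by the spec.
  return host === 'localhost' || host.endsWith('.localhost') ||
         host === '127.0.0.1' || host === '[::1]';
}

// Audit forms found on a page. Each form is { action, hasPasswordField }.
// Returns one finding per password form that is at risk. A non-secure page
// is flagged even when the form action is HTTPS, because a MiTM can rewrite
// the action or read the field with injected script before submission.
function auditPasswordForms(pageUrl, forms) {
  const pageSecure = isPotentiallyTrustworthy(pageUrl);
  const findings = [];
  for (const form of forms) {
    if (!form.hasPasswordField) continue;
    // An empty or relative action resolves against the page URL.
    const action = new URL(form.action || '', pageUrl).href;
    if (!pageSecure) {
      findings.push({ action, reason: 'password field on a non-secure page' });
    } else if (!isPotentiallyTrustworthy(action)) {
      findings.push({ action, reason: 'password submitted over a non-secure connection' });
    }
  }
  return findings;
}

// Browser helper (assumed name): turn a document's forms into audit input.
function collectFormsFromDocument(doc) {
  return Array.from(doc.querySelectorAll('form')).map(form => ({
    action: form.getAttribute('action') || '',
    hasPasswordField: form.querySelector('input[type="password"]') !== null,
  }));
}

// Constructed sample input so the example runs offline under Node.
const sampleForms = [
  { action: '/login', hasPasswordField: true },
  { action: 'https://accounts.example.com/login', hasPasswordField: true },
  { action: '/search', hasPasswordField: false },
];

if (typeof document === 'undefined') {
  // Running outside a browser: audit the constructed sample on an HTTP page.
  console.log(auditPasswordForms('http://www.example.com/login', sampleForms));
} else {
  console.log(auditPasswordForms(location.href, collectFormsFromDocument(document)));
}
```

Pasted into a page's developer console, the browser branch reports every password form on that page; the Node branch shows both password forms in the sample flagged, because the page is HTTP, while the search form is ignored.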

The lock with a red strikethrough warning will be displayed even on pages where password fields are hidden until user interaction. Developers looking to remove the warning icon can do so by putting their login forms on HTTPS pages or by migrating the entire website to HTTPS, Mozilla says.

For the time being, the warning icon remains visible only in the developer edition of Firefox, because developers are the ones who need to fix sites that could expose passwords. However, since Mozilla is committed to deprecating non-secure HTTP, more and more explicit indications of when things are not secure will appear, Vyas says.


Google is also pushing developers to more widely adopt HTTPS, and announced last month that it plans to favor HTTPS pages over their HTTP counterparts in search results.

Earlier this week, Mozilla released Firefox 44, which dropped support for the vulnerable RC4 cipher. The company is also determined to kill support for the SHA-1 cryptographic hash function in the browser sometime over the next 12 months or so.
