
Firefox Warns of Password Requests Over HTTP

Mozilla is taking another step to protect users, by adding a new warning icon when passwords are requested over non-secure connections.


Starting with Firefox Developer Edition 46, developers are alerted to this privacy and security risk by a lock icon with a red strikethrough, displayed when a password is requested on a non-secure page. The browser has been flagging the same issue in the Developer Tools Web Console since Firefox 26.

In a recent blog post, Mozilla security engineer Tanvi Vyas explains that websites should handle usernames and passwords with care and should request passwords only over secure connections such as HTTPS. Because passwords are nevertheless often requested over non-secure connections such as HTTP, Firefox Developer Edition now warns developers about the issue.

According to Vyas, Firefox examines the page a password field is embedded in, rather than the field itself, to decide whether the context is secure. The page is evaluated against the algorithm in the W3C's Secure Contexts Specification, and if it is non-secure the browser warns developers, because such a page can be manipulated by a Man-in-the-Middle (MitM) attacker.

A MitM attacker can extract a password entered on a non-secure page by modifying the form action so that the password is submitted to an attacker-controlled server, or by using JavaScript to read the contents of the password field before submission. Attackers could also inject JavaScript that logs the user's keystrokes and captures the password without the user realizing anything is wrong.

Vyas also explains that these techniques make it useless to submit the form over HTTPS as a defense against eavesdropping or active MitM attacks, because the HTTP page that contains the form is already under the attacker's control. Even on websites that store no sensitive information, users' security is put at risk, mainly because many people reuse passwords across multiple sites.
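As an added example, the following JavaScript (not Mozilla's code and not from the original article) implements a simplified version of the check described above: a URL is "potentially trustworthy" under the Secure Contexts rules if it uses https, wss or file, or points at a loopback host, and a page is a secure context only if it and every ancestor frame are potentially trustworthy (the ancestor rule is an assumption matching the 2016 draft; Firefox's real implementation is not reproduced here). The audit function then shows the points the article makes: the warning is driven by the embedding page, so an HTTPS form action on an HTTP page does not lift it, and an HTTP frame inside an HTTPS page (or the reverse) still warns. All site names are constructed.

```javascript
// Added example (not Firefox's code): a simplified form of the W3C Secure
// Contexts checks that decide whether a password field sits on a secure page.

// "Potentially trustworthy origin": https, wss and file URLs, plus loopback
// hosts (localhost, 127.0.0.0/8, ::1). Plain http and ws are not trustworthy.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable URL: treat as non-secure
  }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  if (scheme === 'https' || scheme === 'wss' || scheme === 'file') {
    return true;
  }
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost') || host === '::1') {
    return true;
  }
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// frameChain lists the top-level page first and the document that contains
// the password field last. Assumption (matching the 2016 draft Firefox used):
// the document and every ancestor frame must be potentially trustworthy.
function isSecureContext(frameChain) {
  return frameChain.length > 0 && frameChain.every(isPotentiallyTrustworthy);
}

// Decide whether the strikethrough-lock warning fires for a password field.
// The form's action URL is reported but deliberately does not lift the
// warning: a MitM on the HTTP page can rewrite the action or inject a
// keylogger before the browser ever opens the HTTPS connection. Hidden
// fields are treated the same as visible ones.
function auditPasswordForm(frameChain, formAction) {
  const insecure = frameChain.filter((u) => !isPotentiallyTrustworthy(u));
  const secure = isSecureContext(frameChain);
  return {
    warn: !secure,
    insecureFrames: insecure,
    actionIsHttps: isPotentiallyTrustworthy(formAction),
    reason: secure
      ? 'password field is in a secure context'
      : 'password field is embedded in a non-secure page: ' + insecure.join(', '),
  };
}

// Constructed cases (not real sites) covering the situations the article
// describes: HTTP login page posting to HTTPS, fully HTTPS page, HTTPS page
// with an HTTP login iframe, HTTPS login iframe inside an HTTP page, and a
// loopback development server.
const CASES = [
  { chain: ['http://shop.example/login'], action: 'https://shop.example/do-login' },
  { chain: ['https://shop.example/login'], action: 'https://shop.example/do-login' },
  { chain: ['https://shop.example/', 'http://widgets.example/login-frame'],
    action: 'https://widgets.example/do-login' },
  { chain: ['http://blog.example/', 'https://sso.example/login-frame'],
    action: 'https://sso.example/do-login' },
  { chain: ['http://localhost:8080/login'], action: 'http://localhost:8080/do-login' },
];

// Returns one audit result per constructed case, in order.
function runAudit() {
  return CASES.map((c) => auditPasswordForm(c.chain, c.action));
}

for (const r of runAudit()) {
  console.log((r.warn ? 'WARN ' : 'ok   ') + r.reason +
    (r.actionIsHttps ? ' (form action is HTTPS)' : ''));
}
```

Running the block prints a warning for the first, third and fourth cases and no warning for the fully HTTPS page and the localhost page; note that the first case warns even though its form action is HTTPS, which is exactly the situation the article says HTTPS submission does not rescue.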

The lock with a red strikethrough is displayed even on pages where the password field is hidden until the user interacts with the page. Developers who want to remove the warning can do so by serving their login forms from HTTPS pages or by migrating the entire website to HTTPS, Mozilla says.

For the time being, the warning icon is visible only in the Developer Edition of Firefox, because developers are the ones who need to fix sites that could expose passwords. However, since Mozilla is committed to deprecating non-secure HTTP, more explicit indications of when things are not secure will appear over time, Vyas says.

Google is also pushing developers to more widely adopt HTTPS, and announced last month that it plans to favor HTTPS pages over their HTTP counterparts in search results.

Earlier this week, Mozilla released Firefox 44, which dropped support for the vulnerable RC4 cipher. The company is also determined to remove support for the SHA-1 cryptographic hash function from the browser sometime over the next 12 months or so.
