SecurityWeek

Network Security

Firefox Warns of Password Requests Over HTTP

Mozilla is taking another step to protect users, by adding a new warning icon when passwords are requested over non-secure connections.

Starting with Firefox DevEdition 46, developers will be informed about this privacy and security risk by displaying a lock with a red strikethrough when passwords are requested on non-secure pages. The browser has been alerting developers on the issue via the Developer Tools Web Console since Firefox 26.

In a recent blog post, Mozilla security engineer Tanvi Vyas explains that websites should handle usernames and passwords with care and should request the latter only over secure connections, such as HTTPS. However, since non-secure connections such as HTTP are often used to handle passwords, Firefox Developer Edition is now warning developers on the issue.

According to Vyas, Firefox examines the page a password field is embedded in to determine whether it is secure. The page is checked against the algorithm in the W3C’s Secure Contexts Specification, and developers are warned if it is non-secure, because such pages can be manipulated by a Man-In-The-Middle (MiTM) attacker.

The MiTM attacker can extract the password entered on the non-secure page by modifying the form action so that the password is submitted to an attacker-controlled server, or by using JavaScript to grab the contents of the password field before submission. Moreover, attackers could use JavaScript to log the user’s keystrokes and grab the password, without the user realizing they have been compromised.

Vyas also explains that these techniques render submitting the form over HTTPS useless for preventing eavesdropping or active MiTM attacks, because the HTTP page itself is non-secure. Even on websites that do not store sensitive information, users’ security is put at risk, mainly because many people reuse passwords across multiple sites.
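To make the check concrete, here is an added example (not Mozilla’s or SecurityWeek’s code) that approximates what the browser evaluates before showing the warning: whether the page holding the password field is a secure context and whether the form’s resolved submission target is secure. It assumes a simplified version of the Secure Contexts rules (https/wss/file origins and loopback hosts count as trustworthy) and that the caller supplies the URLs of any enclosing frames.

```javascript
// Added example, not Mozilla's implementation. Approximates the W3C Secure
// Contexts test: https/wss/file origins and loopback hosts are "potentially
// trustworthy"; plain http to any other host is not.
function isPotentiallyTrustworthy(urlString) {
  const { protocol, hostname } = new URL(urlString);
  if (protocol === "https:" || protocol === "wss:" || protocol === "file:") {
    return true;
  }
  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
}

// pageUrl:      the document containing the <input type="password">.
// ancestorUrls: URLs of enclosing frames (assumption: collected by the caller;
//               the spec requires every ancestor to be trustworthy as well).
// formAction:   the form's action attribute, possibly relative or empty.
function auditPasswordForm({ pageUrl, ancestorUrls = [], formAction = "" }) {
  const contextSecure = [pageUrl, ...ancestorUrls].every(isPotentiallyTrustworthy);

  // An empty action submits to the page itself; a relative action resolves
  // against the page URL, so action="/login" on an http page posts over http.
  const target = new URL(formAction, pageUrl);
  const actionSecure = isPotentiallyTrustworthy(target.href);

  const warnings = [];
  if (!contextSecure) {
    // This is the case the article describes: even an https action does not
    // help, because the page can be rewritten before the form is submitted.
    warnings.push("password field on a non-secure page; an active attacker can " +
                  "rewrite the form action or inject script before submission");
  }
  if (!actionSecure) {
    warnings.push("form submits credentials to a non-secure target: " + target.href);
  }
  return { contextSecure, actionSecure, target: target.href, warnings };
}
```

Run it against the URLs of a login page and its form action; an empty `warnings` array corresponds to the case where Firefox would not show the struck-through lock.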


The lock with a red strikethrough warning will be displayed even on pages where password fields are hidden until user interaction. Developers looking to remove the warning icon can do so by putting their login forms on HTTPS pages or by migrating the entire website to HTTPS, Mozilla says.

For the time being, the warning icon remains visible only in the developer edition of Firefox, because developers are the ones who need to fix sites that could expose passwords. However, since Mozilla is committed to deprecating non-secure HTTP, more and more explicit indications of when things are not secure will appear, Vyas says.

Google is also pushing developers to more widely adopt HTTPS, and announced last month that it plans to favor HTTPS pages over their HTTP counterparts in search results.

Earlier this week, Mozilla released Firefox 44, which dropped support for the vulnerable RC4 cipher. The company is also determined to kill support for the SHA-1 cryptographic hash function in the browser sometime over the next 12 months or so.