Firefox Will Warn About Password Fields On Insecure Pages
In 2017, Firefox Will Be Calling Out Password Fields On HTTP Pages.
Browsers do not like HTTP, and they are finally going to tell you about it. Earlier this year, Chrome announced that it would be warning users when a website presents a password field over HTTP.
Now Firefox has announced that they will also be warning about submitting passwords over HTTP. Mozilla developer Ryan Feeley posted about the upcoming behavior on his Twitter account.
The warning, which will premiere in Firefox 51 (planned release date in January 2017), will appear on any HTTP page that contains a password field. It does not matter if the page posts to (submits, for the non-developers) an HTTPS page, or if the password field is “hidden” (like arstechnica.com).
The warning will be released in two stages. In Firefox 51, the next version to be released, the warning will only appear in the address bar. The presence of a password field will cause a padlock with a red strike through it, along with a written explanation if you click the lock (as seen in the below screenshot taken in Firefox Nightly).
In Firefox 52, the warning will become more visible. Named the ‘contextual warning’, it appears directly below the password field when a user . Displaying the warning directly near the field will be important for visibility. A warning in the address bar is a good first step, but less likely to be noticed, especially since it may not have been initially displayed on the website if the login form is on a standalone page.
Eventually, Firefox hopes to also warn when credit card fields are present. But detecting those effectively is still in the works.
For both Chrome and Firefox, this change is a small step towards a larger plan to deprecate HTTP. Both browsers will increase the scope and severity of warnings against HTTP, which will be released in stages as HTTPS use increases.
Firefox is also planning on disabling the autofill feature on HTTP pages, so that the browser won’t be facilitating insecure transmissions of user credentials (this behavior is currently in Firefox Nightly).
Firefox 51 is planned for a January 2017 release. This will be around the same time that Chrome 56 ships with similar behavior.
For developers looking to learn more about Firefox’s treatment of password fields over HTTP, including the security risks of sending passwords insecurely and debugging information, see Mozilla’s dedicated doc. You have a little less than 2 months!
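For site owners who want to find affected pages before the release, here is an added example (not code from Mozilla or from the original article) that applies the rule as described above: any password field on a page served over HTTP is flagged, even when its form posts to HTTPS or is hidden. The `audit_page` helper, the `example.test` URLs and the sample markup are constructed for illustration, and "hidden" is assumed to mean hidden with CSS.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordFieldFinder(HTMLParser):
    """Collects every <input type="password"> and the form action it sits in."""
    def __init__(self):
        super().__init__()
        self.current_action = None   # action of the enclosing <form>, if any
        self.fields = []             # (field name, enclosing form action)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current_action = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").strip().lower() == "password":
            self.fields.append((attrs.get("name") or "", self.current_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_action = None

def audit_page(page_url, html):
    """Return one finding per password field that would trigger the warning."""
    if urlsplit(page_url).scheme.lower() != "http":
        return []                    # the page itself is served over HTTPS
    finder = PasswordFieldFinder()
    finder.feed(html)
    findings = []
    for name, action in finder.fields:
        target = urljoin(page_url, action or "")
        findings.append({
            "field": name,
            "submits_to": target,
            # An HTTPS target does not help: the form was delivered over HTTP.
            "https_action": urlsplit(target).scheme.lower() == "https",
        })
    return findings

# Constructed sample: a CSS-hidden login form on an HTTP page, posting to HTTPS.
SAMPLE = """
<form action="https://example.test/login" style="display:none">
  <input type="text" name="user">
  <input type="PASSWORD" name="pass">
</form>
"""

if __name__ == "__main__":
    print(audit_page("http://example.test/", SAMPLE))
```

A finding with `https_action` set to true is the case the article calls out: the credentials would be submitted over HTTPS, but the page is still flagged because the form itself arrived over HTTP.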