On Thu, Apr 14, 2016 at 11:54 AM, Chris Peterson <cpeter...@mozilla.com> wrote:
> * Sites that allow users to configure preferences without logging into an
> account would forget the users' preferences if they are not using HTTPS. For
> example, companies that have regional sites would forget the user's selected
> region at the end of the browser session.
This also applies to any site that does login over insecure HTTP, right? Hopefully this isn't the Alexa top 25, but there's a long tail of small sites out there that lots of users spend lots of time on, like web forums, which last I checked do not typically use HTTPS. I'm concerned that this change would significantly degrade a lot of users' experience. To the user, this looks like "In Firefox I have to log in again every time, but in other browsers I don't."

Moreover, if a site has login over insecure HTTP, clearing cookies at the end of each session makes use of the site less secure, not more. It will force users to submit their passwords in plaintext at the beginning of every session, which allows the attacker to take over as the user forever. If the user only logs in once and keeps the cookies for a long period (e.g., 30 days), an attacker who intercepts only one session would only be able to control the user's account until the cookie expires.

Also, the user's password could be used to log in as the user on other sites, because of password reuse, whereas the cookie cannot be used this way. These other sites could include banks, e-mail, etc., even if the site being attacked is a small web forum or such. This is a much more severe vulnerability in practice than just taking over the current session.

It might be possible to special-case login cookies, perhaps defined as cookies that are set in response to submission of a password field, and let them persist beyond the end of the session. I would still be wary of the UX implications of forgetting preferences, though.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
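The message above proposes an exemption: cookies set over insecure HTTP would normally be downgraded to session cookies, but cookies set in response to a password-form submission would keep the site's own expiry. The following is an added illustration of that rule, not Firefox code or anything from the thread. The `Request` fields, the rule names and the sample `Set-Cookie` headers are constructed for this example; a real browser would learn `submitted_password_field` from the form it just submitted.

```python
"""Model of a 'treat insecure-HTTP cookies as session cookies' policy with a
login-cookie exemption. Added example only: the Request fields, the rules and
the sample headers are constructed here and are not a browser's implementation."""
from dataclasses import dataclass
from http.cookies import SimpleCookie

LOGIN_EXEMPT = "login-cookie exemption (set in response to a password form)"


@dataclass(frozen=True)
class Request:
    scheme: str                     # "http" or "https"
    method: str                     # "GET" or "POST"
    submitted_password_field: bool  # the submitted form had <input type=password>


def _site_wants_persistent(morsel) -> bool:
    """True if the server asked for a cookie that outlives the browser session."""
    return bool(morsel["max-age"] or morsel["expires"])


def classify_cookies(request: Request, set_cookie_headers):
    """Return {cookie_name: (persists_past_session, reason)} for each Set-Cookie header.

    Rules (constructed for the example):
      * a cookie the site itself made session-only stays session-only;
      * over HTTPS the site's expiry is honored;
      * over HTTP the cookie is downgraded to session-only, unless it was set in
        the response to a POST that submitted a password field (login exemption).
    """
    result = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not _site_wants_persistent(morsel):
                result[name] = (False, "site set a session cookie")
            elif request.scheme == "https":
                result[name] = (True, "secure origin; site's expiry honored")
            elif request.method.upper() == "POST" and request.submitted_password_field:
                result[name] = (True, LOGIN_EXEMPT)
            else:
                result[name] = (False, "insecure origin; downgraded to session cookie")
    return result


# Constructed sample headers: a 30-day region preference, a login session id
# with an absolute expiry, and a cookie the site already made session-only.
SAMPLE_HEADERS = [
    "region=eu; Max-Age=2592000; Path=/",
    "sid=abc123; Expires=Sat, 14 May 2016 11:54:00 GMT; Path=/; HttpOnly",
    "tmp=1; Path=/",
]

if __name__ == "__main__":
    cases = {
        "HTTP preference page (GET)": Request("http", "GET", False),
        "HTTP login form (POST)": Request("http", "POST", True),
        "HTTPS preference page (GET)": Request("https", "GET", False),
    }
    for label, req in cases.items():
        print(label)
        for name, (persists, reason) in classify_cookies(req, SAMPLE_HEADERS).items():
            print(f"  {name:7s} persists={persists!s:5s} {reason}")
```

Running the block shows the trade-off the message describes: on the plain-HTTP preference page the `region` cookie is forgotten at the end of the session, while the same headers in the response to a password submission keep their expiry, so the user is not asked to resend the password every session.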