On Fri, Apr 15, 2016 at 5:45 PM, Matthew N. <ma...@mozilla.com> wrote:
> On 2016-04-15 7:47 AM, Tantek Çelik wrote:
>
>> What steps can we take in this direction WITHOUT breaking web compat?
>>
>> E.g. since one of the issues raised is that *every* time a user
>> enters/submits a password over HTTP (not secure), it opens them to
>> being sniffed etc., thus it's good to discourage the frequency.
>>
>> Some STRAW PROPOSALS that I expect others here (and UX folks) to
>> easily improve on:
>>
>> 1. Warning (perhaps similar to the invalid red glow) on password
>> inputs in forms with HTTP "action"
>
> We are making progress towards this and Aislinn Grigas from UX worked on a
> design for something like this:
> https://bugzilla.mozilla.org/attachment.cgi?id=8678150
>
> We already started developer-specific warnings in the web console and in
> the address bar of Nightly + Developer Edition:
> https://hacks.mozilla.org/2016/01/login-forms-over-https-please/
>
> There are some dependencies to fix before doing user-facing warnings which
> we're currently working on. You can follow along in the bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1217162
>
>> 2. Warning (similarly) on HTTP-auth password dialogs
>
> This is https://bugzilla.mozilla.org/show_bug.cgi?id=1185145 which I
> haven't seen a design for yet but should be less risky to implement than
> for <input>. It is in the Firefox privacy/security team backlog.

Could we just disable HTTP auth for connections not protected with TLS? At least Basic auth is manifestly insecure over an insecure transport. I don't have any usage statistics, but I suspect it's pretty low compared to form-based auth.

--Richard

> Meta bug related to dealing with insecure login forms:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1217142
>
> Thanks,
> Matthew N.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
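An added example, not part of the thread and not Firefox code: a site-audit check that flags the two conditions the proposals target, a password input whose form submits over HTTP and an HTTP-auth challenge on a connection without TLS. It also flags password fields on pages that are themselves served over HTTP, which goes slightly beyond proposal 1; the function name `audit_response`, the finding labels and the `example.test` URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormScanner(HTMLParser):
    """Records the action of each <form> that holds a password input."""

    def __init__(self):
        super().__init__()
        self.action = None            # action of the currently open form
        self.password_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # A field outside any form is treated as submitting to the page.
            self.password_actions.append(self.action or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None


def audit_response(url, headers, body):
    """Return sorted finding labels (hypothetical names) for one response."""
    findings = set()
    page_is_tls = urlsplit(url).scheme == "https"
    scanner = PasswordFormScanner()
    scanner.feed(body)
    for action in scanner.password_actions:
        if not page_is_tls:
            findings.add("password-field-on-http-page")
        # An empty action resolves to the page URL itself.
        if urlsplit(urljoin(url, action)).scheme != "https":
            findings.add("password-form-submits-over-http")
    # HTTP-auth challenge (e.g. Basic) on a connection without TLS.
    challenge = next((v for k, v in headers.items()
                      if k.lower() == "www-authenticate"), "").strip()
    if challenge and not page_is_tls:
        findings.add("http-auth-without-tls:" + challenge.split()[0].lower())
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    print(audit_response("https://example.test/login", {},
                         '<form action="http://example.test/s">'
                         '<input type="password"></form>'))
    print(audit_response("http://example.test/admin",
                         {"WWW-Authenticate": 'Basic realm="x"'}, ""))
```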