Update: This feature is now also enabled in Firefox Release, starting with Firefox 51. See this post for more details.

Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP.

Username and password pairs control access to users’ personal data. Websites should handle this information with care and only request passwords over secure (authenticated and encrypted) connections, like HTTPS. Unfortunately, we too frequently see non-secure connections, like HTTP, used to handle user passwords. To inform developers about this privacy and security vulnerability, Firefox Developer Edition warns developers of the issue by changing the security iconography of non-secure pages to a lock with a red strikethrough.

How does Firefox determine if a password field is secure or not?

Firefox determines if a password field is secure by examining the page it is embedded in. The embedding page is checked against the algorithm in the W3C’s Secure Contexts Specification to see if it is secure or non-secure. Anything on a non-secure page can be manipulated by a Man-In-The-Middle (MITM) attacker. The MITM can use a number of mechanisms to extract the password entered onto the non-secure page:

Change the form action so the password submits to an attacker controlled server instead of the intended destination. Then seamlessly redirect to the intended destination, while sending along the stolen password.

Use JavaScript to grab the contents of the password field before submission and send it to the attacker’s server.

Note that all of the attacks mentioned above can occur without the user realizing that their account has been compromised.

Firefox has been alerting developers of this issue via the Developer Tools Web Console since Firefox 26.

Why does the page have to be HTTPS? Why isn’t submitting over HTTPS enough?

We get this question a lot, so I thought I would call it out specifically. Although transmitting over HTTPS instead of HTTP does prevent a network eavesdropper from seeing a user’s password, it does not prevent an active MITM attacker from extracting the password from the non-secure HTTP page. As described above, active attackers can MITM an HTTP connection between the server and the user’s computer to change the contents of the webpage.
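The following is an added example, not code from the Mozilla post or from Firefox itself. It shows the reasoning the post describes as a small audit you could run against your own login pages: a password form is classified first by whether the embedding page is a secure context (a simplified reading of the W3C Secure Contexts rules: https, wss and file schemes plus localhost addresses count as potentially trustworthy), and only then by where the form submits. The page URL, form descriptors and hostnames below (the `.example.test` names, `classifyPasswordForm`, `auditForms`, `collectFormsFromDocument`) are constructed for this example.

```javascript
// Added example (not from the Mozilla post): audit password forms the way
// the post argues Firefox reasons about them. The page that embeds the
// field decides first; an HTTPS form action on an HTTP page does not help,
// because an active MITM can rewrite that action or inject script before
// the form is ever submitted.

// Simplified "potentially trustworthy origin" check. This is a reduced
// reading of the W3C Secure Contexts algorithm (assumption: we only cover
// https/wss/file schemes and loopback/localhost hosts).
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === 'https:' || u.protocol === 'wss:' || u.protocol === 'file:') {
    return true;
  }
  // URL.hostname keeps the brackets around IPv6 literals; strip them.
  const host = u.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '::1') return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return false;
}

// Classify one password form given the embedding page URL and the form's
// action attribute. Relative actions are resolved against the page URL,
// as the browser would resolve them.
function classifyPasswordForm(pageUrl, formAction) {
  const action = new URL(formAction || '', pageUrl).href;
  if (!isPotentiallyTrustworthy(pageUrl)) {
    // Non-secure page: the action target is irrelevant, since the page
    // contents (action, scripts) can be changed in transit.
    return {
      verdict: 'insecure',
      reason: 'password field on a non-secure page; action target does not help',
      action,
    };
  }
  if (!isPotentiallyTrustworthy(action)) {
    return {
      verdict: 'insecure',
      reason: 'secure page submits the password to a non-secure action',
      action,
    };
  }
  return { verdict: 'secure', reason: 'secure page and secure action', action };
}

// Audit a list of form descriptors ({ action, hasPassword }) for one page
// and return a verdict for each form that carries a password field.
function auditForms(pageUrl, forms) {
  return forms
    .filter((f) => f.hasPassword)
    .map((f) => classifyPasswordForm(pageUrl, f.action));
}

// Build the same descriptors from a live DOM when run inside a browser,
// so the audit can be pasted into the Web Console on a real login page.
function collectFormsFromDocument(doc) {
  return Array.from(doc.querySelectorAll('form')).map((form) => ({
    action: form.getAttribute('action') || '',
    hasPassword: form.querySelector('input[type="password"]') !== null,
  }));
}

// Constructed sample input: a plain-HTTP login page with three forms, one
// of which "submits over HTTPS" (the case the post's FAQ addresses).
const SAMPLE_PAGE = 'http://login.example.test/';
const SAMPLE_FORMS = [
  { action: 'https://login.example.test/session', hasPassword: true },
  { action: '/search', hasPassword: false },
  { action: 'login', hasPassword: true },
];

for (const r of auditForms(SAMPLE_PAGE, SAMPLE_FORMS)) {
  console.log(`${r.verdict}: ${r.reason} (${r.action})`);
}
```

Run the file with Node to see both password forms on the HTTP page flagged as insecure regardless of their action; in a browser, `auditForms(location.href, collectFormsFromDocument(document))` applies the same check to the current page.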