Login Forms over HTTPS, Please

Update: This feature is now also enabled in Firefox Beta, starting with Firefox Beta 50.

Pretty much everyone who uses the web has used a password to log into something. And pretty much everyone who has used a password has put that password at risk by entering it into an insecure form.

In Firefox 46 Developer Edition, we display a prominent warning to developers about this risk.  When a page with a password field is not delivered securely, Firefox displays a lock with a red strikethrough in the address bar:

Firefox Developer Edition 46 shows a struck-through lock icon for non-secure pages that have a password field

If you’re submitting your login form over HTTPS, that’s good, but it’s not enough. You have to deliver the form over HTTPS too.  If the login form isn’t delivered over a secure channel, then an attacker can inject JavaScript code to steal the user’s password — every character the user types can be stolen by the attacker.
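The distinction above between delivering a form securely and submitting it securely can be checked mechanically. The following is an added example, not code from Firefox or from the original post: a small auditor that reports both conditions for any page containing a password field. The names `audit`, `LoginFormAudit`, `LOCAL_HOSTS` and `SAMPLE` are hypothetical, and the exact set of hosts treated as local is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumption: hosts exempt from the check
# Constructed sample: a login form that submits over HTTPS.
SAMPLE = '<form action="https://example.com/login"><input type="password" name="pw"></form>'


def is_secure(url):
    """True for https:// URLs and for local hosts."""
    parts = urlsplit(url)
    return parts.scheme == "https" or parts.hostname in LOCAL_HOSTS


class LoginFormAudit(HTMLParser):
    """Records the submit target of every password field on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None      # resolved action of the enclosing form, if any
        self.password_targets = []   # one entry per password field found

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.form_action = urljoin(self.page_url, attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_targets.append(self.form_action or self.page_url)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit(page_url, html):
    """Return a list of findings; an empty list means delivery and submission are both secure."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    findings = []
    if parser.password_targets and not is_secure(page_url):
        findings.append("password field delivered over insecure page " + page_url)
    for target in parser.password_targets:
        if not is_secure(target):
            findings.append("password form submits to insecure URL " + target)
    return findings
```

Calling `audit("http://example.com/login", SAMPLE)` reports the delivery problem even though the form's action is HTTPS, which is the case the paragraph above describes.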

We’re releasing this feature in Developer Edition, since developers are ultimately the ones that need to make logins more secure on the sites they build.  (There are no current plans to show these warnings to users of Beta and general release Firefox.)  We’ve been displaying a warning in the Developer Tools Web Console for a long time; adding the struck-through lock icon to the URL bar makes the issue more prominent.

You can read more about this feature here.

About Tanvi Vyas

Security/Privacy Engineer and Tech Lead at Mozilla - @TanviHacks



12 comments

  1. Bjarni R. Einarsson

    Hello! This is a fantastic step forward.

    However, can we have an exception for localhost? Using the browser as a front-end for a local web server is an interesting way to develop very compelling apps (disclosure: I work on Mailpile, which is such an app), and it’s not a scenario where HTTPS makes sense (or is even available – you can’t get a cert for localhost).

    January 29th, 2016 at 08:02

    1. Tanvi Vyas

      You shouldn’t see this warning for localhost.

      January 29th, 2016 at 10:06

  2. Chris

    Although developers are the ones that need to make the form secure, it would still be useful for users in general to see this information, I think. Even if the user can’t fix it, at least they can be warned.

    January 29th, 2016 at 09:45

  3. Robert Thille

    The background of a password field should be red, and the source page/code shouldn’t be able to override that.

    January 29th, 2016 at 09:57

  4. Germ Torrentez

    Great Idea, but I think this should stay in the developer edition only. While some of us are lucky to work in environments where we have a lot of control over our “tech-stack” not many developers are fortunate enough.

    Plus until “Let’s Encrypt” or some other reputable ssl certs are issued free of charge it would be an unfair thing to expect everyone to be able to afford an ssl cert.

    January 29th, 2016 at 13:06

  5. allo

    > The background of a password field should be red, and the source page/code shouldn’t be able to override that.
    Nice idea, but easy to prevent: Make the whole login form red. Then nobody will notice it.

    January 29th, 2016 at 14:24

  6. voracity

    What about routers and other local network devices?

    January 30th, 2016 at 18:33

  7. Fabio

    Please consider enabling it also on standard releases. This will prevent a lot of phishings (they usually use plain HTTP).

    And then also for forms without a password field (to avoid phishings using a text field for passwords).

    Thanks!

    January 31st, 2016 at 02:47

  8. zdidit

    This is really nice for developers but for people using standard release also use passwords to enter into many personal accounts, it will be a good addition if it’s added to all the releases.

    Yeah getting a ssl cert will be something that most of the people using standard release will not be possible but still they will have an option to add it whenever they feel the need.

    February 5th, 2016 at 08:30

  9. 234234

    qweqwe

    February 11th, 2016 at 10:40

  10. Albert

    Great to see it is bobbling up from Nightly :) ! Looking forward to 2017 when not using HTTPS gives you a warning.

    Hope to see this kind of warnings soon in the other browsers as well!

    February 22nd, 2016 at 19:00

  11. Wellington Torrejais da Silva

    Very Good!

    February 24th, 2016 at 14:18

Comments are closed for this article.