
Comments (15)

muckSponge commented on August 28, 2024

Just for clarification; I'd like to make text red and provide a warning icon for broken HTTPS like in Chrome, but Firefox does not provide a selector for that specific case.

Insecure forms now make text red and have a warning icon.

Please let me know what you think of these changes :)

from materialfox.

muckSponge commented on August 28, 2024

> When looking at a normal HTTP site, the lock changes to an info icon like Chrome (please recommend users to enable security.insecure_connection_text.enabled for the "Not Secure" text - see PR #27).

Merged pull request so this should be working now, though it won't work for the broken HTTPS case.

> However, when looking at a HTTP site with a password field, the info icon persists but the normal lock icon persists too, which is a huge security issue.

Fixed in d763d69.

> I would recommend swapping the broken lock with the warning icon and when the icon exists, make the whole text red, like Chrome in October (also available now on broken HTTPS, FWIW).

Not sure this is possible in Firefox for the broken HTTPS case because it doesn't provide selectors for it. The only selector for it is .unknownIdentity but this is also added for virtually every "insecure" case, including the plain old HTTP case, so I have no way to distinguish it. I should be able to do something about the HTTP password case though. Will tackle that a bit later.

Madis0 commented on August 28, 2024

> Not sure this is possible in Firefox for the broken HTTPS case because it doesn't provide selectors for it.

Oops, I meant the broken HTTPS on Chromium, as in the red indicator can already be viewed without waiting for October.

> The only selector for it is .unknownIdentity but this is also added for virtually every "insecure" case, including the plain old HTTP case, so I have no way to distinguish it.

.insecureLoginForms, no?

> I should be able to do something about the HTTP password case though. Will tackle that a bit later.

You could just replace the broken lock with the red triangle for now.

Madis0 commented on August 28, 2024

I guess Firefox doesn't provide that as they don't want to make the indicator and full-page warning conflict (so people wouldn't think that the warning is not secure). I recall that the broken lock should still appear when you ignore the full-page warning.

muckSponge commented on August 28, 2024

https://wrong.host.badssl.com/ still won't feature any "Not secure" text purely because Firefox doesn't add it to the DOM but the correct icon and colour should be shown throughout.

muckSponge commented on August 28, 2024

I've tested b33f56f under each scenario described here and many more:

unknownIdentity
verifiedIdentity
verifiedDomain
mixedActiveBlocked
mixedDisplayContent
mixedDisplayContentLoadedActiveBlocked
certUserOverriden
mixedActiveContent
insecureLoginForms
chromeUI
extensionPage

And it behaves as closely as possible to Chrome. I'll close this but feel free to open if there's something I've missed or it requires further discussion.

Madis0 commented on August 28, 2024

On 63.0b9 as of 8ca2049, HTTP passwords are displayed the same as other HTTP sites. When forcing the broken padlock for all HTTP (security.insecure_connection_icon.enabled), the info icon resets to the Firefox one.

I cannot reopen the issue, so I hope you see this regardless.
Edit: same Firefox info icons appear on extension-defined pages, such as settings.

Madis0 commented on August 28, 2024

That commit fixed the Firefox-style info icons with the mentioned flag enabled but not extension pages (e.g. uBlock Origin settings), which display both the Fx info icon and extension icon.

Also there is still no more red triangle on HTTP passwords, is your goal to be consistent with current stable Chromium? (so I'd assume you'll add it when version 70 gets released)

muckSponge commented on August 28, 2024

I'm on 70.0.3538.35 and I don't see a red triangle for HTTP passwords. Is there something I'm missing?

muckSponge commented on August 28, 2024

Oh I see, it's hidden behind chrome://flags/#enable-mark-http-as Enabled (mark as actively dangerous). Is this going to become the default at some point? Because currently, the default in 70 is to display the grey "Not secure" text with the info icon, not red warning icon and text.

Madis0 commented on August 28, 2024

Not sure how development versions work, but stable will add a red triangle when writing text to any HTTP input. Since Firefox does not currently check for that, the best you can do (without an extension) is make it work the way it already does - marking HTTP pages with password fields insecure.

You can test it now by setting the flag to
(mark with a Not Secure warning and dangerous on form edits).

muckSponge commented on August 28, 2024

Warning icon will now appear for HTTP passwords in Firefox.

Madis0 commented on August 28, 2024

Can confirm it working now.

The setting security.insecure_connection_icon.enabled doesn't change anything now, but it is a hidden, default-disabled setting anyway...
You can support it if you prefer, but I believe Chromium will change the "Not Secure" default to red triangle soon anyway (rumored early next year), so it could be the default as a part of this theme too.

muckSponge commented on August 28, 2024

I should probably support that pref but not sure if I can be bothered. I'll have a think about it.

muckSponge commented on August 28, 2024

I'll leave it as is and close this issue.
