W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Jim Manico <jim.manico@owasp.org>
Date: Fri, 26 Dec 2014 12:49:25 -1000
Message-ID: <549DE5F5.4040707@owasp.org>
To: Craig Francis <craig.francis@gmail.com>, Jiri Danek <softwaredevjirka@gmail.com>
CC: "mozilla-dev-security@lists.mozilla.org" <mozilla-dev-security@lists.mozilla.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, blink-dev <blink-dev@chromium.org>
Submitting a password over HTTP. I mean, this is a really LOW bar to 
win. May I suggest a few phases?

Phase 1 = warn the user when they are about to submit a password field 
over HTTP (do some browsers do this already?)
Phase 2 = submit a recommendation and guidance to have development tools 
warn the developers somehow during development...
Phase 3 = ban this practice in the browser someday

On 12/26/14 12:38 PM, Craig Francis wrote:
>> On 26 Dec 2014, at 22:20, Jiri Danek <softwaredevjirka@gmail.com> wrote:
>>
>> Have there been any suggestions what to do about <FORM>s sent over HTTP that include <INPUT type="password">? For example marking the password field itself as dubious/insecure? (I am absolutely not saying that is what browsers should be doing, mind you)
>
> Oh, just set the form action to an invalid HTTPS url, and change it with JS on the submit event, or just send via AJAX... see perfectly secure (no warnings), you can even use rot-13 for extra protection... and who cares about non JS browsers? :-P
>
> Seriously though, we need to start moving over to HTTPS only... baby steps at first (e.g. tiny UI hints to educate users), fix the issues (e.g. issuing and installing certs), but we can get there eventually :-)
>
> Craig
Received on Friday, 26 December 2014 22:50:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC