
Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Craig Francis <craig.francis@gmail.com>
Date: Sat, 3 Jan 2015 07:55:53 +0000
Cc: Jiri Danek <softwaredevjirka@gmail.com>, "mozilla-dev-security@lists.mozilla.org" <mozilla-dev-security@lists.mozilla.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, blink-dev <blink-dev@chromium.org>
Message-Id: <B26D97B8-D920-407A-B321-67B4F95C92A8@gmail.com>
To: Jim Manico <jim.manico@owasp.org>

> On 2 Jan 2015, at 22:09, Jim Manico <jim.manico@owasp.org> wrote:
> 
> So I say the browser absolutely knows that the data is - it's data that is sent over a field that a developer specifically labeled as a password. Passwords must be sent over HTTPS or nothing in today's threatscape.

Hi Jim,

I really appreciate what you're saying, and I would really like this as well.

But think about it from the typical programmer's point of view... their customers/managers might complain that the password field "looks odd" (the warning approach - where they won't read the error message, that's too difficult)... or does not work at all.

That developer might implement HTTPS... but in most cases (because they don't have time, or are possibly too lazy, with a manager saying "just fix it, and there's no budget for this"), they will just change the input type to "text"... and possibly copy/paste a jQuery plugin that will "bring back the dots", e.g.

http://www.jqueryscript.net/form/iOS-Like-Plain-Text-Input-of-Password-with-jQuery-mobilePassword-Plugin.html

http://css-tricks.com/better-password-inputs-iphone-style/

That's assuming the developer does not say that the browser is broken, and they should use a different one (I've unfortunately seen this response a few times before).

Craig
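As an added example, not part of this thread or anyone's posted code: a small audit function, from the defender's side, that scans a page's markup for the two conditions discussed above, a real password field served over plain HTTP, and a password-like field relabelled type="text" so the browser warning never fires while the credential is still sent in the clear. The sample HTML, the URL and the field names are constructed; the name heuristic is an assumption, not a standard.

```javascript
// Added example: audit <input> fields for plaintext password submission and
// for the "relabel as text and mask with JS" workaround. Pure string
// processing so it runs offline; the HTML below is constructed sample input.

// Heuristic (assumption): names/ids/classes/autocomplete hints for passwords.
// "passage_title" must NOT match, so a bare "pass" needs a non-letter around it.
const PASSWORD_HINT = /pass(word|wd|phrase)|pwd|(^|[^a-z])pass(?![a-z])/i;

// Parse the attribute part of one <input ...> tag into a lowercase-keyed map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] || m[3] || m[4] || '').trim();
  }
  return attrs;
}

// Return one finding per risky field; pageUrl decides whether the form is
// served over plain HTTP (the transport the submission will use by default).
function auditInputs(pageUrl, html) {
  const findings = [];
  const insecure = /^http:/i.test(pageUrl);
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    const type = (a.type || 'text').toLowerCase();
    const field = a.name || a.id || '(unnamed)';
    const hints = [a.name, a.id, a.autocomplete, a.class, a.placeholder].join(' ');
    if (type === 'password' && insecure) {
      findings.push({ field, issue: 'password field submitted over plain HTTP' });
    } else if (type === 'text' && PASSWORD_HINT.test(hints)) {
      findings.push({ field, issue: 'password-like field relabelled type="text"; ' +
        'browser warning avoided, credential still sent over ' + (insecure ? 'HTTP' : 'HTTPS') });
    }
  }
  return findings;
}

// Constructed sample page: one honest password field, one relabelled field,
// and one innocent "passage_title" field that the heuristic must ignore.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user"> <input type="password" name="password">
</form>
<form action="/login2" method="post">
  <input type="text" name="email">
  <input type="text" name="pass" class="js-mask-password" autocomplete="current-password">
</form>
<input type="text" name="passage_title">`;

console.log(JSON.stringify(auditInputs('http://shop.example/login', SAMPLE_HTML), null, 2));
```

Over the constructed page the audit reports two findings on http:// and one (the relabelled field) on https://, showing that moving to TLS fixes the first problem but not the workaround.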
Received on Saturday, 3 January 2015 07:56:21 UTC
