Do you run a website that asks your users to login to their account? If so, do you request those login credentials over HTTP rather than HTTPS?
It turns out that many websites do, including some big names who you would think would know better.
For instance, British supermarket Waitrose and the Royal Mail.
Now, it is possible that the developers of these websites believe that they have protected users’ passwords from hackers by ensuring that anything entered into those fields is posted securely via an encrypted HTTPS connection, but as security researcher Troy Hunt explained a few years ago there is still a problem.
As Troy demonstrates in the above YouTube video, transmitting login credentials over HTTPS does prevent hackers from snooping on the network traffic and grabbing users’ passwords, but it doesn’t stop a man-in-the-middle attacker from stealing the password as it is entered into the unsecured HTTP form, because the HTTP page itself can be tampered with on its way to the user.
The answer is simple. Put your login forms on HTTPS pages, not HTTP pages. If you are not able to move your entire website to HTTPS just yet then at the very least create a separate login page that is served via HTTPS.
In an attempt to encourage web coders to make their sites safer for users, the latest developer edition of Firefox now warns when you visit a non-secure webpage that includes a form containing a password field.
And, if it finds one, it will display a padlock with a red slash cutting through it in the URL bar.
As Tanvi Vyas explains in a blog post, Firefox has been displaying alerts about the security issue via the Developer Tools Web Console since Firefox 26, but typical users are unlikely to have seen it there.
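To apply the same rule Firefox uses to your own site, here is a small audit helper (added here as an example; it is not Firefox code or code from the original article) that flags any page served over plain HTTP containing a password field, even when the form posts to HTTPS, and separately flags forms that post credentials to a non-HTTPS action. The sample pages and the shop.example host are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordFieldFinder(HTMLParser):
    """Collect every <input type="password"> together with the action URL of the form it sits in."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._form_action = None
        self.findings = []  # list of (absolute form action or None, field name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names for us
        if tag == "form":
            # A missing action means "post back to this page"
            self._form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.findings.append((self._form_action, a.get("name") or "<unnamed>"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_login_page(page_url, html):
    """Return a list of warnings for page_url with body html; an empty list means the page is clean."""
    warnings = []
    page_is_https = urlsplit(page_url).scheme.lower() == "https"
    finder = _PasswordFieldFinder(page_url)
    finder.feed(html)
    for action, name in finder.findings:
        if not page_is_https:
            # This is the case Firefox warns about: the page can be modified in transit
            warnings.append(f"password field '{name}' on non-HTTPS page {page_url}")
        if action and urlsplit(action).scheme.lower() != "https":
            warnings.append(f"password field '{name}' posts to non-HTTPS action {action}")
    return warnings


# Constructed sample pages (not real sites) used for the demonstration below.
HTTPS_POST_FORM = """<html><body><form action="https://shop.example/login" method="post">
  <input type="text" name="user"> <input type="password" name="pass">
</form></body></html>"""
HTTP_POST_FORM = """<form action="http://shop.example/login" method="post">
  <input name="pass" type="PASSWORD"></form>"""

if __name__ == "__main__":
    for url, body in [("http://shop.example/account", HTTPS_POST_FORM),
                      ("https://shop.example/account", HTTPS_POST_FORM),
                      ("https://shop.example/account", HTTP_POST_FORM)]:
        print(url, "->", audit_login_page(url, body) or "OK")
```

The first sample is the Waitrose-style case from the article: an HTTP page whose form posts to HTTPS is still flagged, because the page that renders the field is the part an attacker can alter.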
Since Mozilla and other browser manufacturers have made clear that they are working towards deprecating non-secure HTTP entirely in the long run, the warnings shown when a site is found to be insecure are only going to become more explicit and prominent.
In other words, sooner or later the regular version of Firefox will warn you about websites like Waitrose and Royal Mail if they ask you to enter your password on an insecure non-HTTPS page.
Indeed, right now you can configure your regular version of Firefox to display a visual warning when you visit a website with an insecure login form:
- Open a new window or tab in Firefox.
- Type about:config in the address bar and press Enter.
- Click past the warning that you will be careful when changing settings.
- Set the value of the security.insecure_password.ui.enabled preference to true if you want to be warned about non-secure login pages. If you later wish to disable the option, set the value to false instead.
If you’re a web developer, make sure that you understand the dangers of asking for login credentials on an HTTP page, and fix your site now before your users start complaining about their browser warning them that you are putting them at unnecessary risk.