February 1, 2016 By Douglas Bonderud 2 min read

Passwords are a problem. As noted by Gizmodo, 2015 was a banner year for terrible choices, with “123456” and “password” topping the list. But there’s another problem looming for passwords, even those chosen with care: requests over HTTP.

Despite pressure from search giant Google and the success of projects like Let’s Encrypt, HTTPS adoption remains slow — and password requests over its nonsecure sibling pose big problems for users and site owners alike. As a result, some companies are taking steps: Non-HTTPS password requests are now flagged by Firefox in an effort to beef up security and lower corporate risk.

Warning Signs for HTTP

According to SecurityWeek, Firefox DevEdition 46 will alert developers when passwords are requested on nonsecure pages, displaying a lock icon with a red strikethrough. Mozilla security engineer Tanvi Vyas said the new Firefox effort checks any Web page with an embedded password field against the W3C’s Secure Contexts Specification.

HTTP password fields fail this test since they carry the risk of allowing man-in-the-middle (MitM) attacks using JavaScript for keylogging or changing the destination of the submitted password to an attacker-controlled server.

Even password fields that stay hidden until the user interacts with the page are still at risk and still get flagged. The only way to avoid the warning is to host login pages on HTTPS or migrate the entire website to HTTPS. It’s worth noting, however, that only the Developer Edition of Firefox comes with the warning; the public doesn’t get the notification yet.
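The check described above, written out as an added example (this is not Mozilla’s code): it walks a page’s HTML, finds every password field, and reports it when the page origin or the form’s submit target is not potentially trustworthy. It assumes a simplified reading of the Secure Contexts rules (https, wss, file and loopback hosts count as secure) and uses only the Python standard library.

```python
"""Flag password fields that are not in a secure context, roughly as
Firefox DevEdition 46 does. Simplified Secure Contexts logic (assumption)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin


def is_potentially_trustworthy(url: str) -> bool:
    """Assumed subset of the spec: secure schemes or a loopback host."""
    parts = urlsplit(url)
    if parts.scheme in ("https", "wss", "file"):
        return True
    host = parts.hostname or ""
    return host in ("localhost", "127.0.0.1", "::1") or host.endswith(".localhost")


class PasswordFormAuditor(HTMLParser):
    """Collects every <input type=password> together with its form's action."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self._form_action = None  # resolved action of the currently open <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # Hidden fields are audited too: the risk is the same once they show.
            action = self._form_action or self.page_url
            reasons = []
            if not is_potentially_trustworthy(self.page_url):
                reasons.append("page served over insecure origin")
            if not is_potentially_trustworthy(action):
                reasons.append("form submits to insecure action")
            self.findings.append({"name": a.get("name"), "action": action, "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit(page_url: str, html: str) -> list:
    parser = PasswordFormAuditor(page_url)
    parser.feed(html)
    return parser.findings


def insecure_fields(page_url: str, html: str) -> list:
    return [f for f in audit(page_url, html) if f["reasons"]]


# Constructed sample: an HTTP page whose form posts to HTTPS still fails, because
# script injected into the HTTP page can read the field before it is submitted.
SAMPLE = '<form action="https://example.com/login"><input name="pw" type="password"></form>'
```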

Risky Business

For businesses, this HTTP risk should act as a wake-up call: Users often duplicate passwords across multiple sites, meaning that a single MitM attack on a nonsecure page could compromise everything from user devices to essential network services. In other words, avoiding HTTPS doesn’t just put company data at risk, but also impacts the privacy of employees and consumers. This privacy is quickly becoming legislated instead of merely assumed, enforced instead of simply encouraged.

Consider a recent Google demonstration at the Usenix Enigma 2016 security conference where the search giant showcased an experimental marking system that flags all HTTP pages as insecure. ZDNet reported that users can get a sneak peek of the feature by typing “chrome://flags/” into the browser’s URL bar and then enabling “Mark nonsecure origins as nonsecure.”

While there’s no official release date for the feature to become a default security setting in Chrome, the Chromium issue tracker indicated the company’s goal is to “mark nonsecure pages like HTTP using the same bad indicator as broken HTTPS.”

Developer warnings from Firefox and experimental efforts from Google lead to the same conclusion: Browser builders are calling out HTTP insecurities to enhance user privacy and encourage HTTPS adoption. Businesses have two choices: Get on board with the transition, or face the backlash as users seek secure alternatives.
