February 1, 2016 By Douglas Bonderud 2 min read

Passwords are a problem. As noted by Gizmodo, 2015 was a banner year for terrible choices, with “123456” and “password” topping the list. But there’s another problem looming for passwords, even those chosen with care: requests over HTTP.

Despite pressure from search giant Google and the success of projects like Let’s Encrypt, HTTPS adoption remains slow — and password requests over its nonsecure sibling pose big problems for users and site owners alike. As a result, some companies are taking steps: Non-HTTPS password requests are now flagged by Firefox in an effort to beef up security and lower corporate risk.

Warning Signs for HTTP

According to SecurityWeek, Firefox DevEdition 46 will alert developers whether passwords are requested on nonsecure pages, displayed as a lock with a red strikethrough. Mozilla security engineer Tanvi Vyas said the new Firefox effort examines any Web page with an embedded password field against the WC3’s Secure Contexts Specification.

HTTP password fields fail this test since they carry the risk of allowing man-in-the-middle (MitM) attacks using JavaScript for keylogging or changing the destination of the submitted password to an attacker-controlled server.

Even password fields hidden without user interaction are still at risk. The only way to avoid getting flagged is by hosting login pages on HTTPS or migrating an entire website to the secure server. It’s worth noting, however, that only the Developer Edition of Firefox comes with a warning; the public doesn’t get the notification yet.

Risky Business

For businesses, this HTTP risk should act as a wake-up call: Users often duplicate passwords across multiple sites, meaning that a single MitM attack on a nonsecure page could compromise everything from user devices to essential network services. In other words, avoiding HTTPS doesn’t just put company data at risk, but also impacts the privacy of employees and consumers. This privacy is quickly becoming legislated instead of merely assumed, enforced instead of simply encouraged.

Consider a recent Google demonstration at the Usenix Enigma 2016 security conference where the search giant showcased an experimental marking system that flags all HTTP pages as insecure. ZDNet reported that users can get a sneak peek of the feature by typing “chrome://flags/” into the browser’s URL bar and then enabling “Mark nonsecure origins as nonsecure.”

While there’s no official release date for the feature to become a default security setting in Chrome, the Chromium issue tracker indicated the company’s goal is to “mark nonsecure pages like HTTP using the same bad indicator as broken HTTPS.”

Developer warnings from Firefox and experimental efforts from Google lead to the same conclusion: Browser builders are calling out HTTP insecurities to enhance user privacy and encourage HTTPS adoption. Businesses have two choices: Get on board with the transition, or face the backlash as users seek secure alternatives.

More from

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything.But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists in…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today