by osolo 3794 days ago
I wish they outlined a plan to push this icon out to Stable. Even better, the plan should call for the browser to eventually refuse to submit forms with password fields unless HTTPS was used for both loading the form and submitting it.

I think that developers who are still using HTTP with passwords either don't understand the implications (and a tiny icon won't help), don't care, or don't have "management buy-in" to spend the time to fix it. Having the browser force best security practices will benefit them and everyone using their websites.

1 comments

The browser should display a scary warning popup when submitting a form to http (either always, or maybe at least when there is an input type=password in the form). This would be annoying enough to get management buy-in to implement https, if someone still maintains the app - better than a tiny icon.

Breaking stuff is a last resort, nuclear option. There are many forgotten, old web apps that would totally stop working and people would switch to another, less secure browser as a result.

They used to -- see http://www.kentlaw.edu/faculty/rwarner/classes/legalaspects/... (§2.4, about half-way down) and http://labs.ft.com/2014/05/do-we-really-need-to-hide-the-url...

But it was removed in later versions of Netscape and Internet Explorer, because everyone turned it off as soon as they made their first search engine query.

I remember that, though honestly the internet was a bit different 15 years ago - it was in (almost)-pre-HTTPS, pre-public-WiFi, pre-Snowden times. It's time to progress now that the realities and technical capabilities have changed.

Today there should not be a "do not display this anymore" checkbox.

FWIW, 1Password will do this: https://15254b2dcaab7f5478ab-24461f391e20b7336331d5789078af5... (not my image)

1Password will also refuse to autofill passwords when it can't verify the application's signature (for example, if Chrome hasn't been updated in a while).

That is not particularly scary though. That's the kind of thing a user will automatically press "next" on. This is the kind of warning that looks scary: http://i.stack.imgur.com/2kaXO.png