Firefox 49: HTTP passwords on HTTPS sites - gHacks Tech News

Firefox 49: HTTP passwords on HTTPS sites

Mozilla plans to launch an update for the built-in password manager in Firefox that will make HTTP passwords work on HTTPS sites as well.

If you use the built-in functionality to save passwords in Firefox currently, you may know that the manager distinguishes between HTTP and HTTPS protocols.

When you save a password for http://www.example.com/, it won't work on https://www.example.com/. When you visit the site using HTTPS later on, Firefox won't suggest the username and password saved previously when connected via HTTP.

One option was to save passwords for HTTP and HTTPS sites separately, another to open the password manager and copy username and password manually whenever needed on the HTTPS version of a site.

With more and more sites migrating to HTTPS, or at least providing users with a HTTPS option to connect to it, it was time to evaluate the Firefox password manager behavior in this regard.

Firefox 49: HTTP passwords on HTTPS sites

firefox http login https password manager

Mozilla made the decision to change the behavior in the following way starting with the release of Firefox 49.

Passwords for the HTTP protocol will work automatically when connected via HTTPS to the same site. In other words, if a HTTP password is stored in Firefox, it will be used for HTTP and HTTPS sites when Firefox 49 is released.

The other way around does not however. Passwords saved explicitly for HTTPS, won't be used when a user connects to the HTTP version of the site. The main reason for this is security. More precisely, because HTTP does not use encryption, and that password and username may be recorded easily by third-parties.

If you have a saved HTTPS username/password for a given domain, we will not populate those credentials on the HTTP version of the same domain.

Check out the bug listing on Bugzilla if you are interested in the discussion that led to the change in Firefox 49.

Closing Words

Firefox users who use the password manager of the web browser may notice the change once their version of the browser is updated to version 49. It should make things a bit more comfortable for those users, especially if a lot of HTTP passwords are saved already.

With more and more sites migrating over to HTTPS, it is likely that this will be beneficial to users of the browser. (via Sören)

Now You: Do you use the native password manager in Firefox?

Summary
Firefox 49: HTTP passwords on HTTPS sites
Article Name
Firefox 49: HTTP passwords on HTTPS sites
Description
Mozilla plans to launch an update for the built-in password manager in Firefox that will make HTTP passwords work on HTTPS sites as well.
Author
Publisher
Ghacks Technology News
Logo

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Somedude said on August 12, 2016 at 9:26 am
    Reply

    A bit off-topic, but I wish they also did this for the cookie whitelist. It’s tedious to whitelist both http and https for each site. (I’m aware there are addons for this)

    1. Dave said on August 12, 2016 at 11:07 am
      Reply

      ooooohhh. This explains a lot

    2. Tom Hawack said on August 12, 2016 at 2:12 pm
      Reply

      There’s a Firefox add-on that handles cookies permissions quite well, basic (not bloated) but includes http and https when adding/removing permissions for a given site : ‘Permit Cookies 2’

      I use it together with the excellent ‘Self-Destructing Cookies’
      Does the job and avoids having to go through what you mention.

      About Firefox 49: HTTP passwords on HTTPS sites, that’s just fine. Reminds as well that if a site can be accessed by both http and https (some domains do allow both) always choose https, of course. If you run HTTPSEverywhere it should be handled provided the url is listed, otherwise (and that’s my choice) another lesser known add-on called ‘Smart HTTPS’ is brilliant and … smarter IMO than the former.

    3. Maelish said on August 12, 2016 at 3:33 pm
      Reply

      Wow, talk about forehead slapping moment! I didn’t realize cookies were affected either.

  2. wybo said on August 12, 2016 at 10:37 am
    Reply

    That is good news.

    I only use FF pw manager for less critical sites. So non financial and no email sites for example.

    Thanks once again for your great site.

  3. David Naylor said on August 13, 2016 at 12:19 am
    Reply

    This is a great improvement. I hope they can do the same for different subdomains as well. For instance, I may have saved my login for http://www.abc.com. When I return six months later, it uses login.abc.com to handle the login. Firefox should suggest logins from one subdomain for any other you may visit at the same main domain.

  4. Earl said on August 13, 2016 at 3:41 pm
    Reply

    Strange. Every site I’m familiar with uses the same account info (username/password) regardless of whether http or https. It’s not required to secure the entire page in order to secure the username and password.

  5. Wolfbeast said on August 14, 2016 at 10:54 am
    Reply

    I use the internal password manager all the time (with a master password of course), and it’s never an inconvenience.
    I’d say crossing the http/https boundary for convenience’s sake is a risk either way.

    If websites want to upgrade their security for logins from http to https, that should always be accompanied with a mandatory change of password (previous logins may already have been observed unencrypted) so either way, people would have to enter their password manually (one time! is once “too much”, really?) to update their login.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.