Firefox 49: HTTP passwords on HTTPS sites

Mozilla plans to launch an update for the built-in password manager in Firefox that will make HTTP passwords work on HTTPS sites as well.

If you use the built-in functionality to save passwords in Firefox currently, you may know that the manager distinguishes between HTTP and HTTPS protocols.

When you save a password for http://www.example.com/, it won't work on https://www.example.com/. When you visit the site using HTTPS later on, Firefox won't suggest the username and password saved previously when connected via HTTP.

One option was to save passwords for HTTP and HTTPS sites separately, another to open the password manager and copy username and password manually whenever needed on the HTTPS version of a site.

With more and more sites migrating to HTTPS, or at least providing users with a HTTPS option to connect to it, it was time to evaluate the Firefox password manager behavior in this regard.

Firefox 49: HTTP passwords on HTTPS sites

firefox http login https password manager

Mozilla made the decision to change the behavior in the following way starting with the release of Firefox 49.

Passwords for the HTTP protocol will work automatically when connected via HTTPS to the same site. In other words, if a HTTP password is stored in Firefox, it will be used for HTTP and HTTPS sites when Firefox 49 is released.

The other way around does not however. Passwords saved explicitly for HTTPS, won't be used when a user connects to the HTTP version of the site. The main reason for this is security. More precisely, because HTTP does not use encryption, and that password and username may be recorded easily by third-parties.

If you have a saved HTTPS username/password for a given domain, we will not populate those credentials on the HTTP version of the same domain.

Check out the bug listing on Bugzilla if you are interested in the discussion that led to the change in Firefox 49.

Read also:  Mozilla might offer Freemium services in the future

Closing Words

Firefox users who use the password manager of the web browser may notice the change once their version of the browser is updated to version 49. It should make things a bit more comfortable for those users, especially if a lot of HTTP passwords are saved already.

With more and more sites migrating over to HTTPS, it is likely that this will be beneficial to users of the browser. (via Sören)

Now You: Do you use the native password manager in Firefox?

Summary
Article Name
Firefox 49: HTTP passwords on HTTPS sites
Description
Mozilla plans to launch an update for the built-in password manager in Firefox that will make HTTP passwords work on HTTPS sites as well.
Author
Publisher
Ghacks Technology News
Logo
Advertisement
Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to Firefox 49: HTTP passwords on HTTPS sites

  1. Somedude August 12, 2016 at 9:26 am #

    A bit off-topic, but I wish they also did this for the cookie whitelist. It's tedious to whitelist both http and https for each site. (I'm aware there are addons for this)

    • Dave August 12, 2016 at 11:07 am #

      ooooohhh. This explains a lot

    • Tom Hawack August 12, 2016 at 2:12 pm #

      There's a Firefox add-on that handles cookies permissions quite well, basic (not bloated) but includes http and https when adding/removing permissions for a given site : 'Permit Cookies 2'

      I use it together with the excellent 'Self-Destructing Cookies'
      Does the job and avoids having to go through what you mention.

      --

      About Firefox 49: HTTP passwords on HTTPS sites, that's just fine. Reminds as well that if a site can be accessed by both http and https (some domains do allow both) always choose https, of course. If you run HTTPSEverywhere it should be handled provided the url is listed, otherwise (and that's my choice) another lesser known add-on called 'Smart HTTPS' is brilliant and ... smarter IMO than the former.

    • Maelish August 12, 2016 at 3:33 pm #

      Wow, talk about forehead slapping moment! I didn't realize cookies were affected either.

  2. wybo August 12, 2016 at 10:37 am #

    That is good news.

    I only use FF pw manager for less critical sites. So non financial and no email sites for example.

    Thanks once again for your great site.

  3. David Naylor August 13, 2016 at 12:19 am #

    This is a great improvement. I hope they can do the same for different subdomains as well. For instance, I may have saved my login for http://www.abc.com. When I return six months later, it uses login.abc.com to handle the login. Firefox should suggest logins from one subdomain for any other you may visit at the same main domain.

  4. Earl August 13, 2016 at 3:41 pm #

    Strange. Every site I'm familiar with uses the same account info (username/password) regardless of whether http or https. It's not required to secure the entire page in order to secure the username and password.

  5. Wolfbeast August 14, 2016 at 10:54 am #

    I use the internal password manager all the time (with a master password of course), and it's never an inconvenience.
    I'd say crossing the http/https boundary for convenience's sake is a risk either way.

    If websites want to upgrade their security for logins from http to https, that should always be accompanied with a mandatory change of password (previous logins may already have been observed unencrypted) so either way, people would have to enter their password manually (one time! is once "too much", really?) to update their login.

Leave a Reply