Firefox 49: HTTP passwords on HTTPS sites

Martin Brinkmann
Aug 12, 2016

Mozilla plans to launch an update for the built-in password manager in Firefox that will make HTTP passwords work on HTTPS sites as well.

If you use the built-in functionality to save passwords in Firefox currently, you may know that the manager distinguishes between HTTP and HTTPS protocols.

When you save a password for http://www.example.com/, it won't work on https://www.example.com/. When you visit the site using HTTPS later on, Firefox won't suggest the username and password saved previously when connected via HTTP.

One option was to save passwords for HTTP and HTTPS sites separately, another to open the password manager and copy username and password manually whenever needed on the HTTPS version of a site.

With more and more sites migrating to HTTPS, or at least giving users the option to connect over HTTPS, it was time to re-evaluate the Firefox password manager's behavior in this regard.

Firefox 49: HTTP passwords on HTTPS sites

Mozilla made the decision to change the behavior in the following way starting with the release of Firefox 49.

Passwords for the HTTP protocol will work automatically when connected via HTTPS to the same site. In other words, if an HTTP password is stored in Firefox, it will be used for HTTP and HTTPS sites when Firefox 49 is released.

The reverse does not apply, however. Passwords saved explicitly for HTTPS won't be used when a user connects to the HTTP version of the site. The main reason for this is security: HTTP does not use encryption, so the username and password may be recorded easily by third parties.

If you have a saved HTTPS username/password for a given domain, we will not populate those credentials on the HTTP version of the same domain.
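The one-way rule described above, as an added JavaScript sketch (not Mozilla's code and not part of the original article): a login saved for an HTTP origin is offered on the HTTPS version of the same host, never the reverse. Exact host matching, comparing ports as written in the URL, the names `mayFill` and `loginsFor`, and the sample store are assumptions of this example.

```javascript
// Added illustration of the Firefox 49 matching rule; not Firefox source code.
// Split a URL into the parts a saved login is keyed on.
function originParts(url) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  // u.port is "" when the URL uses the default port of its scheme.
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// True if a login saved for savedOrigin may be offered on pageUrl.
function mayFill(savedOrigin, pageUrl) {
  const saved = originParts(savedOrigin);
  const page = originParts(pageUrl);
  // Assumption: exact host and identical explicit port; no subdomain matching.
  if (saved.host !== page.host || saved.port !== page.port) return false;
  if (saved.scheme === page.scheme) return true;
  // Schemes differ: only the upgrade direction (saved over HTTP, page on HTTPS)
  // is allowed. An HTTPS-saved login is never offered on a cleartext page.
  return saved.scheme === "http:" && page.scheme === "https:";
}

// Return the saved logins that are eligible for the page being visited.
function loginsFor(pageUrl, store) {
  return store.filter((login) => mayFill(login.origin, pageUrl));
}

// Constructed sample store (hypothetical entries, for illustration only).
const store = [
  { origin: "http://www.example.com", username: "alice" },
  { origin: "https://shop.example.com", username: "bob" },
  { origin: "http://intranet.example.com:8080", username: "carol" },
];

for (const page of [
  "https://www.example.com/login", // HTTP-saved login, HTTPS page
  "http://shop.example.com/",      // HTTPS-saved login, HTTP page
  "https://login.example.com/",    // different subdomain
]) {
  const names = loginsFor(page, store).map((l) => l.username);
  console.log(page, "->", names.length ? names.join(", ") : "(nothing offered)");
}
```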

Check out the bug listing on Bugzilla if you are interested in the discussion that led to the change in Firefox 49.

Closing Words

Firefox users who use the password manager of the web browser may notice the change once their version of the browser is updated to version 49. It should make things a bit more comfortable for those users, especially if a lot of HTTP passwords are saved already.

With more and more sites migrating over to HTTPS, it is likely that this will be beneficial to users of the browser. (via Sören)

Now You: Do you use the native password manager in Firefox?

Publisher: Ghacks Technology News

Comments

  1. Wolfbeast said on August 14, 2016 at 10:54 am

    I use the internal password manager all the time (with a master password of course), and it’s never an inconvenience.
    I’d say crossing the http/https boundary for convenience’s sake is a risk either way.

    If websites want to upgrade their security for logins from http to https, that should always be accompanied with a mandatory change of password (previous logins may already have been observed unencrypted) so either way, people would have to enter their password manually (one time! is once “too much”, really?) to update their login.

  2. Earl said on August 13, 2016 at 3:41 pm

    Strange. Every site I’m familiar with uses the same account info (username/password) regardless of whether http or https. It’s not required to secure the entire page in order to secure the username and password.

  3. David Naylor said on August 13, 2016 at 12:19 am

    This is a great improvement. I hope they can do the same for different subdomains as well. For instance, I may have saved my login for http://www.abc.com. When I return six months later, it uses login.abc.com to handle the login. Firefox should suggest logins from one subdomain for any other you may visit at the same main domain.

  4. wybo said on August 12, 2016 at 10:37 am

    That is good news.

    I only use FF pw manager for less critical sites. So non financial and no email sites for example.

    Thanks once again for your great site.

  5. Somedude said on August 12, 2016 at 9:26 am

    A bit off-topic, but I wish they also did this for the cookie whitelist. It’s tedious to whitelist both http and https for each site. (I’m aware there are addons for this)

    1. Maelish said on August 12, 2016 at 3:33 pm

      Wow, talk about forehead slapping moment! I didn’t realize cookies were affected either.

    2. Tom Hawack said on August 12, 2016 at 2:12 pm

      There’s a Firefox add-on that handles cookies permissions quite well, basic (not bloated) but includes http and https when adding/removing permissions for a given site : ‘Permit Cookies 2’

      I use it together with the excellent ‘Self-Destructing Cookies’
      Does the job and avoids having to go through what you mention.

      About Firefox 49: HTTP passwords on HTTPS sites, that’s just fine. Reminds as well that if a site can be accessed by both http and https (some domains do allow both) always choose https, of course. If you run HTTPSEverywhere it should be handled provided the url is listed, otherwise (and that’s my choice) another lesser known add-on called ‘Smart HTTPS’ is brilliant and … smarter IMO than the former.

    3. Dave said on August 12, 2016 at 11:07 am

      ooooohhh. This explains a lot
