Clear-text form submission not suitably reflected as dangerous
Reported by
r...@robchahin.com,
Oct 19
|
|||||
Issue descriptionThis template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com /chromium/src/+/master/docs/security/faq.md Please see the following link for instructions on filing security bugs: https://www.chromium.org/Home/chromium-security/reporting-security-bugs Reports may be eligible for reward payments under the Chrome VRP: http://g.co/ChromeBugRewards NOTE: Security bugs are normally made public once a fix has been widely deployed. ------------------------- VULNERABILITY DETAILS The (i) indicator used in place of the padlock / warning sign in the address bar is ambiguous and does not communicate risk or danger to users. VERSION Chrome Version: 69.0.3497.100 stable Operating System: OSX 10.12.6 REPRODUCTION CASE Visit https://www.greenbusthailand.com/website/ This site is served as HTTPS with HTTP form submission for login: <a href="http://www.greenbusthailand.com/greenbus/internet/login.php" class="register">register</a> The grey (i) in the address bar does not convey any immediate risk in using this login form. Clicking on the (i) states that the connection is not "fully secure", which is ambiguous and hard for a typical user to get any information from. It seems unlikely that this icon is enough to deter the vast majority of people from entering login credentials here. One could argue that a cleartext form submission is not necessarily a bad thing, but this is explicitly labeled as a password field, so should be a red flag. A more direct warning could disincentivize website operators from engaging in such practices. CREDIT INFORMATION Reporter credit: Rob Chahin
,
Oct 20
,
Oct 20
,
Oct 22
We currently treat HTTP form actions as "mixed content" and downgrade the indicator as we would for passive mixed content (e.g., insecure images). Going forward this may be mis-aligned with our increasing HTTP-Bad efforts. This is not a security bug, per se, but we should track this as followup work for how we handle HTTP in Chrome. I agree that HTTP-forms-on-HTTPS pages is potentially _more_ concerning than HTTP-forms-on-HTTP pages (and we downgrade the indicator to "Dangerous" in that case on form edit now). We may want to try to align this case with the HTTP page behavior at least. For comparison, I've attached screenshots of the behavior of Safari Technology Preview and Firefox Nightly. Safari downgrades the security indicator (does not show the lock icon) and displays a prompt when the user tries to submit the form with a warning. Firefox shows the lock icon, but displays a prompt when the users tries to submit. We have generally avoided warnings like this, however, but this may be rare enough to not be as concerning as other warnings would be. Unfortunately, I think then only related metric we have is our generic mixed content use counter, which doesn't distinguish the type of mixed content. I think we're planning to add metrics that would cover this case though. Per the Mixed Content spec, we have fairly wide latitude on how we handle insecure form actions (https://www.w3.org/TR/mixed-content/#requirements-forms). We may warn users, or even treat it as blockable mixed content. +cc some other folks who may have thoughts about this.
,
Oct 22
Since we don't have Chrome metrics for this yet, I did a quick check of the HTTP Archive. My query (below) indicates that potentially 2.44% of pages are HTTPS and have an HTTP form action (this might under-count because it is only root pages on those domains).
#standardSQL
SELECT
AVG(IF(has_insecure_form_action
AND STARTS_WITH(LOWER(url),
"https://"), 1, 0)) AS p_insecure_forms
FROM (
SELECT
url,
REGEXP_CONTAINS(LOWER(body),
r'action=(\"|\')?http:\/\/') AS has_insecure_form_action
FROM
`httparchive.response_bodies.2018_10_01_desktop`
WHERE
page = url )
,
Oct 22
Going through the HTMLFormElement blink code I realized we do have a blink UseCounter for mixed content forms being present. Looks like the current value is around 0.23% of navigations have one. (https://www.chromestatus.com/metrics/feature/popularity#MixedContentFormPresent)
,
Oct 22
We also have one for actual submissions, which are much lower at around 0.02%. (https://www.chromestatus.com/metrics/feature/popularity#MixedContentFormsSubmitted)
,
Nov 15
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by palmer@chromium.org
, Oct 20Components: UI>Browser>Omnibox>SecurityIndicators
Labels: Team-Security-UX OS-Chrome OS-Linux OS-Mac OS-Windows
Owner: cthomp@chromium.org
Status: Assigned (was: Unconfirmed)