Hello Tanvi,
I already knew about this setting; it highlights Mozilla's desire to
keep the autofill feature active as much as possible, even if this means
security trade-offs:
- Initial issue: autofill fills credentials even on forms submitting to
unusual third-party websites. Some people expressed concerns that
the autofill feature should be disabled, but instead Firefox was modified
to more closely scrutinize the authentication form's submission URL before
automatically filling it.
- Then it appeared that an attacker in control of the DNS answers can
keep the original URL while still redirecting the automatic
authentication form submission to their own servers, so the setting you
mention was added to limit autofilling to HTTPS forms.
- Then it appeared that JavaScript can be used to change the submission
URL once the authentication form has been automatically filled. I've
just checked with Firefox 52.4.0 on Debian Linux, and Firefox is still
vulnerable to this attack: an attacker just has to change the submission
URL after Firefox has automatically filled the user's credentials to send them to
any arbitrary HTTPS URL (frankly, I thought this was solved a long time
ago, and it reinforces my opinion even more).
- Even if Firefox were modified to handle automatically filled
authentication forms as a special case and make some properties
read-only from JavaScript, potentially breaking some websites along the
way, this wouldn't prevent attacks relying on malicious or leaked CA
certificates, for instance, plus any additional techniques beyond the ones
mentioned above, which most likely *will* be discovered in the future as
long as browsers provide such functionality.
In my opinion, as a rule, a web page should *never* be able to
automatically extract sensitive information from the browser's database
without the user's consent.
- You can try to filter the form and submission URLs, the protocols, the
JavaScript methods, server certificates and I don't know what else, and
still leave gaping holes in the process.
- Or you can simply require the user to click on an authentication form
to fill it. Problem solved.
In my opinion, the second option is both more secure, easier to
implement and more user-friendly. But that's just my opinion.
Regards,
Simon.
--
WhiteWinterWolf
https://www.whitewinterwolf.com
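The message above enumerates the checks that were bolted onto autofill one by one (scrutinize the submission URL, restrict to HTTPS forms, and the still-open case of the action being rewritten by script after fill) and contrasts them with simply requiring a user click. The following is an added example, not code from the message's author or from Firefox: a pure-function model of those checks that runs offline in Node with the built-in URL class and touches no real browser or DOM. The function name, the event fields and the sample origins are this example's own assumptions. It is useful mainly for seeing the scope of what URL-level checks can and cannot see: a certificate issued by a compromised CA, which the message also raises, is invisible to every check below.

```javascript
// Added example, not code from the original message or from Firefox.
// Models the autofill submission checks as a pure function over constructed
// events; the names below (isAutofillSubmitAllowed, event fields) are assumptions.

function isAutofillSubmitAllowed(event, policy = { httpsOnly: true, requireClickToFill: false }) {
  const { pageOrigin, actionAtFill, actionAtSubmit, userClickedToFill = false } = event;
  const reasons = [];
  // Resolve possibly relative form actions against the page the credentials were saved for.
  const fillUrl = new URL(actionAtFill, pageOrigin);
  const submitUrl = new URL(actionAtSubmit, pageOrigin);

  // Check 1: the submission target must stay on the origin the credentials belong to.
  if (submitUrl.origin !== pageOrigin) reasons.push('cross-origin-action');
  // Check 2: the HTTPS-only setting discussed in the message.
  if (policy.httpsOnly && submitUrl.protocol !== 'https:') reasons.push('not-https');
  // Check 3: the action was rewritten (e.g. by script) between fill time and submit time.
  if (submitUrl.href !== fillUrl.href) reasons.push('action-changed-after-fill');
  // Check 4: the message's preferred alternative, fill only after an explicit user click.
  if (policy.requireClickToFill && !userClickedToFill) reasons.push('no-user-gesture');

  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample events; the hostnames are placeholders, not real sites.
const SAMPLES = {
  legitimate: {
    pageOrigin: 'https://bank.example', actionAtFill: '/login', actionAtSubmit: '/login',
  },
  rewrittenByScript: {
    pageOrigin: 'https://bank.example', actionAtFill: '/login',
    actionAtSubmit: 'https://attacker.example/collect',
  },
  downgradedToHttp: {
    pageOrigin: 'https://bank.example', actionAtFill: '/login',
    actionAtSubmit: 'http://bank.example/login',
  },
};

// Evaluate every sample under the default policy and return the verdicts by name.
function evaluateSamples() {
  const out = {};
  for (const [name, ev] of Object.entries(SAMPLES)) out[name] = isAutofillSubmitAllowed(ev);
  return out;
}

console.log(JSON.stringify(evaluateSamples(), null, 2));
```

Running the block prints one verdict per sample: the legitimate form passes, the script-rewritten action trips both the cross-origin and the changed-after-fill checks, and the plaintext downgrade trips the HTTPS check as well. Switching `requireClickToFill` on blocks every sample that lacks `userClickedToFill: true`, which is the whole of the second option in the message: one gesture check instead of a growing list of URL-level ones.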