• Michael Catanzaro's avatar
    form-auth: Store passwords for security origins, not hosts · fae52498
    Michael Catanzaro authored
    This prevents an active MITM attacker from enumerating all your saved
    passwords. The attacker will now only be able to access passwords saved
    on http:// sites. That's by design, though; users are now warned when
    focusing insecure password forms and should think twice before saving
    such passwords.
    Unfortunately this does introduce a migration issue, in that no
    previously-saved passwords will be available on https:// websites
    anymore, and all previously-saved passwords will still be enumerable by
    attackers. I'm not sure how to handle migration. We might be able to
    handle it nicely by using the history service to guess whether a
    password should be migrated from http:// to https://, but that is not a
    simple project.