Forum Discussion

adipose
Brass Contributor
May 02, 2019

Ability to save passwords for sites with invalid SSL certs

See here for a bug that has been ignored by Google for 4.5 years:


https://bugs.chromium.org/p/chromium/issues/detail?id=431618


The ability to save passwords for sites is a convenience that most everyone uses.  Sites that have invalid SSL certs may be less reliable sites, or even nefarious ones.  But even if they are, once you have sent these sites your password, there can be no real harm in saving that password in the browser store.  The Google team has entirely failed to explain how their choice to block saving these passwords does anything meaningful for security.


A more robust solution might be considered, such as refusing to autofill a password field if the site previously had a good SSL cert but now does not.  Such a situation could imply a MITM attack.  This would represent an increase in security.  But the current "solution" does not help.  The user will continue to type in their password as many times as they are asked, because they have become accustomed to the site not saving their password.  If they accidentally visit a different but similarly named site, they will type in their password without realizing the site has changed.  So one could argue, this design actually decreases security.  The requirement to keep retyping the password will also likely result in shorter, easier to type and remember passwords, also decreasing security.


The most important requirement here is the ability for a power user to choose what behavior to permit.  Devices internal to LANs, non-publicly accessible sites, and development sites may all temporarily or permanently have self-signed certs.  In some cases there is no option to update the cert as the vendor chooses not to provide it (Avocent KVMs come to mind).  In other cases with some effort certificate stores can be updated (VMWare).  The user should have a choice to override or ignore the fact that a self-signed cert exists.  It doesn't need to be easy or even intuitive, as long as it can be done by a power user who needs this behavior.  Firefox is the gold standard here as it allows via several clicks for the user to make an exception for such a device.


The developer who made this choice may have been well-intentioned, but the implementation is not helpful to security or usability.  Google states they have higher priorities, although reverting the ill-advised code would probably only take minutes.  Doing it right would take longer, but is worthwhile.


Here's hoping Microsoft can take up the challenge to make Edge better than Chrome!

    • henrik32259
      Brass Contributor

      goodwill1120 Same problem for intranet sites that are not using https. The browser used to ask to save those passwords. It no longer does. Major inconvenience.

  • Great suggestions adipose, I have forwarded this thread to our security experts.  Thank you for taking the time to offer us your feedback.  Please keep updating the builds and letting us know how you think we are doing.

  • I am convinced there are bugs in the password protection and they need to be repaired.  It is getting serious when you enter the correct password and it does not work, preventing the correct password from being accepted.

  • wr-pdx
    Copper Contributor

    I just ran across this after upgrading to the newest version of M$ Edge, which apparently uses some sort of Chromium open source code as its base. Now sites with invalid SSL certs, because they were self-signed, are not allowed to remember username or password or save the auto-login feature. This is a pain in the **bleep**, as I now have to use a different browser, or obtain valid certificates for everything I manage, which may be internal, and not exactly require a CA-signed cert. This needs to be fixed or made more flexible. I even imported the self-signed cert into the user and machine certificate stores under trusted CA certificates, and it doesn't change behavior. Major PIA! It would be well-intentioned if I made you recite a secret password before you could use a key in your house door, so your house could verify it was you who had the key, but I don't think you would like me for my well-intentioned security overtures!

    • Eric_Lawrence
      Microsoft
      If the Self-Signed certificate is properly imported into the Trusted CA store, and if there are no other errors in the certificate (e.g. expired, name mismatch, etc), then the site will load without errors or security warnings in Edge, and the password manager will permit you to save the password for later use.
      • goodwill1120
        Copper Contributor

        Eric_Lawrence We are not asking for a workaround. Of course I know making my cert valid is going to solve this. The problem is there are plenty of reasons why the cert is invalid and they can be perfectly intentional (or I should say not something I consider needs to be fixed), so why block a feature when I know what I am really doing?
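Eric_Lawrence's reply above names three independent conditions a self-signed certificate has to satisfy before the browser treats the site as error-free: the certificate must be in the trusted CA store, it must be within its validity period, and its name must match the host being visited. The Go program below is an added example, not code from this thread, from Edge or from Chromium; it uses the standard library's x509 verifier, which applies the same three rules, to show which condition fails in each situation the thread discusses, including the common case where the certificate was imported correctly but the device is browsed by an IP address that is not listed in the certificate. The host name kvm.lab.internal, the IP 192.0.2.10 and the self-signed certificate are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Reason is the single condition that blocked acceptance, mirroring the
// three cases named in the thread (trust, validity period, name match).
type Reason string

const (
	OK            Reason = "ok: no certificate errors"
	UntrustedRoot Reason = "untrusted: certificate is not in the trusted CA store"
	Expired       Reason = "expired: outside the certificate's validity period"
	NameMismatch  Reason = "name mismatch: host is not among the certificate's names"
	Other         Reason = "other certificate error"
)

// makeSelfSigned builds a self-signed server certificate for dnsName, the
// kind an internal appliance or lab VM presents. Constructed test data.
func makeSelfSigned(dnsName string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName}, // no IP SAN on purpose
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify runs the same checks a browser runs (trust chain against the
// given store, validity at time now, hostname against SANs) and reports
// which one failed first.
func classify(cert *x509.Certificate, trusted *x509.CertPool, host string, now time.Time) Reason {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       trusted,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var (
		ua x509.UnknownAuthorityError
		he x509.HostnameError
		ci x509.CertificateInvalidError
	)
	switch {
	case err == nil:
		return OK
	case errors.As(err, &ua):
		return UntrustedRoot
	case errors.As(err, &he):
		return NameMismatch
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return Expired
	default:
		return Other
	}
}

// Scenarios evaluates one constructed certificate under the situations the
// thread describes and returns the verdict for each.
func Scenarios() (map[string]Reason, error) {
	now := time.Now()
	host := "kvm.lab.internal" // constructed
	cert, err := makeSelfSigned(host, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		return nil, err
	}
	empty := x509.NewCertPool()   // store without the self-signed cert
	trusted := x509.NewCertPool() // store after importing it as a trusted root
	trusted.AddCert(cert)
	return map[string]Reason{
		"self-signed, not imported":          classify(cert, empty, host, now),
		"imported into trusted CA store":     classify(cert, trusted, host, now),
		"imported, but browsed by IP":        classify(cert, trusted, "192.0.2.10", now), // constructed IP, not in the SANs
		"imported, but certificate expired":  classify(cert, trusted, host, now.Add(48*time.Hour)),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for scenario, verdict := range results {
		fmt.Printf("%-36s -> %s\n", scenario, verdict)
	}
}
```

Only the second scenario yields a clean load; importing the certificate fixes the trust check but does nothing for the expiry or name checks, which is why a correctly imported self-signed certificate can still appear to "not change behavior" when the device is reached by an address the certificate does not name.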
