
Ability to save passwords for sites with invalid SSL certs

adipose
Occasional Visitor

See here for a bug that has been ignored by Google for 4.5 years:

https://bugs.chromium.org/p/chromium/issues/detail?id=431618

The ability to save passwords for sites is a convenience that most everyone uses. Sites that have invalid SSL certs may be less reliable sites, or even nefarious ones. But even if they are, once you have sent these sites your password, there can be no real harm in saving that password in the browser store. The Google team has entirely failed to explain how their choice to block saving these passwords does anything meaningful for security.

A more robust solution might be considered, such as refusing to autofill a password field if the site previously had a good SSL cert but now does not. Such a situation could imply a MITM attack. This would represent an increase in security. But the current "solution" does not help. The user will continue to type in their password as many times as they are asked, because they have become accustomed to the site not saving their password. If they accidentally visit a different but similarly named site, they will type in their password without realizing the site has changed. So one could argue, this design actually decreases security. The requirement to keep retyping the password will also likely result in shorter, easier to type and remember passwords, also decreasing security.

The most important requirement here is the ability for a power user to choose what behavior to permit. Devices internal to LANs, non-publicly accessible sites, and development sites may all temporarily or permanently have self-signed certs. In some cases there is no option to update the cert as the vendor chooses not to provide it (Avocent KVMs come to mind). In other cases with some effort certificate stores can be updated (VMware). The user should have a choice to override or ignore the fact that a self-signed cert exists. It doesn't need to be easy or even intuitive, as long as it can be done by a power user who needs this behavior. Firefox is the gold standard here as it allows via several clicks for the user to make an exception for such a device.

The developer who made this choice may have been well-intentioned, but the implementation is not helpful to security or usability. Google states they have higher priorities, although reverting the ill-advised code would probably only take minutes. Doing it right would take longer, but is worthwhile.

Here's hoping Microsoft can take up the challenge to make Edge better than Chrome!
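
The policy proposed in the post above (allow saving behind an explicit per-site exception, refuse autofill when a previously valid certificate turns invalid), modelled as an added example that is not part of the original post and is not any browser's actual code. The class, method names, origins and fingerprints are hypothetical and constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not a Chrome/Edge/Firefox API.
const VALID = "valid", INVALID = "invalid";

class CredentialStore {
  constructor() {
    this.saved = new Map();      // origin -> { username, password, certState, fingerprint }
    this.exceptions = new Map(); // origin -> cert fingerprint the user explicitly accepted
  }

  // Power-user override: accept one specific invalid cert for one origin.
  addException(origin, fingerprint) { this.exceptions.set(origin, fingerprint); }
  hasException(origin, cert) { return this.exceptions.get(origin) === cert.fingerprint; }

  // Saving is allowed on a valid cert, or on an invalid cert the user pinned.
  save(origin, cert, username, password) {
    if (cert.state === INVALID && !this.hasException(origin, cert)) {
      return { saved: false, reason: "invalid-cert-no-exception" };
    }
    this.saved.set(origin, { username, password, certState: cert.state, fingerprint: cert.fingerprint });
    return { saved: true, reason: cert.state === VALID ? "valid-cert" : "pinned-exception" };
  }

  // Autofill is where the downgrade check lives.
  autofill(origin, cert) {
    const entry = this.saved.get(origin);
    if (!entry) return { fill: false, reason: "no-saved-credential" };
    if (cert.state === VALID) return { fill: true, reason: "valid-cert" };
    // Saved under a good cert, now presented with a bad one: possible MITM.
    if (entry.certState === VALID) return { fill: false, reason: "cert-downgrade" };
    const pinned = entry.fingerprint === cert.fingerprint && this.hasException(origin, cert);
    return pinned ? { fill: true, reason: "pinned-exception" } : { fill: false, reason: "fingerprint-changed" };
  }
}

// Constructed scenario: a LAN device with a self-signed cert, and a public site.
function runScenario() {
  const store = new CredentialStore();
  const kvm = "https://kvm.lan.example", site = "https://portal.example";
  const selfSigned = { state: INVALID, fingerprint: "AA:01" };
  const beforeException = store.save(kvm, selfSigned, "admin", "pw").reason;
  store.addException(kvm, selfSigned.fingerprint);
  store.save(site, { state: VALID, fingerprint: "CC:03" }, "user", "pw");
  return [
    beforeException,
    store.save(kvm, selfSigned, "admin", "pw").reason,
    store.autofill(kvm, selfSigned).reason,
    store.autofill(kvm, { state: INVALID, fingerprint: "BB:02" }).reason,
    store.autofill(site, { state: INVALID, fingerprint: "DD:04" }).reason,
  ];
}
```
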

2 Replies

Great suggestions @adipose, I have forwarded this thread to our security experts.  Thank you for taking the time to offer us your feedback.  Please keep updating the builds and letting us know how you think we are doing.

@adipose Yes agree with your suggestion, MS please fix it
