05-02-2019 10:28 AM
See here for a bug that has been ignored by Google for 4.5 years:
The ability to save passwords for sites is a convenience that most everyone uses. Sites that have invalid SSL certs may be less reliable sites, or even nefarious ones. But even if they are, once you have sent these sites your password, there can be no real harm in saving that password in the browser store. The Google team has entirely failed to explain how their choice to block saving these passwords does anything meaningful for security.
A more robust solution might be considered, such as refusing to autofill a password field if the site previously had a good SSL cert but now does not. Such a situation could imply a MITM attack. This would represent an increase in security. But the current "solution" does not help. The user will continue to type in their password as many times as they are asked, because they have become accustomed to the site not saving their password. If they accidentally visit a different but similarly named site, they will type in their password without realizing the site has changed. So one could argue, this design actually decreases security. The requirement to keep retyping the password will also likely result in shorter, easier to type and remember passwords, also decreasing security.
The most important requirement here is the ability for a power user to choose what behavior to permit. Devices internal to LANs, non-publicly accessible sites, and development sites may all temporarily or permanently have self-signed certs. In some cases there is no option to update the cert as the vendor chooses not to provide it (Avocent KVMs come to mind). In other cases, with some effort, certificate stores can be updated (VMware). The user should have a choice to override or ignore the fact that a self-signed cert exists. It doesn't need to be easy or even intuitive, as long as it can be done by a power user who needs this behavior. Firefox is the gold standard here as it allows, via several clicks, the user to make an exception for such a device.
The developer who made this choice may have been well-intentioned, but the implementation is not helpful to security or usability. Google states they have higher priorities, although reverting the ill-advised code would probably only take minutes. Doing it right would take longer, but is worthwhile.
Here's hoping Microsoft can take up the challenge to make Edge better than Chrome!
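The "refuse to autofill after a certificate downgrade" policy sketched in this post, modelled as an added Python example (not Edge or Chrome code, and not the poster's own): it keys state by exact origin, remembers whether a trusted chain was ever seen, and distinguishes a downgrade from a device that never had a valid cert. The record fields, decision strings and origins are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed model of the thread's proposal. Saving a password the user has
# already sent adds no exposure, so only the autofill side is gated here.


@dataclass
class OriginRecord:
    seen_valid_tls: bool = False   # a trusted certificate chain was observed at least once
    user_exception: bool = False   # power user explicitly accepted this origin's cert


@dataclass
class AutofillPolicy:
    records: Dict[str, OriginRecord] = field(default_factory=dict)

    def add_exception(self, origin: str) -> None:
        """Power-user override for lab devices, KVMs and similar self-signed hosts."""
        self.records.setdefault(origin, OriginRecord()).user_exception = True

    def decide(self, origin: str, tls_valid: bool) -> str:
        """Record this visit and return the autofill decision for the origin.

        'allow'          - trusted chain now, or an explicit user exception
        'deny-downgrade' - origin had a trusted chain before but not now (possible MITM)
        'prompt'         - never had a trusted chain (e.g. an internal device); ask the user
        """
        rec = self.records.setdefault(origin, OriginRecord())
        if tls_valid:
            rec.seen_valid_tls = True
            return "allow"
        if rec.user_exception:
            return "allow"
        if rec.seen_valid_tls:
            return "deny-downgrade"
        return "prompt"
```

Because state is keyed by exact origin, a similarly named site starts with an empty record and never inherits the real site's history.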
05-02-2019 03:36 PM
Great suggestions @adipose, I have forwarded this thread to our security experts. Thank you for taking the time to offer us your feedback. Please keep updating the builds and letting us know how you think we are doing.
07-03-2020 09:09 AM
@goodwill1120 Same problem for intranet sites that are not using HTTPS. The browser used to ask to save those passwords. It no longer does. Major inconvenience.