Ability to save passwords for sites with invalid SSL certs


See here for a bug that has been ignored by Google for 4.5 years:

 

https://bugs.chromium.org/p/chromium/issues/detail?id=431618

 

The ability to save passwords for sites is a convenience that most everyone uses.  Sites that have invalid SSL certs may be less reliable sites, or even nefarious ones.  But even if they are, once you have sent these sites your password, there can be no real harm in saving that password in the browser store.  The Google team has entirely failed to explain how their choice to block saving these passwords does anything meaningful for security.

 

A more robust solution might be considered, such as refusing to autofill a password field if the site previously had a good SSL cert but now does not.  Such a situation could imply a MITM attack.  This would represent an increase in security.  But the current "solution" does not help.  The user will continue to type in their password as many times as they are asked, because they have become accustomed to the site not saving their password.  If they accidentally visit a different but similarly named site, they will type in their password without realizing the site has changed.  So one could argue, this design actually decreases security.  The requirement to keep retyping the password will also likely result in shorter, easier to type and remember passwords, also decreasing security.

 

The most important requirement here is the ability for a power user to choose what behavior to permit.  Devices internal to LANs, non-publicly accessible sites, and development sites may all temporarily or permanently have self-signed certs.  In some cases there is no option to update the cert as the vendor chooses not to provide it (Avocent KVMs come to mind).  In other cases with some effort certificate stores can be updated (VMWare).  The user should have a choice to override or ignore the fact that a self-signed cert exists.  It doesn't need to be easy or even intuitive, as long as it can be done by a power user who needs this behavior.  Firefox is the gold standard here as it allows via several clicks for the user to make an exception for such a device.

 

The developer who made this choice may have been well-intentioned, but the implementation is not helpful to security or usability.  Google states they have higher priorities, although reverting the ill-advised code would probably only take minutes.  Doing it right would take longer, but is worthwhile.

 

Here's hoping Microsoft can take up the challenge to make Edge better than Chrome!

9 Replies

Great suggestions @adipose, I have forwarded this thread to our security experts.  Thank you for taking the time to offer us your feedback.  Please keep updating the builds and letting us know how you think we are doing.

@adipose Yes agree with your suggestion, MS please fix it

@goodwill1120 Same problem for intranet sites that are not using https. The browser used to ask to save those passwords. It no longer does. Major inconvenience.

I am convinced there are bugs in the password protection and they need to be repaired.  It is getting serious when you enter the correct password it does not work causing the correct password from being accepted.

I just ran across this after upgrading to the newest version of M$ Edge, which apparently uses some sort of Chromium open source code as its base. Now sites with invalid SSL certs, because they were self-signed, are not allowed to remember username or password or save auto-login feature. This is a pain in the **bleep**, as I now have to use a different browser, or obtain valid certificates for everything I manage, which may be internal, and not exactly require a CA-signed cert. This needs to be fixed or more flexible. I even imported the self-signed cert into the user and machine certificate stores under trusted CA certificates, and it doesn't change behavior. Major PIA! It would be well-intentioned if I made you recite a secret password before you could use a key in your house door, so your house could verify it was you who had the key, but I don't think you would like me for my well-intentioned security overtures!

If the Self-Signed certificate is properly imported into the Trusted CA store, and if there are no other errors in the certificate (e.g. expired, name mismatch, etc), then the site will load without errors or security warnings in Edge, and the password manager will permit you to save the password for later use.

@ericlaw thx Eric! I confirmed this works now, per your advice! I had a typo in the name of the cert and reissued it as a self-signed cert (non-CA cert). Next I imported into the local user | Trusted Root Certification Authorities under Windows 10. And it works as expected, prompting to save passwords! Many thx, this will save me quite a bit of frustration. I don't think the guys over here know this:

 

431618 - Google Chrome does not offer to save password for https with unverified ID - chromium

 

I may make a post over there. But thx again. This is great!
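The two replies above describe the working path: the certificate has to be in the Trusted Root store and also be free of other errors such as expiry or a name mismatch. The following is an added example, not part of the original thread or of any Microsoft guidance, that checks those conditions before and after the import; the host name and file path are hypothetical placeholders.

```powershell
# Assumptions (hypothetical values): the device's certificate has already been
# exported to a DER/Base64 .cer file, and $hostName is exactly what is typed
# into the address bar.
$hostName = 'kvm01.lab.example'
$cerPath  = 'C:\certs\kvm01.cer'

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)

# Show what is about to be trusted so the thumbprint can be compared
# out-of-band with the one the device itself reports.
$cert | Format-List Subject, NotBefore, NotAfter, Thumbprint

# 1. Check everything except trust: validity period and name match under the
#    SSL policy. -AllowUntrustedRoot ignores the (expected) untrusted-root
#    error, so a $false here means the cert has one of the "other errors" and
#    importing it will not make the save-password prompt appear.
$okBeforeImport = Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName `
                                   -AllowUntrustedRoot -User
if (-not $okBeforeImport) {
    throw "Certificate is expired, not yet valid, or does not match $hostName; reissue it first."
}

# 2. Import into the current user's Trusted Root Certification Authorities
#    store. Windows shows a confirmation dialog for this store.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 3. Re-run the check without -AllowUntrustedRoot: this now also requires the
#    chain to end in a trusted root, which is the state the browser needs.
$okAfterImport = Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName -User
"Trusted and valid for ${hostName}: $okAfterImport"
```

Restart the browser after the import so it re-evaluates the certificate for the site.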

@ericlaw We are not asking for a workaround. Of course I know making my cert valid is going to solve this. The problem is there are plenty of reasons why the cert is invalid and they can be perfectly intentional (or I should say not something I consider needing a fix), so why block a feature when I know what I am really doing?

@goodwill1120: As noted immediately above, not everyone recognized that a workaround is available, and some are delighted to have one.

The problem isn't the scenario where you have decided not to fix the security threat; the problem is the scenario where the user is actively under attack and does not recognize the implications of, say, clicking through a certificate error "just to see". You can follow the conversation in https://crbug.com/431618.