
Filling saved HTTP logins over HTTPS for the same domain

Thanks to initiatives like Let's Encrypt (co-founded by Mozilla), adoption of HTTPS has been increasing, making the web more secure. Firefox has adapted its Login Manager to make this transition smooth for users.

Firefox's Login Manager has used strict origin matching when looking up saved logins for a website: a login saved on the HTTP version of a page (origin http://example.com) was not available to the HTTPS version (origin https://example.com), even though the host is the same. We've changed this in Firefox 49, so that logins saved on the HTTP version of a page are also available to the upgraded and more secure HTTPS version.

Without this change, a website that moved its login page to HTTPS would not have its users' existing saved HTTP logins readily available in Firefox. The insecure and secure versions of the site may look identical to users, who therefore expect their saved login to still be there. Websites also want their users to keep logging in easily after the transition to HTTPS, rather than facing a surge in account-lockout support requests. Some websites have even delayed the switch to HTTPS because of this issue.

In order to continue to help users log in, starting in Firefox 49 saved HTTP logins will be offered when visiting the HTTPS version of a site. The saved HTTP login entry is not modified when it is used on HTTPS. If a password is changed on the HTTPS version of the site, the saved login is upgraded and only used on the HTTPS origin in the future; this prevents a new password created over HTTPS from leaking to HTTP. HTTPS logins will continue to be filled only for the same origin (over HTTPS) and will never be downgraded to HTTP, since a password filled into a plaintext HTTP form can be read by anyone on the network path. These changes should help ease the transition to HTTPS.
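The matching rules above (exact origin match, HTTP-to-HTTPS upgrade for the same host, no downgrade, and upgrading the saved entry when the password is changed over HTTPS), as an added example written for this page; it is not Firefox's Login Manager code. All function and field names are hypothetical, the sample logins are constructed, and the rule that upgrades only happen between the default ports (80 to 443) is an assumption that the post does not state.

```javascript
// Added example (not Firefox's own Login Manager code): a small model of the
// origin-matching rules described above. Names are hypothetical.

// A saved login is { origin, username, password }, where origin is the
// scheme://host[:port] the login was saved on. Node's global URL normalizes this.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Can a login saved on `savedOrigin` be filled on a page at `pageOrigin`?
//  - exact origin match: always
//  - HTTP login on the HTTPS version of the same host: yes (the Firefox 49 change)
//  - HTTPS login on an HTTP page: never (no downgrade)
function canFill(savedOrigin, pageOrigin) {
  if (savedOrigin === pageOrigin) {
    return true;
  }
  const saved = new URL(savedOrigin);
  const page = new URL(pageOrigin);
  const schemeUpgrade = saved.protocol === "http:" && page.protocol === "https:";
  const sameHost = saved.hostname === page.hostname;
  // Assumption (not from the post): only upgrade between the default ports;
  // an explicit non-default port is treated as a different site.
  const defaultPorts = saved.port === "" && page.port === "";
  return schemeUpgrade && sameHost && defaultPorts;
}

// Logins to offer for the page; the saved entries themselves are not modified.
function findLogins(savedLogins, pageUrl) {
  const pageOrigin = originOf(pageUrl);
  return savedLogins.filter((l) => canFill(l.origin, pageOrigin));
}

// When a password is changed on the page, update the matching saved entry.
// If the change happened over HTTPS and the entry was saved over HTTP, the
// entry's origin is upgraded to HTTPS so the new password is never filled on HTTP.
function recordPasswordChange(savedLogins, pageUrl, username, newPassword) {
  const pageOrigin = originOf(pageUrl);
  const entry = savedLogins.find(
    (l) => l.username === username && canFill(l.origin, pageOrigin)
  );
  if (!entry) {
    return null;
  }
  entry.password = newPassword;
  if (entry.origin !== pageOrigin && new URL(pageOrigin).protocol === "https:") {
    entry.origin = pageOrigin;
  }
  return entry;
}

// Walks through the scenario from the post with constructed sample data
// (not real credentials) and returns the observable results.
function demo() {
  const saved = [
    { origin: "http://example.com", username: "alice", password: "old-pass" },
    { origin: "https://secure.example.net", username: "bob", password: "s3cret" },
  ];
  // alice's HTTP login is offered on the HTTPS page; the entry stays HTTP.
  const onHttps = findLogins(saved, "https://example.com/login").map((l) => l.username);
  const stillHttp = saved[0].origin;
  // bob's HTTPS login is never offered on the HTTP version of his site.
  const onHttp = findLogins(saved, "http://secure.example.net/login").map((l) => l.username);
  // alice changes her password over HTTPS: the entry is upgraded to the HTTPS origin
  // and is no longer filled on http://example.com.
  recordPasswordChange(saved, "https://example.com/account", "alice", "new-pass");
  const afterChange = saved[0].origin;
  const nowOnHttp = findLogins(saved, "http://example.com/login").length;
  return { onHttps, stillHttp, onHttp, afterChange, nowOnHttp };
}

console.log(demo());
```

The asymmetry is the whole point: `canFill` accepts an `http:` entry on an `https:` page but never the reverse, and the only write to a saved entry happens in `recordPasswordChange`, so merely using an HTTP login on HTTPS leaves it available on the HTTP page until the password actually changes.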

Cheers to a more secure web!
