Security/Features/HighlightCleartextPasswords

From MozillaWiki
< Security‎ | Features
Revision as of 23:20, 5 April 2012 by Tanvi (talk | contribs) (Created page with "{{FeatureStatus |Feature name=Highlight Cleartext Passwords |Feature stage=Draft |Feature health=OK }} {{FeatureTeam |Feature product manager=Lucas Adamski |Feature lead engineer...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Please use "Edit with form" above to edit this page.

Status

Highlight Cleartext Passwords
Stage Draft
Status `
Release target `
Health OK
Status note `

{{#set:Feature name=Highlight Cleartext Passwords

|Feature stage=Draft |Feature status=` |Feature version=` |Feature health=OK |Feature status note=` }}

Team

Product manager Lucas Adamski
Directly Responsible Individual `
Lead engineer Tanvi Vyas
Security lead `
Privacy lead `
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members `

{{#set:Feature product manager=Lucas Adamski

|Feature feature manager=` |Feature lead engineer=Tanvi Vyas |Feature security lead=` |Feature privacy lead=` |Feature localization lead=` |Feature accessibility lead=` |Feature qa lead=` |Feature ux lead=` |Feature product marketing lead=` |Feature operations lead=` |Feature additional members=` }}

Open issues/risks

`

Stage 1: Definition

1. Feature overview

Highlight passwords and other sensitive data that is not transmitted over ssl. We will focus on type=password.

2. Users & use cases

  • A user is asked to login on an http page. The login form submits to an http destination. Users password is sent in cleartext.
  • A user is asked to login on an https page. The login form submits to an http destination. Users password is sent in cleartext.
  • A user is asked to login on an http page. The login form submits to an https destination. An attacker can mitm the first request to the login page and replace the form with one that submits the password to the attackers webpage instead.

3. Dependencies

`

4. Requirements

When type=password, outline the password box in red. Also add a note to the user that occurs onfocus so they know why the form is outlined in red (perhaps utilizing Constraint Validation)

Non-goals

This item is only for type=password. Other sensitive data is captured in this feature page: https://wiki.mozilla.org/Security/Features/Identify_which_bits_are_unencrypted

Stage 2: Design

5. Functional specification

`

6. User experience design

`

Stage 3: Planning

7. Implementation plan

`

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

`

Stage 4: Development

9. Implementation

`

Stage 5: Release

10. Landing criteria

` {{#set:Feature open issues and risks=` |Feature overview=Highlight passwords and other sensitive data that is not transmitted over ssl. We will focus on type=password. |Feature users and use cases=* A user is asked to login on an http page. The login form submits to an http destination. Users password is sent in cleartext.

  • A user is asked to login on an https page. The login form submits to an http destination. Users password is sent in cleartext.
  • A user is asked to login on an http page. The login form submits to an https destination. An attacker can mitm the first request to the login page and replace the form with one that submits the password to the attackers webpage instead.

|Feature dependencies=` |Feature requirements=When type=password, outline the password box in red. Also add a note to the user that occurs onfocus so they know why the form is outlined in red (perhaps utilizing Constraint Validation) |Feature non-goals=This item is only for type=password. Other sensitive data is captured in this feature page: https://wiki.mozilla.org/Security/Features/Identify_which_bits_are_unencrypted |Feature functional spec=` |Feature ux design=` |Feature implementation plan=` |Feature security review=` |Feature privacy review=` |Feature localization review=` |Feature accessibility review=` |Feature qa review=` |Feature operations review=` |Feature implementation notes=` |Feature landing criteria=` }}

Feature details

Priority P1
Rank 999
Theme / Goal `
Roadmap Security
Secondary roadmap `
Feature list `
Project `
Engineering team Security

{{#set:Feature priority=P1

|Feature rank=999 |Feature theme=` |Feature roadmap=Security |Feature secondary roadmap=` |Feature list=` |Feature project=` |Feature engineering team=Security }}

Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `

{{#set:Feature products status=`

|Feature products notes=` |Feature engineering status=` |Feature engineering notes=` |Feature security status=` |Feature security health=` |Feature security notes=` |Feature privacy status=` |Feature privacy notes=` |Feature localization status=` |Feature localization notes=` |Feature accessibility status=` |Feature accessibility notes=` |Feature qa status=` |Feature qa notes=` |Feature ux status=` |Feature ux notes=` |Feature product marketing status=` |Feature product marketing notes=` |Feature operations status=` |Feature operations notes=` }}


Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Features/HighlightCleartextPasswords&oldid=417211"