Wish: Warn about non-secure signup & login (i.e., not HTTPS)

Ward
Ward
Community Member
I just discovered that an until-now trusted website does not use secure (HTTPS) pages for signup and login. In the early days of the secure Web, I was diligent about checking for HTTPS URLs. But my security radar has fallen into disrepair because secure pages have become standard operating procedure.

I'm writing to ask 1Password to help me be more aware of website security, e.g., warn me when I'm about to enter a username & password into an HTTP page.

I did a quick check of the 400+ Login entries in my 1Password database -- approximately half of them have HTTP URLs. For example, the insecure half includes my login to the Agile forums.

The importance of secure signup & login depends on the site. It's essential for my credit union, hosting service & Gmail and less important for other sites. So there'd need to be way to disable security warnings for specific sites, either at initial signup or when using 1Password to login.

Update:

After adding this topic, I received assurance from my trusted site that their login IS secure -- the login form on their HTTP page does a post to a secure HTTPS URL.

This means it would be extremely helpful if 1Password could be "looking under the covers" during signup and login.

-- Ward

Comments

  • flambino
    flambino
    Community Member
    edited April 2011
    brenty wrote:

    So to address your wish directly, I have to say that at Agile we try to focus our efforts on 1Password's core functionality -- all the stuff that's really great and unique about 1Password -- and leave the rest to other folks, to do what they do best. So while we won't rule it out completely, this really isn't something that's likely to happen in the near future.


    Just an idea: Perhaps 1Password could just show an icon for logins with HTTPS URIs, much like the little padlock icon browsers use already. Or perhaps it'd be better to show a little warning icon for logins that are not HTTPS?
    It's not as comprehensive as Ward's suggestion (which I wholeheartedly second, by the way!) of proactively checking forms and warning; it'd just be a passive reminder to the user. But that's helpful too and - I suspect - it'd be simple to implement.

    I suggested elsewhere that an overall "audit" feature in 1Password would be awesome (i.e. something that looks for iffy logins where passwords or username/password combos have been reused and such), and the addition of checking for HTTPS would be cool in that context too. Along with password-reuse and general password entropy checks, you'd get a pretty quick overview of you "exposure". But that's a wider-ranging thing. Much of the functionality can be duplicated using Smart Folders of course, but having it built in would raise awareness (and it'd just be easier). Plus, even the vigilant users might forget to check for some issues; like Ward, I too had forgotten to check for HTTPS on some of my logins.
  • flambino
    flambino
    Community Member
    brenty wrote:

    Something to consider, though: Websites change all the time and can pretty much do whatever they want regardless of the URL you request. [...] So 1Password telling you that a particular Login is secure means nothing, essentially, when the site can just redirect you to an insecure page. <_<


    True. Hadn't considered that. In some ways it's probably better to not have an icon at all then. False sense of security is (almost) worse than bad security.
    Or rather, the half-way solution of just checking the URL isn't good enough - you'd have to do what Ward suggested and check both login page and the URL the forms posts too. Go big or don't go at all :)

    brenty wrote:

    you beat me to the punch there...and then made a brilliant point


    Yeah... I do that a lot B)

    brenty wrote:

    Awareness is huge for casual users, and, as you point out, power users could use a kick in the pants too from time to time. Thank you for raising this issue, and, by extension, raising my awareness that awareness itself is a noble pursuit! :)


    You're quite welcome :)
    Things like icons or other callouts can do a lot, even if you don't understand their meaning at first. Just the fact that some items in a collection get called out while others don't sets the mind working on why that is, what it could mean, and so forth. And, in the context of security, whether the callout is a good or bad thing. Games are actually really good doing this sort of "teaching", since the player needs to be taught what to do and what's going on, but the game can't directly give it away either. Obviously, something that isn't a game can just explain what's going on, but it can be become a crutch too. The documentation should still explain it of course, but few people want to be explicitly taught and told what's good for them. Saying RTFM doens't really work :)

    For myself, I created tons of smart folders in 1Password for things like reused passwords, non-HTTPS logins and of course different levels of password strength. My "game" then became to get all the "bad" folders down to zero items. (I could do the same with the default "Unfiled" folder, but I use tags and Smart Folders for almost everything and bypass the normal folder system). Had 1Password come with a built-in Smart Folder or similar that listed all the "bad" logins you have, I suspect many people would make it their "game" to understand what the selection criteria for the folder are and how to get it emptied. That'd raise awareness and teach people without trying to sit them down and explain things. Especially if the folder's name and/or icon clearly communicated that "here be bad stuff" :)

    As you say, it may seem frivolous or even "cheap", but when done right it can mean a lot. And it'll always be more subtle and less frivolous than saying RTFM :)
  • khad
    khad
    1Password Alumni
    edited April 2011
    1Password telling you that a particular Login is secure means nothing, essentially, when the site can just redirect you to an insecure page.

    I think this is the primary reason it would not be advantageous to add this feature, but there may be another way to do it. I like the way you describe it as a game, flambino. :-)

    The trick would be determining what constituted a "bad" or somehow "less secure" login. http vs https is out, and password strength can often not be changed for some logins. For example, I have some passwords saved for logins which are shared with other people. It is not up to me to change them. I have the technical authority but not sociopolitical. Those ones would drive me crazy in that theoretical Smart Folder. :lol:
  • flambino
    flambino
    Community Member
    edited April 2011
    khad wrote:

    The trick would be determining what constituted a "bad" or somehow "less secure" login. http vs https is out, and password strength can often not be changed for some logins. For example, I have some passwords saved for logins which are shared with other people. It is not up to me to change them. I have the technical authority but not sociopolitical. Those ones would drive me crazy in that theoretical Smart Folder. :lol:


    Yeah, that'd drive me crazy too, now that you mention it. I hate lacking sociopolitical authority! <_<

    I have some shared logins as well, so they're still in the folders I'd like to be empty. Since I've set the criteria for the folder myself, I understand why they're there, and I can tweak the criteria to remove them. It'd likely be much more annoying if I hadn't created the folder myself, and couldn't empty it either.

    I suppose the folder could be shown/hidden via a preference item, but that's not very elegant. Alternatively, there could be a "yes, I'm aware this login isn't the greatest, but stop bugging me!" flag to let you get stuff out of the folder without really changing anything. That's not very neat either, but it's not too far removed from the "save master password in keychain" warning you already get on OS X. Yes, you can do that, but understand the consequences, etc.
    Or there could simply be a way to exclude items tagged with xyz from the folder.

    Perhaps it's better for it to be a separate function you could run on demand, and which would list the "issues" it finds. Smart folders would of course update automagically and all that, but you'd also always have them there, annoying you with their item counts. Meanwhile the "find issues" function (which should be called something better) would only show you something when you ask for it, but just having it there would still raise awareness and hopefully encourage usage. Even if you have your own little "game" already.
  • khad
    khad
    1Password Alumni
    Perhaps it's better for it to be a separate function you could run on demand, and which would list the "issues" it finds.

    I like that idea. A sort of "Password Audit Assistant" or something. I think that would be a good balance between being "in your face" and too hands-off. That is to say, my mom and dad could run the assistant, but they would not be staring at some Smart Folders so much that they end up just ignoring them anyway. ;-)

    I like that game much better.

    In the meantime, since the feature does not yet exist in 1Password, we power users will continue to handcraft our Smart Folders and educate our moms and dads. :-D
  • flambino
    flambino
    Community Member
    khad wrote:

    That is to say, my mom and dad could run the assistant, but they would not be staring at some Smart Folders so much that they end up just ignoring them anyway. ;-)


    Very true. I'm already ignoring the "Unfiled" folder.
    It's probably pretty crucial that you've created the folder system (or run the theoretical function) yourself. Otherwise you're just not that invested in it.

    khad wrote:

    In the meantime, since the feature does not yet exist in 1Password, we power users will continue to handcraft our Smart Folders and educate our moms and dads. :-D


    Doin' my best already ;)
  • khad
    khad
    1Password Alumni
    edited April 2011
    Very true. I'm already ignoring the "Unfiled" folder.

    The "Unfiled" Smart Folder has actually been removed in the beta channel and folder search criteria has been added in order to allow folks to recreate the folder — or, better yet, a personalized variation of it — for some of the exact reasons outlined above. :-)
  • I've created a new login in 1Password for a website, specifically a Wordpress site. I normally only login to the administration console using https so I created the login using the URL of https://blog.foo.com. This is the only login for the site recorded in 1Password.

    I found that when I navigate to the site using http I am still allowed through the "Fill & Submit" feature for Safari to fill in my username and password even though it's not over https. Is there a way to control this through 1Password? I did a few searches but wasn't able to find anything regarding this.

    What I'd like is for 1Password "Fill & Submit" to not show a possible match to the http URL of the site since I created the login entry specifically using https.

    Thanks for any help or pointers.

    Josh
  • khad
    khad
    1Password Alumni
    Hey Josh,

    Thanks for your interest in this. I have merged your post with the appropriate thread. :-)

    Is there a reason you would not always use a secure connection?

    Please do read through the thread above and let me know if you have any additional questions or concerns.

    We are always here to help!
  • joutwate
    edited May 2011
    khad wrote:

    Hey Josh,

    Thanks for your interest in this. I have merged your post with the appropriate thread. :-)

    Is there a reason you would not always use a secure connection?

    Please do read through the thread above and let me know if you have any additional questions or concerns.

    We are always here to help!


    Thanks for merging my question to this thread. Though I read the thread fully I may be missing a few things so apologies if I'm being repetitive.

    There's definitely no reason for me to not use a secure connection all the time. However many sites are hosted using both http and https. Hence the reason I created the 1Password login entry with https specifically. I was hoping that if I accidentally connected to the site using http instead of https that 1Password would not show the "Fill & Submit" for that login since the protocol does not match the one I created the login for.

    Normally I connect to sites using "Go & Fill" however sometimes I don't. If I use "Go & Fill" I know I will always go to the specific site, including protocol, that I want to get to. Unfortunately I don't always use that particular method since it pops open a new window when I have a perfectly good one in front of me that's already at the site I want to log into.

    I guess ultimately what I am hoping for is that since I specifically created a login in 1Password using https it would recognize that I am trying to be more secure and not match those credentials to non-https sites when presenting options for "Fill & Submit". I do however recognize this would add a lot of confusion to general users who may not understand this difference. What about a checkbox option in the login that I create for 1Password that says "Restrict to specific protocol" or "Restrict to https"? This would put the burden on me and other users rather than making a generic or blanket change that would affect everyone. I understand that behind the scenes the site I'm connecting to can throw around my credentials as much as it likes using secure or insecure means but that's simply something out of my or your control. I'm not asking for 1Password to read into the sites or validate them as secure. I only want to make sure that the URL I connect to is the one that I expected to connect to.

    EIther way, it sounds like I have a workaround to my problem by using HTTPS Everywhere or No Script to keep me on the straight and narrow. If my suggestion above makes any sense, cool. If not then, Doh!

    I appreciate the help and the pointers.
  • khad
    khad
    1Password Alumni
    Thanks for the clarification. I should also clarify that I have passed this along to the developers for consideration in a future version.

    It is a bit tricky for 1Password to monitor the security of your connection, since, as Ward mentions in his update to the original post, some sites are using a mix of secure and insecure elements. This is perhaps best analyzed on the level of the browser which has greater access and control over this sort of information. It would be easy for 1Password to simply look for https in the URL, but that wouldn't be proof that the form on the page was using a secure connection when you submit it. We tend to avoid features which only appear secure on the surface but are nothing more than "security theater."

    I think the browser is much better positioned to give you the sort of feedback and guidance you are requesting in this particular case, but we never say "never." :-)

    Cheers,
This discussion has been closed.