On Wed, Apr 11, 2012 at 10:54 AM, Jesse Ruderman <jruder...@gmail.com> wrote:
> A wifi MITM attacker can steal all the passwords you have saved on
> http sites, by sending you to fake versions of each site and watching
> what the browser fills into the form.

Last I had the misfortune to be able to check, Firefox was happy to
perform autofill on a non-EV-https site using passwords remembered
when the site used EV-https. Thus, EV doesn't protect against
advanced MITM that can fake non-EV certs. (Dunno how important this
concern is. That is, I don't know how realistic it is for a MITM to
gain the capability to fake non-EV certificates but not to gain the
capability to fake EV certificates.)

> 6) When connected to an untrusted wireless network, don't fill in passwords.

Would the user have to mark certain wireless networks as trusted?
After all, an encrypted wireless network could be operated by an
untrusted party such as a hotel.

It would be great if Firefox detected captive portals, though.  It's
super-annoying to lose session state because restored tabs start
loading before you've logged in to a captive portal.

-- 
Henri Sivonen
hsivo...@iki.fi
http://hsivonen.iki.fi/
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
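
An added example, not part of the original message and not Firefox's password manager code: a sketch of an autofill policy that records the connection security level when a password is saved and refuses to fill on a downgrade (EV to non-EV, https to http), with network trust coming only from an explicit user mark. All names are hypothetical, and applying proposal 6 to plaintext http pages only is an assumption.

```javascript
// Added illustration: hypothetical names, not Firefox's password manager API.
// Connection security levels, weakest to strongest.
const LEVEL = new Map([["http", 0], ["https-dv", 1], ["https-ev", 2]]);

// A network counts as trusted only if the user marked it so; link-layer
// encryption alone (e.g. a hotel's encrypted wifi) does not imply trust.
function networkTrusted(network) {
  return network.userTrusted === true;
}

// saved: { host, level } as recorded when the password was stored.
// page:  { host, level } as presented by the current connection.
function autofillDecision(saved, page, network) {
  if (saved.host !== page.host) {
    return { fill: false, reason: "host-mismatch" };
  }
  if (!LEVEL.has(saved.level) || !LEVEL.has(page.level)) {
    return { fill: false, reason: "unknown-level" };
  }
  // Refuse when the page is weaker than at save time
  // (EV -> non-EV, or https -> http).
  if (LEVEL.get(page.level) < LEVEL.get(saved.level)) {
    return { fill: false, reason: "security-downgrade" };
  }
  // Assumption: proposal 6 is applied to plaintext http pages only.
  if (page.level === "http" && !networkTrusted(network)) {
    return { fill: false, reason: "untrusted-network" };
  }
  return { fill: true, reason: "ok" };
}

// Constructed sample inputs.
const hotel = { encrypted: true, userTrusted: false };
const home = { encrypted: true, userTrusted: true };
const evSaved = { host: "bank.example", level: "https-ev" };
const httpSaved = { host: "forum.example", level: "http" };
const cases = [
  [evSaved, { host: "bank.example", level: "https-dv" }, home],
  [httpSaved, { host: "forum.example", level: "http" }, hotel],
  [httpSaved, { host: "forum.example", level: "http" }, home],
];
for (const [saved, page, net] of cases) {
  console.log(page.host, page.level, autofillDecision(saved, page, net).reason);
}
```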
