pfn / passifox

Extensions to allow Chrome and Firefox (4.0+) to auto form-fill passwords from KeePass (requires KeePassHttp)
GNU General Public License v3.0

Request: Option to disable autofill if protocol is not HTTPS #655

Open CommodoreCrunch opened 6 years ago

CommodoreCrunch commented 6 years ago

For the life of me I can't find another issue on this but forgive me if this is a duplicate.

I feel security would be greatly enhanced if there was an option, nothing mandatory but an option, to disable autofilling unless the protocol of the current site is HTTPS. PassIFox and chromeIPass don't seem to care whether the protocol of the URL matches what I have in KeePass, and should I get hit with a man-in-the-middle attack that redirects me to HTTP, there's nothing preventing the attack site from harvesting my password so long as the top-level domain matches. I wouldn't hit enter on the form if I noticed this happening, but it would kind of be too late. There are plenty of JS tricks to send that password off somewhere without my input, and I suspect as password managers become more common, this isn't far-fetched.

The workaround I've been using thus far is having the HTTPS Everywhere extension, but that only works if the site is so common that the EFF recognizes it.
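The check requested above, as an added example that is not code from passifox, chromeIPass or KeePassHttp: a small autofill policy that compares the stored KeePass entry URL against the current page URL and refuses to fill when the page is not HTTPS, and separately refuses when an entry saved under https is being asked for on an http page (the downgrade case). The function names (`autofillDecision`, `hostMatches`), the `requireHttps` option and the subdomain rule are hypothetical; a real extension would take the page URL from the active tab, and a real host check would use an eTLD+1 lookup rather than a suffix match.

```javascript
// Added example, not passifox/chromeIPass code. Uses the WHATWG URL API,
// which is available both in browser extensions and in Node.js.

function parseOrNull(u) {
  try {
    return new URL(u);
  } catch {
    return null; // malformed URL: treat as "do not fill"
  }
}

// Constructed host rule (assumption): the page host must equal the stored host
// or be a subdomain of it. This is a simplification; a production check would
// compare registrable domains via the public suffix list.
function hostMatches(storedHost, pageHost) {
  return pageHost === storedHost || pageHost.endsWith('.' + storedHost);
}

/**
 * Decide whether the credential stored under entryUrl may be autofilled on
 * pageUrl. options.requireHttps is the option the issue asks for: with it on,
 * nothing is filled on a non-HTTPS page at all. Independently of that option,
 * an entry whose stored URL is https is never filled on an http page, which is
 * exactly the MITM downgrade the issue describes.
 * Returns { fill: boolean, reason: string } so the caller can log the reason.
 */
function autofillDecision(entryUrl, pageUrl, options = { requireHttps: true }) {
  const entry = parseOrNull(entryUrl);
  const page = parseOrNull(pageUrl);
  if (!entry || !page) {
    return { fill: false, reason: 'unparseable-url' };
  }
  // URL.hostname is already lower-cased and IDNA-normalised by the parser.
  if (!hostMatches(entry.hostname, page.hostname)) {
    return { fill: false, reason: 'host-mismatch' };
  }
  if (options.requireHttps && page.protocol !== 'https:') {
    return { fill: false, reason: 'page-not-https' };
  }
  if (entry.protocol === 'https:' && page.protocol === 'http:') {
    return { fill: false, reason: 'downgrade' };
  }
  return { fill: true, reason: 'ok' };
}

// Constructed sample cases (not real entries) showing the policy in action.
const samples = [
  ['https://example.com/login', 'https://example.com/login', { requireHttps: true }],
  ['https://example.com/login', 'http://example.com/login', { requireHttps: true }],
  ['https://example.com/login', 'http://example.com/login', { requireHttps: false }],
  ['http://intranet.local/login', 'http://intranet.local/login', { requireHttps: false }],
  ['https://example.com/login', 'https://example.com.evil.net/', { requireHttps: true }],
];
for (const [entry, page, opts] of samples) {
  const d = autofillDecision(entry, page, opts);
  console.log(`${page} (requireHttps=${opts.requireHttps}) -> fill=${d.fill} (${d.reason})`);
}
```

The third sample shows why the downgrade rule is worth keeping even for users who leave the option off: an entry that was saved from an https login page has no legitimate reason to be filled into an http form on the same host.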

Prophe-T commented 6 years ago

Firefox already warns you when you enter credentials without https:

[screenshot attached]

Also this project seems dead, maybe try keepasshttp-connector.