I once heard someone lament that as soon as a user does a web search and the browser asks “you’re submitting information that’s not encrypted, do you want us to warn you about this in the future?” the user invariably says, “no, I don’t care.”
And that’s unfortunate because it means that if the user happens upon a web site that doesn’t force them to use https, then that user might accidentally submit their username and password over an insecure connection and the web browser isn’t able to warn them about it.
My question is, why couldn’t browsers add this additional check: “Show a warning dialog when I submit passwords that are not encrypted?” It’s as simple as checking if the HTML form performing the HTTP POST contains an <input type="password"/> input box. In fact, you could just modify the current check for submitting unencrypted information to only warn if there is a password field, because that check is pretty useless as-is.
Can anyone think of any reason NOT to do this? I’ll file a feature request in Firefox Bugzilla if people think it’s a good idea.
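The check proposed above, sketched as an added example (not code from this post or from any browser): warn only when a form contains a password field and its resolved submission target is not https. The form shape `{ action, fields }`, the function names and the `example.test` URLs are assumptions made for illustration, and the check goes slightly beyond the post by ignoring the HTTP method, since a GET form would send the password unencrypted as well.

```javascript
// Added illustration; names and the form shape are hypothetical, not a browser API.
// form: { action: string | undefined, fields: [{ type: string }] }

// Resolve the form's action against the page URL, as a browser would.
// An empty or missing action submits to the page's own URL.
function resolveTarget(form, pageUrl) {
  return new URL((form.action || "").trim(), pageUrl);
}

// True if any field is a password input (the type attribute is case-insensitive).
function hasPasswordField(form) {
  return (form.fields || []).some(
    (f) => String(f.type || "text").toLowerCase() === "password"
  );
}

// The proposed rule: stay silent for ordinary forms such as searches,
// warn only when a password would leave the browser unencrypted.
function shouldWarn(form, pageUrl) {
  if (!hasPasswordField(form)) return false;
  return resolveTarget(form, pageUrl).protocol !== "https:";
}

// Constructed sample forms (not taken from any real site).
const samples = [
  { name: "search on http page", page: "http://example.test/",
    form: { action: "/search", fields: [{ type: "text" }] } },
  { name: "login on http page, relative action", page: "http://example.test/login",
    form: { action: "/session", fields: [{ type: "text" }, { type: "password" }] } },
  { name: "login on https page, relative action", page: "https://example.test/login",
    form: { action: "/session", fields: [{ type: "password" }] } },
  { name: "https page posting to http target", page: "https://example.test/login",
    form: { action: "http://example.test/session", fields: [{ type: "password" }] } },
  { name: "http page, no action attribute", page: "http://example.test/login",
    form: { fields: [{ type: "PASSWORD" }] } },
];

for (const s of samples) {
  console.log(`${s.name}: ${shouldWarn(s.form, s.page) ? "WARN" : "ok"}`);
}
```

The fourth sample is the case a check on the page's own scheme would miss: the login page is served over https, but the form's action sends the password to an http URL.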