group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1661805] Re: Saved passwords for HTTPS sites can be accessed by HTTP sites

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Seth Arnold <1661805@xxxxxxxxxxxxxxxxxx>
Date: Mon, 06 Feb 2017 22:41:03 -0000
Reply-to: Bug 1661805 <1661805@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Changed in: epiphany-browser (Ubuntu)
       Status: Fix Released => Incomplete

** Changed in: epiphany-browser (Ubuntu Xenial)
       Status: New => Incomplete

** Changed in: epiphany-browser (Ubuntu Yakkety)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1661805

Title:
  Saved passwords for HTTPS sites can be accessed by HTTP sites

Status in Epiphany Browser:
  Fix Released
Status in epiphany-browser package in Ubuntu:
  Incomplete
Status in epiphany-browser source package in Xenial:
  Incomplete
Status in epiphany-browser source package in Yakkety:
  Incomplete

Bug description:
  Impact
  ======
  Saved passwords are accessible by HTTP sites in epiphany 3.18.10-0ubuntu1 for Ubuntu 16.04 LTS, 3.22.5-0ubuntu0.1 for 16.10 and older versions. This means that a man-in-the-middle fake version of a website could capture your password by presenting say a fake http://facebook.com/

  This is made worse because Javascript can be used to collect filled-in
  form data even if the user has not clicked Submit yet.

  This is made worse because Epiphany doesn't yet respect the HSTS
  headers which force sites that have opted in to be only available via
  HTTPS.

  Test Case
  =========

  Regression Potential
  ====================
  Low. The fix is to move all already saved passwords to be associated with https. Users will need to enter this password in again if the site is HTTP only. This is disruptive if the only place the user has saved the password is in Epiphany. Websites should allow password reset. However, both Firefox and Chrome as of January 2017 warn users before entering passwords for http sites. Epiphany 3.24 will add that warning in its March 2017 release.

  Other Info
  ==========
  Fixed upstream in 3.18.11 and 3.22.6:
  https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-18
  https://git.gnome.org/browse/epiphany/log/?h=gnome-3-18

  https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-22
  https://git.gnome.org/browse/epiphany/log/?h=gnome-3-22

  https://mail.gnome.org/archives/distributor-
  list/2017-February/msg00000.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/epiphany-browser/+bug/1661805/+subscriptions

References

[Bug 1661805] [NEW] Saved passwords for HTTPS sites can be accessed by HTTP sites
From: Jeremy Bicha, 2017-02-04