1. re: Secure Logins (fun with Greasemonkey)

    Chris posted about Secure Logins last week. In it, he describes the confusion that exists when users cross from HTTP to HTTPS via forms.

    Chris isn't alone in noticing this problem. A few weeks ago, on the Security Now! podcast, Steve Gibson answered a user question about the same problem.

    On Chris' blog, I mentioned that this would be a good use for Greasemonkey. (If you don't know about Greasemonkey, you should definitely check it out.)

    Since then, I've had two flights, and took a little time to work out a solution to the problem.

    When you hover over a form button, image or submit input, you'll see a description of the form's action and various potential problems (onsubmit, onclick, etc.).

    It doesn't solve all "hijacking" problems, but it's not supposed to; it's just a quick indicator of where your form probably posts.

    Even if you're not interested, take a look at the source for a cool little embedded image trick.


    8 Responses

    • very nice!

      Doesn't always work, though, for example it doesn't pop up in gmail on the majority of the buttons. Probably has something to do with the fact that they're dynamically created - didn't have time to verify.

      Best regards

    • You're right; it doesn't work with most of the gmail buttons. I suspect your hypothesis about auto-generation is also correct, but I'm not sure. Feel free to send a patch (-;


    • Tom Mollerus

      2006 Jan 30 17:39

      Sean, thanks for the valuable and inspired script. I've modified mine so that it displays a greyed-out "unlocked" lock when the form isn't secure. To me, it seems better to positively indicate an insecure form with that graphic than to negatively indicate it with the absence of the lock.

      One thing I've noticed is that insecure forms embedded in pages that have been called via SSL are labelled as secure, probably because your code assigns the secure label if the document.location contains https. What was your reason for doing this?

    • [quote]insecure forms embedded in pages that have been called via SSL are labelled as secure[/quote]

      Do you have an example of this? I'm not sure what you mean.


    • Tom Mollerus

      2006 Jan 30 20:20

      Sure. Go to https://www.mystockoptions.com/ and mouseover the "Go" button of the search form in the upper left. Even though the form action is fully-qualified with http://, the script shows a lock icon because it reads the https in the document.location.href.

    • Nice catch. I tried to check for this, but I ended up with a logic error.

      The script has been updated; it should work fine now.

      Let me know if not.


    • I've used a Firefox plugin for quite a while, which does exactly what you propose:


    • Just found this script and I like it better than the Firefox plugin posted by M.

      There is a problem with the indicator appearing underneath the submit buttons on some pages (e.g. Search on Wikipedia), so I added a couple CSS fixes to the script.

      Just add a new style for each of the lockDivBG and lockDiv elements:

      I also added a focus and blur event listener, so you can just tab to the submit button and not have to hover over it with the mouse. Add these two lines under the other addEventListeners in the assign_events function:
      [code]xpath_results[n].addEventListener('blur', roll_out, true);
      xpath_results[n].addEventListener('focus', show_overlay, true);[/code]

      Hope someone finds this helpful. Thanks for the script, Sean!
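
The mixed-scheme case raised in the comments above (an http:// form action on a page loaded over HTTPS) comes down to judging the resolved action URL rather than the page's own location. The following is an added example, not the script from the post or any commenter's code; `describeFormTarget`, its parameters, the host comparison and the example.test URLs are assumptions made for illustration.

```javascript
// Added example: pure classification logic, no DOM required.
// describeFormTarget and its parameter names are hypothetical.
function describeFormTarget(pageUrl, actionAttr, handlers = {}) {
  const warnings = [];
  let page, target;
  try {
    page = new URL(pageUrl);
    // An empty or missing action posts back to the page itself;
    // a relative action inherits the page's scheme and host.
    target = new URL(actionAttr || '', page);
  } catch (e) {
    return { target: null, secure: false, warnings: ['unparseable URL'] };
  }
  // Decide on the resolved action, never on the page's own scheme.
  const secure = target.protocol === 'https:';
  if (page.protocol === 'https:' && !secure) {
    warnings.push('HTTPS page posts to a non-HTTPS target');
  }
  const isHttp = target.protocol === 'http:' || target.protocol === 'https:';
  if (!isHttp) {
    warnings.push('non-HTTP action scheme: ' + target.protocol);
  } else if (target.host !== page.host) {
    warnings.push('posts to a different host: ' + target.host);
  }
  // Script handlers can change the action or the values before submission.
  for (const name of ['onsubmit', 'onclick']) {
    if (handlers[name]) warnings.push(name + ' handler present');
  }
  return { target: target.href, secure, warnings };
}

// Constructed sample forms (example.test hosts are placeholders).
const samples = [
  ['https://shop.example.test/home', 'http://shop.example.test/search', {}],
  ['http://shop.example.test/', 'https://login.example.test/auth', { onsubmit: 'check()' }],
  ['https://shop.example.test/account/', 'update', {}],
];
for (const [page, action, handlers] of samples) {
  console.log(page, '->', describeFormTarget(page, action, handlers));
}
```

In a userscript, the same function would be fed `document.location.href`, the form's `action` attribute and the presence of its `onsubmit`/`onclick` attributes.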