Can we fix "insecure form" completion warning?

Tell us what features would make LastPass even better and vote for features that are most important to you

Moderators: admin, anatoly_LP, chantieLP, robyn, JoeSiegrist

Can we fix "insecure form" completion warning?

Postby simonwaters373 » Fri Jun 16, 2017 11:51 am

I appreciate this is a difficult one, but I think the idea of a warning like this is a good one.

However the current warning has too many false positives, so people will get alert fatigue and ignore it when it is correct.

It would be more useful to reduce the false positive rate and only report when the plugin is confident something bad is happening.

In particular:

Before completing a password into a page served over HTTP.

Submission of form with password field where the action is clearly over an unencrypted channel (Mailto:, http:// etc).

It seems to trigger when some combination of "method" or "action" are omitted, and some JavaScript is going to complete the submission for you.

My example would be:

The password submission form tag is "<form>", and triggers a warning.

Whilst there is plenty wrong with the BitDefender's web server configuration, the username and password are encrypted and go out via XHR over HTTPS with some inhouse encryption applied on top of the regular HTTPS, so nothing in practice that justifies the warning.

Stop the false positives....
Posts: 12
Joined: Wed Mar 19, 2014 6:07 am

Re: Can we fix "insecure form" completion warning?

Postby jpenny84 » Fri Jun 16, 2017 12:13 pm

That feature is prone to false positives which is why it's disabled by default. If the site can be trusted, the warning can be ignored. See FAQ:
Posts: 9071
Joined: Tue Mar 06, 2012 9:10 pm

Re: Can we fix "insecure form" completion warning?

Postby simonwaters373 » Fri Jun 16, 2017 12:27 pm

Yes I know it can be disabled, and ignored, but then I don't get warned for an insecure form, or I ignore the warning.

I would rather they look at the code and improve it. There are common cases which can be detected with high degree of confidence, and I would rather they went over those.

Where a page is loaded over HTTPS and has no attributes on the login form tag, you can be fairly confident it is safe, or the browser will issue a warning.

Contrastingly LastPass happily completes the username and password on a form which is served over HTTP only without warning.

So it is not even really false positives, the code is basically broken.
Posts: 12
Joined: Wed Mar 19, 2014 6:07 am

Re: Can we fix "insecure form" completion warning?

Postby David206 » Fri Oct 11, 2019 7:49 am

As I already posted on similar complaints:

Using the GET method causes the "insecure page" warning. But this is a misunderstanding: when a site is protected by TLS and a valid certificate, GET is just as secure as POST, especially if the GET URL itself contains no insecure information, which is usually the case with secure sites.

For this reason, the logic behind the "insecure page" warning should be changed. It should simply detect whether the site is being addressed via HTTP or HTTPS. That is all that is needed, and there won't be any "false positives" or negatives.

A secure site should not generate an "insecure page" warning. In short, it's a bug, and LastPass should fix it.

Until it is fixed, I have disabled the "Warn before filling insecure forms" option in my browser extension at popup menu > Account Options > Extension Preferences > Advanced and I recommend that others do the same. Before you submit any form, check in your browser's address bar and make sure it contains a "lock" icon, indicating a secure connection.

David Spector
Springtime Software
Posts: 26
Joined: Tue Apr 09, 2013 11:27 am

Return to Feature Requests

Who is online

Users browsing this forum: No registered users and 21 guests