Shady websites using fake password-circles font to avoid securing login forms


#1

Originally published at: https://boingboing.net/2017/11/03/shady-websites-using-fake-pass.html


#2

If my Raspberry Pi website can have a certificate and use HTTPS, then there’s no excuse for any site not to. The effort to set that up and keep it going is surely less than fiddling with these fake password fields. (My effort would approach zero if it was something that I looked at more than twice a year.)


#3

Soon all non-encrypted http connections will be automatically blacklisted by browsers. I wonder if I can do that now? Surely there must be a way to configure that or perhaps with a plugin.


#4

Fraud: Inducing someone to give you a thing of value because they reasonably relied on your knowingly-false statement.


#5

This has the fun side-effect that someone distracting you enough to walk away after you entered your password but before you pressed enter will now be able to copy-paste that sucker into any other text editor and see the password right? Where with regular password fields this is impossible afaik.


#6

Here’s one for Firefox:
https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/


#7

Amazingly clever-stupid maneuver. Never underestimate the craftiness of morons.


#8

Nice. FF is my main desktop browser and I already use NoScript and Ublock to fuck up the websites I visit so I may as well try this too.

Edit: I just discovered HTTPS Everywhere has an option to block non-encrypted requests. Neat.


#9

Which, I’m sure, happens all the time.

You forgot to say, “I’m concerned.”


#10

Regular password fields don’t really protect the password value very much except visually from prying eyes, same as this font does. You can still get at the value in a regular password field by using the .value attribute of the password field in JavaScript.

Regular password fields and this workaround essentially work the exact same way, EXCEPT for two key differences:

  1. browsers recently added a warning check if a password field is submitted over a non-encrypted http connection instead of an encrypted https connection. This workaround bypasses that warning being triggered.
  2. the values entered in this field are stored in regular form auto-complete instead of the password credentials secured one.

#1 is why it is being used. Developers want to bypass the warning until they can rewrite the code to use a secure connection.

If you want to see firsthand that regular password fields are wide open you can create a bookmark with the following code for the location, and use this bookmark to reveal any regular password field in your browser, works with all browsers:

Basically this is more a dying gasp of a certain bad programming practice than an internet breaker. The people using this workaround are doing so because they already were sending passwords insecurely, and suddenly their users were getting warnings.

Passwords should only be sent and stored securely, and the entire idea of passwords really needs some freshening because modern web security on a whole is a pretty shaky house of cards.
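The two patterns post #10 separates (a real password field submitted over plain http, which trips the browser warning, and a plain text field dressed up with a circles web font, which does not) can both be spotted statically in a page's markup. The scanner below is an added example written for this thread, not code posted by any participant; the sample HTML, the font name "dotsfont" and the hostnames are constructed for illustration. It treats a text input as a fake password field when its name or placeholder hints at a password and it is rendered in a font the page itself ships via @font-face, since no system font draws every glyph as a dot.

```javascript
// Added example: heuristic scanner for fake password fields and password
// fields posted over http. Sample HTML and font name are constructed.

const ATTR_RE = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute list of one tag into a lowercase-keyed object.
function parseAttrs(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Font families the page ships itself via @font-face (lowercased).
function webFontNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/@font-face\s*\{([^}]*)\}/gi)) {
    const fam = /font-family\s*:\s*["']?([^"';}]+)/i.exec(m[1]);
    if (fam) names.add(fam[1].trim().toLowerCase());
  }
  return names;
}

// Map CSS class name -> first font-family listed in its rule (lowercased).
function classFonts(html) {
  const fonts = new Map();
  for (const m of html.matchAll(/\.([\w-]+)\s*\{([^}]*)\}/g)) {
    const fam = /font-family\s*:\s*["']?([^"',;}]+)/i.exec(m[2]);
    if (fam) fonts.set(m[1], fam[1].trim().toLowerCase());
  }
  return fonts;
}

// Walk every <form>, resolve its action against the page URL and flag
// (a) type=password inputs posted over http, (b) text inputs that look like
// password fields and are drawn in a web font the page provides.
function scanForms(html, pageUrl) {
  const webFonts = webFontNames(html);
  const fonts = classFonts(html);
  const findings = [];
  for (const form of html.matchAll(/<form\b([^>]*)>([\s\S]*?)<\/form>/gi)) {
    const action = new URL(parseAttrs(form[1]).action || '', pageUrl);
    for (const input of form[2].matchAll(/<input\b([^>]*)>/gi)) {
      const a = parseAttrs(input[1]);
      const type = (a.type || 'text').toLowerCase();
      const name = a.name || a.id || '?';
      if (type === 'password' && action.protocol === 'http:') {
        findings.push({ kind: 'password-over-http', name, action: action.href });
        continue;
      }
      if (type !== 'text') continue;
      let font = null;
      for (const cls of (a.class || '').split(/\s+/)) {
        if (fonts.has(cls)) font = fonts.get(cls);
      }
      const inline = /font-family\s*:\s*["']?([^"',;]+)/i.exec(a.style || '');
      if (inline) font = inline[1].trim().toLowerCase();
      const hint = /pass|pwd|secret/i.test(name + ' ' + (a.placeholder || ''));
      if (font && webFonts.has(font) && hint) {
        findings.push({ kind: 'fake-password-field', name, font, action: action.href });
      }
    }
  }
  return findings;
}

// Constructed sample: form 1 uses the font trick, form 2 is a real password
// field posted over http, form 3 is the correct https version.
const SAMPLE_HTML = `
<style>
  @font-face { font-family: "dotsfont"; src: url(/fonts/dotsfont.woff); }
  .masked { font-family: "dotsfont", monospace; }
</style>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="text" name="password" class="masked" autocomplete="off">
</form>
<form action="http://legacy.example.com/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form action="https://example.com/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
`;
const PAGE_URL = 'http://www.example.com/login';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanForms(SAMPLE_HTML, PAGE_URL), null, 2));
}
```

Run with `node scan.js` and it reports the first form as a fake password field in "dotsfont" and the second as a password field posted over http; the https form produces nothing. The font heuristic is deliberately narrow: a site could reach the same effect with a system font or by masking via script, so treat a clean result as the absence of this particular trick rather than proof the login is safe.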


#11

I know I can’t just copy-paste a password now. I don’t really know what scenario this protects against; I’m guessing mostly auto-filled, remembered passwords, but I assume someone made this so with a reason.

I know I can wriggle my way around this limitation, but this requires more time and more knowledge than just copy-pasting, not a lot more, just a little.


#12

Like when a politician induces people to vote for them, then fails to follow through on their campaign promises?


#13

Is there such a thing as a font-blocker?


#14

You can set the browser to use only the fonts you specify, but then all sites you go to will use those same fonts, for whatever problems that might cause.


#15

So … no, then.

Man, browsers suck.


#16

uBlock Origin by default blocks remote fonts, so that only “web safe” fonts can be used. I sincerely doubt this font is one of them.


#17

This was either a case of a manager forcing a developer to do what they knew was wrong, or a developer thinking they’re being helpful when they’re just incompetent with security.

Developers need to be ethical and competent.


#18

Apparently not for Safari, then?


#19

Let’s encrypt. No really, https://letsencrypt.org/


#20

A Chrome extension (and Firefox etc) can override font declarations and most any other style declarations. There are examples made for folks who prefer everything in the same font, or more importantly, for folks who prefer some typefaces on account of visual impairment.

The next question is if you can override just the malicious fonts, which is a harder question to answer since loading one-off font files with no established reputation is a pretty routine way to deliver fonts.