2

My password manager is giving me a warning when I go to certain sites. They say if I think I can trust the site to go ahead and use it .... this leaves me concerned I'll miss something.

The pop-up warning I get when I go the sign-in page on the site: "WEBSITE says 'LastPass detected a login form that is insecure. Would you like to continue?"

Here's the documentation.

My problem is I have no idea whether or not I should continue.

Questions:

  1. How can I determine if a site is INSECURE because it is using GET or mailto: methods?

  2. How can I determine if a site is SECURE if it is NOT using GET or mailto: but LP thinks it does and it is a false-positive, etc.?

  3. I followed up with one site where I was getting a warning and they said they are using AJAX and not GET ... is that an issue and how can I verify because they go on to say they will be addressing this issue soon which leaves me wondering if I can safely use the site?

I've asked LP about this and they don't go further than what I've shared above.

ximaera
  • 3,395
  • 8
  • 23
KresWon895
  • 31
  • 2

1 Answers1

0

If the LastPass documentation is kept up to date with their source code, then you don't have to worry about false positives. (You may want to be concerned about false negatives instead.) Detecting a form which is sent via GET or mailto: is a comparatively easy task.

A GET request in HTTP (and HTTPS) is the most simple and widespread request method. It transfers (almost) all your data in the URL, i.e. in the same line of letters which is displayed in the address bar of your browser. Sending a form in an HTTP(S) GET request is not safe: here are the possible consequences.

The other method, dubbed mailto, is not actually an HTTP(s) request method, but rather a way to send your data via e-mail instead of a browser, HTTP and World Wide Web. Sending sensitive data via e-mail instead of an HTTPS POST request might be even less safe.

If you really have to use a Web site which does it either way, better a) evaluate your options and try to choose a site's competitor instead; b) read two links just above and evaluate your risks.

Regarding AJAX, it's basically an abstraction layer on top of HTTP(S). It might easily be implemented with GET requests: Wikipedia has a perfect example of this. So using AJAX alone isn't relevant to the question.

Some clarifications:

  1. LastPass authors most likely are well aware of the fact that there are (sometimes, important) Web sites which do not follow best security practices. Thus, LastPass is not going to prevent using those Web sites at all costs, it just highlights an issue and leaves the burden of decision making for the user.

  2. Sometimes, indeed, using GET or mailto: is somewhat (arguably, but) less of an issue. E.g. when the e-mail message is being sent to a device on the local network, or when a GET request ends on the localhost. LastPass cannot reliably detect those exceptions, here's why it only displays a warning.

  3. I believe that if LastPass has detected usage of those methods, you can be pretty sure that either of those methods is, in fact, being used. Developer tools ("network" tab) may help to track it down.

  4. Once again, using AJAX alone doesn't mean that the form isn't being sent in a GET request. It might be either way. Pretending that a Web site isn't using GET requests because it's using AJAX is plain silly.

ximaera
  • 3,395
  • 8
  • 23
  • So a GET or MAILTO is an issue and I appreciate your explanation! Follow-up questions: (1) What kind of reasoning is behind or might be behind their advice to go ahead and use the website if I "trust it" even though it is producing this warning? (2) Is it possible that there are occasions where they "detect" a GET or Mailto and that really isn't an issue? .... (3) How can I detect a GET or Mailto? Using Developer Tools on Chrome or Firefox? If so I'm not quite sure where to look? – KresWon895 Aug 30 '18 at 17:33
  • And, question #4 - Technical support said that their web signin form doesn't specify a verb/method so my password manager is probably interpreting this as a GET. Their system uses AJAX and not GET.” How can I tell if this is true? Or is this still not relevant as mentioned above? – KresWon895 Aug 30 '18 at 17:47
  • @KresWon895 I have edited my answer. – ximaera Aug 30 '18 at 23:31
  • Thank you @ximaera! The clarifications helped enormously. I'll assume the LastPass warning is accurate and avoid the pages. I was just thrown when they told me that if I've used the site in the past and had no issues that I could go ahead and trust it - this just didn't make sense to me. Your take on the matter is both practical and doable. – KresWon895 Aug 31 '18 at 00:16