Mozilla is working on a new feature in Firefox that warns people in the browser when they visit a site that has been breached and provides information about how to protect themselves in future.
Firefox already displays warnings in input fields on non-HTTPS pages that transmit passwords or payment-card data, a measure intended in part to address the risk that stolen credentials lead to further breaches because passwords are so frequently reused.
The in-browser data-breach notifications tackle the password problem from a different angle, focusing on major credential leaks that have already occurred.
The project is currently a prototype and is partially integrated into the Nightly version of Firefox.
The breach data is sourced from security researcher Troy Hunt's data-breach alert site haveibeenpwned.com, which has a collection of 4.8 billion compromised accounts from hundreds of breaches in the past five years where data has been made publicly available.
Users of Hunt's site can already register an email address to receive alerts if it was present in a newly discovered breach. However, integrating the service with Firefox has the potential to reach a larger audience.
Mozilla developer Nihanth Subramanya explains the purpose of the project is to see how a browser can be used to help users keep track of data breaches and explain what to do when they're affected.
"As [data breaches] grow more frequent, it's desirable to keep track of them and communicate about them to web users when their credentials may have been compromised, and educate them on the repercussions, what they can do when such a breach occurs, and protect themselves in the future," he explains on the project's GitHub repository.
There are still quite a few details to work out before this feature becomes part of Firefox. In its current form, the project aims to create a "UI and interaction flow ... in Firefox that notifies users when their credentials have possibly been leaked or stolen in a data breach."
Subramanya suggests Firefox could supply a notification when users visit a site that is known to have been recently breached. The notification could be displayed when the user visits the login page of the site.
He suggests a 'Learn more' link that would offer educational information about data breaches within the Firefox UI.
It would also offer a way for users to sign up to a service that notifies them by email when they're affected by a future breach. In the current implementation, when a user visits a site that has suffered a breach, like LinkedIn or Adobe, Firefox presents a drop-down box from the address bar with a field to enter an email address and an option to receive email alerts.
Subramanya has yet to figure out how to handle the potential privacy concerns of this opt-in feature, given that users would need to supply an email address to be notified. And without an email address, would in-browser breach alerts still be useful?
"Who is the custodian of this data? Can we avoid sending user data to haveibeenpwned.com? Can we still offer useful functionality to users who opt out of subscribing their email address? While the project is still in infancy, the idea is to offer as much utility as possible while respecting the user's privacy," writes Subramanya.
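One design that answers the "can we avoid sending user data" question, as an added example that is not the prototype's code: the breach list is cached in the browser and the visited hostname is checked against it locally, so neither the URL nor the user's email address is sent to haveibeenpwned.com. The sample records are constructed; the field names and the "recent" threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample of breach records, shaped like a public breach listing.
# Field names are an assumption, not the prototype's data format.
# Only records with a public Domain can drive a site-based warning.
BREACHES = [
    {"Name": "LinkedIn", "Domain": "linkedin.com", "BreachDate": "2012-05-05",
     "AddedDate": "2016-05-21", "IsVerified": True},
    {"Name": "Adobe", "Domain": "adobe.com", "BreachDate": "2013-10-04",
     "AddedDate": "2013-12-04", "IsVerified": True},
    {"Name": "ExampleForum", "Domain": "forum.example.net",
     "BreachDate": "2017-10-20", "AddedDate": "2017-11-01", "IsVerified": False},
    {"Name": "NoDomain", "Domain": "", "BreachDate": "2017-09-01",
     "AddedDate": "2017-09-02", "IsVerified": True},
]


def domain_matches(host, breach_domain):
    """True if the visited host is the breached domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    breach_domain = breach_domain.lower().rstrip(".")
    if not breach_domain:
        return False
    return host == breach_domain or host.endswith("." + breach_domain)


def breaches_for_host(host, breaches=BREACHES, today=None, recent_days=365):
    """Names of breaches that should trigger the address-bar notice for `host`.

    The check runs entirely over the locally cached list, so the visited URL
    never leaves the browser. A breach counts as "recent" if it was added to
    the list within `recent_days` (assumed threshold), because old incidents
    are often published long after they happened.
    """
    today = today or date.today()
    cutoff = today - timedelta(days=recent_days)
    hits = []
    for b in breaches:
        if not b.get("IsVerified"):
            continue  # unverified entries would produce noisy warnings
        if not domain_matches(host, b.get("Domain", "")):
            continue
        if date.fromisoformat(b["AddedDate"]) < cutoff:
            continue
        hits.append(b["Name"])
    return hits


def should_notify(host, is_login_page, **kw):
    """Show the notice only on the site's login page, as the prototype proposes."""
    return is_login_page and bool(breaches_for_host(host, **kw))
```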