IE11 ignores Autocomplete=Off setting used by Netscaler Gateway and put users at risk

IE-Red-smallSince Microsoft is pushing Internet Explorer 11 through Windows Update as an important update for Windows 7, a lot of users are starting to use it as their default browser. Also users on Windows 8.1 are already using Internet Explorer 11 by default.

Internet Explorer 11 brought some issues for customers using Netscaler Gateway, for example the login fields in combination with the Green Bubble theme weren’t displayed correctly and this prevented users from logging in correctly. Citrix released new maintenance releases for Netscaler Gateway which will fix this layout issues.

But there is more : Microsoft decided to ignore the Autocomplete=Off setting used by Netscaler Gateway (and a lot of other login pages), this setting tells the browser not to use the store password option and will protect the user from accidently saving their username and password on their machine (or worse a public machine!). Below a screenshot from the login.js file where you can find the autocomplete=off setting on the Netscaler :

Autocomplete

Up till Internet Explorer 10 and every other major browser like Chrome and Firefox respect this setting and will not bother the user to store the credentials, but Microsoft decided to ignore this setting (by default!) in IE11 because they want to give this control back to the user, you can read more about it here and here. Below a screenshot of the message users get when logging in through IE11 on Netscaler Gateway :

StorePassword

I think it’s a wrong choice of Microsoft to ignore the autocomplete=off setting, but even more wrong to ignore it by default, because they forget that a lot of people don’t know how to use a password manager wisely and just click OK on every message they see without thinking about the risks. When users click on Yes, everyone with access to their computer can simple hit the first letter of their username and the rest is auto filled so it’s very easy to make abuse of this :

Autocomplete2

Of course users can always bypass the autocomplete=off setting by installing\enabling a password manager themselves (also in other browsers) but in this way, they are conscious what they are doing. This default setting will put a lot of users (the ones we all know and hit Yes on everything on their way) at risk, without they even know it.

Possible workarounds when using Internet Explorer 11 :

  • When machines are managed (through GPO or tools like Thinkiosk) disable Autocomplete in the browser completely or only for certain websites
  • Change the password field on the Netscaler Gateway from type Password to type Text, this will prevent autocomplete from kicking in but will lower the security when people are typing in their password
  • Don’t allow IE11 : Block the login page from showing (through EPA scan or some code in the index page) and notify the users to use another browser
  • Don’t use Receiver for Web \ Netscaler Gateway Portal and only use the native Citrix Receivers

Of course 2-way factor authentication is a life saver here, but the security is already lowered when username and passwords are already stored on the machine. People with bad intentions only need the phone or token as an extra step to get access from a machine with prefilled username and password.
Please let me know if you have other ways to work around this default behaviour of Internet Explorer 11.

Advertisements