MozillaZine

New "Insecure" Web Site Login Message

Discussion of general topics about Mozilla Firefox
greybeard2012
 
Posts: 30
Joined: October 21st, 2012, 8:27 pm

Post Posted March 30th, 2017, 7:02 am

How do I turn this fatuous new feature off please?

Apparently for years I've unknowingly been using some "insecure" login pages for forums etc and now I desperately need for FireFox to tell me this.

Whilst doing that the warning message dialogue box plants itself in such a position that it either obscures the username or login boxes when they are located above each other.

A poorly thought out feature. Did any user really express a need for this?

Grey Goshawk
 
Posts: 4
Joined: March 5th, 2006, 2:21 pm

Post Posted March 30th, 2017, 7:18 am

Well of course.
For example someone on the same network (for example at a public hotspot) as you can view what username and password you enter because it's sent unencrypted.
The expectation for a user when entering a username and password is that someone can't just simply snoop on the message.

Users often also repeat passwords all over the place so if they think for a second that entering the same password they use for everything into an insecure website is a bad idea then it'll be a good idea.

greybeard2012
 
Posts: 30
Joined: October 21st, 2012, 8:27 pm

Post Posted March 30th, 2017, 8:58 am

That really doesn't address the issue. The question is not whether doing that is poor practice, something I'm not going to argue about, it is why it has suddenly been decided to have FireFox point it out, and in such an annoying way? If it must do this then put an indicator in the address bar or somewhere that isn't actually over the login boxes.

If people want to login insecurely they're going to do it, this, it's just another unwanted nag.

Also, I did ask nicely, if there was a way to disable this feature for those who don't want it?

makaiguy

User avatar
 
Posts: 16411
Joined: November 18th, 2002, 6:44 pm
Location: Somewhere in SE USA

Post Posted March 30th, 2017, 9:00 am

Starting with Ver 52, FFox pops up a warning when attempting to log into sites not accessed via a secure connection (i.e. those using non-secured http protocol instead of secured https protocol). The warning correctly points out that your login name and password are being transmitted in the clear where they can be captured by any server along the way.

This does not mean that the site you are trying to log in to has suddenly become insecure. This situation has always been there, but the folks at Mozilla just decided they'd warn you about it.

To avoid the warning:
  1. If the site supports a secure https connection, use that instead of http. Your transmission will be encrypted and only readable by your destination site.
  2. If you just don't want FFox to warn you of these insecure connections, do this:
    • Enter about:config in the Address/URL bar.
    • Press the button to agree to be careful (if you haven't done this previously).
    • Enter insecure in the Filter bar to limit display to just options containing 'insecure'.
    • Double-click on each of the following two options to toggle them between true and false. Set them to false:
      security.insecure_field_warning.contextual.enabled
      security.insecure_password.ui.enabled
    • Enter autofill in the Search bar.
    • Double-click on signon.autofillForms.http and toggle it to true.
    NOTE: if any of the above options are not found, you can create them manually. Right-click (control-click on Apple) an empty space in the option list. Click New | Boolean. Enter the option name and appropriate true/false value.
Doug Wilson, "The Makai Guy"
Win10 (64bit): FF 54.0.1 (32bit), TB 52.2.1 (32bit)║ Android 7.0/6.0.2: FF 54.0.1, No TB for Android available, dammit!
What a fool believes he sees, no wise man has the power to reason away - Doobie Brothers

greybeard2012
 
Posts: 30
Joined: October 21st, 2012, 8:27 pm

Post Posted April 1st, 2017, 5:13 am

Thanks you very much for the information, appreciated.

The problem I have with these sorts of nags is that up this point FireFox hasn't warned you about this. This isn't a new threat this is something FireFox could have been warning you about with all previous versions but it hasn't been thought necessary.

Why the change and why do it so awkwardly?

For years users have known to check the address bar for the padlock, https:// and (I) site info icon tells you in red letters the connection is not secure if you click on it. So the information is already available in the address bar and perhaps simply turning the (I) symbol red to indicate a warning bringing it, more subtly, to the attention of the user on insecure login pages would be a better design solution.

The ultimate irony is that this forum doesn't have a secured connection login page.

NanM
 
Posts: 174
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted April 2nd, 2017, 3:23 am

greybeard2012 wrote:Why the change and why do it so awkwardly?


Fatuous?! That big word would never do in the new halls of mozux ;-)
Firefox clients are gathered into some old MS paradigm now, where the Clippit designer has found a new home:

Code: Select all
Hello!  It looks like you want to exchange credentials; let me just drop down and obscure the field there for you.


+1 thanks to makaiguy.

Frank Lion

User avatar
 
Posts: 19147
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted April 2nd, 2017, 5:06 am

greybeard2012 wrote:Why the change and why do it so awkwardly?

Sign of the times.

Companies change things, remove things, put the same things back to make it seem that they are at the cutting edge of 'feature' development and they often do this when, er, nothing has actually changed. As in this case.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

Scarlettrunner20

User avatar
 
Posts: 990
Joined: February 13th, 2003, 5:06 pm

Post Posted April 2nd, 2017, 6:29 am

Grey Goshawk wrote:Well of course.
For example someone on the same network (for example at a public hotspot) as you can view what username and password you enter because it's sent unencrypted.
The expectation for a user when entering a username and password is that someone can't just simply snoop on the message.

Users often also repeat passwords all over the place so if they think for a second that entering the same password they use for everything into an insecure website is a bad idea then it'll be a good idea.


Grey Goshawk wrote:Well of course.
For example someone on the same network (for example at a public hotspot) as you can view what username and password you enter because it's sent unencrypted.
The expectation for a user when entering a username and password is that someone can't just simply snoop on the message.

Users often also repeat passwords all over the place so if they think for a second that entering the same password they use for everything into an insecure website is a bad idea then it'll be a good idea.


Why login or even use a computer away from home or office? Why use anything other than wired internet access? If people had common sense this would be a non-issue.

I ALWAYS choose http even when a site has https also. The only exception is for banking which I no longer do except rarely on a computer. Under NO circumstances would I enter my SS number or my birthdate on ANY website. That is plain insanity and now since ISPs can harvest and sell everything I do, Tor or a VPN is needed. What is NOT needed is for any browser to lie and say https is "secure". If you never use your name, never post photos of yourself, etc and then why does Mozilla think a user needs a warning about an http site login where they are NEVER revealing their name, birth date, etc? What would be the major disaster if someone captured my login here (or my home site that has https that I chose to not use)? My login at both sites has been capturable since 2001 for my home site and 2003 for this site. No one has ever grabbed it and impersonated me at either site and if they ever did, yeah, headache but not such a major thing that Mozilla needs to suddenly put in my face what I have always known and try and scare me into https which means no Proxomitron which means no protection against a lot of nasty stuff at sites. So, forgive me if I am less than impressed with Mozilla's sudden desire, after all these years, to "protect" me. :roll:

Happy112

User avatar
 
Posts: 274
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Post Posted April 17th, 2017, 1:38 am

Hi greybeard2012 !
Noticed you saying this : "the warning message dialogue box plants itself in such a position that it either obscures the username or login boxes when they are located above each other."
There's a simple solution : press the Esc key .......
And to everybody who's annoyed by this new feature : Mozilla is growing, trying to find ways to improve the browser and only has the users' best interest at heart.
And if you don't like certain new features : instead of complaining, just disable the feature and SMILE !!!

Frank Lion

User avatar
 
Posts: 19147
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted April 17th, 2017, 3:19 am

Happy112 wrote:And to everybody who's annoyed by this new feature : Mozilla is growing, trying to find ways to improve the browser and only has the users' best interest at heart.
And if you don't like certain new features : instead of complaining, just disable the feature and SMILE !!!

You don't write for a North Korean newspaper, do you?

If that feature can be disabled then why didn't you write how to do that, instead of your clumsy workaround of pressing the Escape key?
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

Happy112

User avatar
 
Posts: 274
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Post Posted April 17th, 2017, 5:36 am

Hi Frank Lion !
In answer to your question : "If that feature can be disabled then why didn't you write how to do that, instead of your clumsy workaround of pressing the Escape key " :
I didn't, because 'makaiqui already has ....... Would you please read all the answers that have been posted, before biting somebody's head off ?
And when you read my reply again, you might realize that I was referring to the warning obscuring the username etc.. when I adviced to press the Esc key.
Have a nice day, Frank Lion !

Frank Lion

User avatar
 
Posts: 19147
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted April 17th, 2017, 6:09 am

Happy112 wrote:Would you please read all the answers that have been posted, before biting somebody's head off ?

Hi Happy112 !

No, I don't like apologists and never have. This is drivel -

And to everybody who's annoyed by this new feature : Mozilla is growing, trying to find ways to improve the browser and only has the users' best interest at heart.
And if you don't like certain new features : instead of complaining, just disable the feature and SMILE !!!
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

Happy112

User avatar
 
Posts: 274
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Post Posted April 17th, 2017, 6:45 am

Frank Lion, if you can't be nice, would you at least comply with common decency, please ?
I'm doing this as a volunteer, in my spare time, trying to help other users.
Only started on this forum today, but if this is the way I get treated here - I might as well quit right now.
Not expecting great big 'Thank you's' - but a little appreciation, maybe ?

Frank Lion

User avatar
 
Posts: 19147
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted April 17th, 2017, 7:10 am

Happy112 wrote:I'm doing this as a volunteer, in my spare time, trying to help other users.

Needlessly bumping old solved threads with fanbois stuff is not the way to help other users.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

Return to Firefox General


Who is online

Users browsing this forum: No registered users and 4 guests