New "Insecure" Web Site Login Message

Discussion of general topics about Mozilla Firefox
Post Reply
greybeard2012
Posts: 105
Joined: October 21st, 2012, 8:27 pm

New "Insecure" Web Site Login Message

Post by greybeard2012 »

How do I turn this fatuous new feature off please?

Apparently for years I've unknowingly been using some "insecure" login pages for forums etc and now I desperately need for FireFox to tell me this.

Whilst doing that the warning message dialogue box plants itself in such a position that it either obscures the username or login boxes when they are located above each other.

A poorly thought out feature. Did any user really express a need for this?
Grey Goshawk
Posts: 4
Joined: March 5th, 2006, 2:21 pm

Re: New "Insecure" Web Site Login Message

Post by Grey Goshawk »

Well of course.
For example someone on the same network (for example at a public hotspot) as you can view what username and password you enter because it's sent unencrypted.
The expectation for a user when entering a username and password is that someone can't just simply snoop on the message.

Users often also repeat passwords all over the place so if they think for a second that entering the same password they use for everything into an insecure website is a bad idea then it'll be a good idea.
greybeard2012
Posts: 105
Joined: October 21st, 2012, 8:27 pm

Re: New "Insecure" Web Site Login Message

Post by greybeard2012 »

That really doesn't address the issue. The question is not whether doing that is poor practice, something I'm not going to argue about, it is why it has suddenly been decided to have FireFox point it out, and in such an annoying way? If it must do this then put an indicator in the address bar or somewhere that isn't actually over the login boxes.

If people want to login insecurely they're going to do it, this, it's just another unwanted nag.

Also, I did ask nicely, if there was a way to disable this feature for those who don't want it?
User avatar
makaiguy
Posts: 16878
Joined: November 18th, 2002, 6:44 pm
Location: Somewhere in SE USA
Contact:

Re: New "Insecure" Web Site Login Message

Post by makaiguy »

Starting with Ver 52, FFox pops up a warning when attempting to log into sites not accessed via a secure connection (i.e. those using non-secured http protocol instead of secured https protocol). The warning correctly points out that your login name and password are being transmitted in the clear where they can be captured by any server along the way.

This does not mean that the site you are trying to log in to has suddenly become insecure. This situation has always been there, but the folks at Mozilla just decided they'd warn you about it.

To avoid the warning:
  1. If the site supports a secure https connection, use that instead of http. Your transmission will be encrypted and only readable by your destination site.
  2. If you just don't want FFox to warn you of these insecure connections, do this:
    • Enter about:config in the Address/URL bar.
    • Press the button to agree to be careful (if you haven't done this previously).
    • Enter insecure in the Filter bar to limit display to just options containing 'insecure'.
    • Double-click on each of the following two options to toggle them between true and false. Set them to false:
      security.insecure_field_warning.contextual.enabled
      security.insecure_password.ui.enabled
    • Enter autofill in the Search bar.
    • Double-click on signon.autofillForms.http and toggle it to true.
    NOTE: if any of the above options are not found, you can create them manually. Right-click (control-click on Apple) an empty space in the option list. Click New | Boolean. Enter the option name and appropriate true/false value.
Doug Wilson
Win10 64bit: FF 115.0.02 64bit, TB 102.12.0 32-bit ║ Android 13/10: FF 115.2.0/115.0.1 ║ No TB for Android available, dammit!
What a fool believes he sees, no wise man has the power to reason away - Doobie Brothers
greybeard2012
Posts: 105
Joined: October 21st, 2012, 8:27 pm

Re: New "Insecure" Web Site Login Message

Post by greybeard2012 »

Thanks you very much for the information, appreciated.

The problem I have with these sorts of nags is that up this point FireFox hasn't warned you about this. This isn't a new threat this is something FireFox could have been warning you about with all previous versions but it hasn't been thought necessary.

Why the change and why do it so awkwardly?

For years users have known to check the address bar for the padlock, https:// and (I) site info icon tells you in red letters the connection is not secure if you click on it. So the information is already available in the address bar and perhaps simply turning the (I) symbol red to indicate a warning bringing it, more subtly, to the attention of the user on insecure login pages would be a better design solution.

The ultimate irony is that this forum doesn't have a secured connection login page.
NanM
Posts: 182
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Re: New "Insecure" Web Site Login Message

Post by NanM »

greybeard2012 wrote: Why the change and why do it so awkwardly?
Fatuous?! That big word would never do in the new halls of mozux ;-)
Firefox clients are gathered into some old MS paradigm now, where the Clippit designer has found a new home:

Code: Select all

Hello!  It looks like you want to exchange credentials; let me just drop down and obscure the field there for you.
+1 thanks to makaiguy.
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: New "Insecure" Web Site Login Message

Post by Frank Lion »

greybeard2012 wrote:Why the change and why do it so awkwardly?
Sign of the times.

Companies change things, remove things, put the same things back to make it seem that they are at the cutting edge of 'feature' development and they often do this when, er, nothing has actually changed. As in this case.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
Scarlettrunner20
Posts: 1016
Joined: February 13th, 2003, 5:06 pm

Re: New "Insecure" Web Site Login Message

Post by Scarlettrunner20 »

Grey Goshawk wrote:Well of course.
For example someone on the same network (for example at a public hotspot) as you can view what username and password you enter because it's sent unencrypted.
The expectation for a user when entering a username and password is that someone can't just simply snoop on the message.

Users often also repeat passwords all over the place so if they think for a second that entering the same password they use for everything into an insecure website is a bad idea then it'll be a good idea.
Grey Goshawk wrote:Well of course.
For example someone on the same network (for example at a public hotspot) as you can view what username and password you enter because it's sent unencrypted.
The expectation for a user when entering a username and password is that someone can't just simply snoop on the message.

Users often also repeat passwords all over the place so if they think for a second that entering the same password they use for everything into an insecure website is a bad idea then it'll be a good idea.
Why login or even use a computer away from home or office? Why use anything other than wired internet access? If people had common sense this would be a non-issue.

I ALWAYS choose http even when a site has https also. The only exception is for banking which I no longer do except rarely on a computer. Under NO circumstances would I enter my SS number or my birthdate on ANY website. That is plain insanity and now since ISPs can harvest and sell everything I do, Tor or a VPN is needed. What is NOT needed is for any browser to lie and say https is "secure". If you never use your name, never post photos of yourself, etc and then why does Mozilla think a user needs a warning about an http site login where they are NEVER revealing their name, birth date, etc? What would be the major disaster if someone captured my login here (or my home site that has https that I chose to not use)? My login at both sites has been capturable since 2001 for my home site and 2003 for this site. No one has ever grabbed it and impersonated me at either site and if they ever did, yeah, headache but not such a major thing that Mozilla needs to suddenly put in my face what I have always known and try and scare me into https which means no Proxomitron which means no protection against a lot of nasty stuff at sites. So, forgive me if I am less than impressed with Mozilla's sudden desire, after all these years, to "protect" me. :roll:
User avatar
Happy112
Posts: 485
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Re: New "Insecure" Web Site Login Message

Post by Happy112 »

Hi greybeard2012 !
Noticed you saying this : "the warning message dialogue box plants itself in such a position that it either obscures the username or login boxes when they are located above each other."
There's a simple solution : press the Esc key .......
And to everybody who's annoyed by this new feature : Mozilla is growing, trying to find ways to improve the browser and only has the users' best interest at heart.
And if you don't like certain new features : instead of complaining, just disable the feature and SMILE !!!
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: New "Insecure" Web Site Login Message

Post by Frank Lion »

Happy112 wrote:And to everybody who's annoyed by this new feature : Mozilla is growing, trying to find ways to improve the browser and only has the users' best interest at heart.
And if you don't like certain new features : instead of complaining, just disable the feature and SMILE !!!
You don't write for a North Korean newspaper, do you?

If that feature can be disabled then why didn't you write how to do that, instead of your clumsy workaround of pressing the Escape key?
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
Happy112
Posts: 485
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Re: New "Insecure" Web Site Login Message

Post by Happy112 »

Hi Frank Lion !
In answer to your question : "If that feature can be disabled then why didn't you write how to do that, instead of your clumsy workaround of pressing the Escape key " :
I didn't, because 'makaiqui already has ....... Would you please read all the answers that have been posted, before biting somebody's head off ?
And when you read my reply again, you might realize that I was referring to the warning obscuring the username etc.. when I adviced to press the Esc key.
Have a nice day, Frank Lion !
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: New "Insecure" Web Site Login Message

Post by Frank Lion »

Happy112 wrote:Would you please read all the answers that have been posted, before biting somebody's head off ?
Hi Happy112 !

No, I don't like apologists and never have. This is drivel -
And to everybody who's annoyed by this new feature : Mozilla is growing, trying to find ways to improve the browser and only has the users' best interest at heart.
And if you don't like certain new features : instead of complaining, just disable the feature and SMILE !!!
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
Happy112
Posts: 485
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Re: New "Insecure" Web Site Login Message

Post by Happy112 »

Frank Lion, if you can't be nice, would you at least comply with common decency, please ?
I'm doing this as a volunteer, in my spare time, trying to help other users.
Only started on this forum today, but if this is the way I get treated here - I might as well quit right now.
Not expecting great big 'Thank you's' - but a little appreciation, maybe ?
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Re: New "Insecure" Web Site Login Message

Post by Frank Lion »

Happy112 wrote:I'm doing this as a volunteer, in my spare time, trying to help other users.
Needlessly bumping old solved threads with fanbois stuff is not the way to help other users.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
Post Reply