Insecure Password Warning On This Site

Talk about stuff specific to the site -- bugs, suggestions, and of course praise welcome.
Locked
User avatar
xanthon
Posts: 405
Joined: December 17th, 2005, 11:55 pm

Insecure Password Warning On This Site

Post by xanthon »

Hello. I searched the forum and found only a thread relating to other websites. It is locked and may pre-date Firefox Quantum.

I came up against the problem this afternoon. The following support page is relevant : Insecure password warning in Firefox.
Firefox will display a lock icon with red strike-through red strikethrough icon in the address bar when a login page you’re viewing does not have a secure connection. This is to inform you that if you enter your password, it could be stolen by eavesdroppers and attackers.

Starting in Firefox version 52, you will also see a warning message when you click inside the login box to enter a username or password.
User avatar
makaiguy
Posts: 16878
Joined: November 18th, 2002, 6:44 pm
Location: Somewhere in SE USA
Contact:

Re: Insecure Password Warning On This Site

Post by makaiguy »

Starting with Ver 52, FFox pops up a warning when attempting to log into sites (like this one) not accessed via a secure connection (i.e. those using non-secured http protocol instead of secured https protocol). The warning correctly points out that your login name and password are being transmitted in the clear where they can be captured by any server along the way.

This does not mean that the site you are trying to log in to has suddenly become insecure. This situation has always been there, but the folks at Mozilla just decided they'd warn you about it.

To avoid the warning:
  1. If the site supports a secure https connection, use that instead of http. Your transmission will be encrypted and only readable by your destination site.
  2. If you just don't want FFox to warn you of these insecure connections, do this:
    • Enter about:config in the Address/URL bar.
    • Press the button to agree to be careful (if you haven't done this previously).
    • Enter insecure in the Filter bar to limit display to just options containing 'insecure'.
    • Double-click on each of the following two options to toggle them between true and false. Set them to false:
      • security.insecure_field_warning.contextual.enabled
        security.insecure_password.ui.enabled
    • Enter autofill in the Search bar.
    • Double-click on signon.autofillForms.http and toggle it to true.
    NOTE: if any of the above options are not found, you can create them manually. Right-click (control-click on Apple) an empty space in the option list. Click New | Boolean. Enter the option name and appropriate true/false value.
Doug Wilson
Win10 64bit: FF 115.0.02 64bit, TB 102.12.0 32-bit ║ Android 13/10: FF 115.2.0/115.0.1 ║ No TB for Android available, dammit!
What a fool believes he sees, no wise man has the power to reason away - Doobie Brothers
lucideer
Posts: 178
Joined: May 17th, 2009, 6:47 pm
Location: Ireland

Re: Insecure Password Warning On This Site

Post by lucideer »

makaiguy wrote:This does not mean that the site you are trying to log in to has suddenly become insecure. This situation has always been there, but the folks at Mozilla just decided they'd warn you about it.
This isn't true. The kind folks at Mozilla don't decide to warn their users about things for no reasons—they are doing this because this has *always* been insecure and we're trying to move to a more secure web.
makaiguy wrote:If you just don't want FFox to warn you of these insecure connections, do this:
This is dangerous advice. Please don't ask people to disable security settings in their Firefox install.


I'm a long-time-inactive former MozillaZine user/poster and I came here today after a long hiatus specifically to discuss a separate issue. It's a long time since I logged into the site, and I was really shocked to realise it was a non-HTTP forum. This is basically unacceptable for any slightly privacy-aware educated user on the modern internet.

If anyone needs help setting up HTTP for the mozillaZine server, I'm more than willing to help out. Is there a thread somewhere where this work is in progress?
User avatar
DanRaisch
Moderator
Posts: 127186
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Re: Insecure Password Warning On This Site

Post by DanRaisch »

If anyone needs help setting up HTTP for the mozillaZine server, I'm more than willing to help out. Is there a thread somewhere where this work is in progress?
I'm assuming you mean "setting up HTTPS".
As far as we are aware, there is nothing in progress on that and probably won't be. Is there really anything that sensitive being posted on this open, public forum to make that an issue?
User avatar
James
Moderator
Posts: 27999
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Re: Insecure Password Warning On This Site

Post by James »

lucideer wrote:This is basically unacceptable for any slightly privacy-aware educated user on the modern internet.

If anyone needs help setting up HTTP for the mozillaZine server, I'm more than willing to help out. Is there a thread somewhere where this work is in progress?
This site is not a store or bank or such. I'm sure kerz is aware of options like say https://letsencrypt.org/ as he has a life and is busy at Google and has been generous in still keeping mozillaZine up and running as is.
User avatar
Decidedly Devious
Posts: 225
Joined: October 23rd, 2005, 4:10 pm

Re: Insecure Password Warning On This Site

Post by Decidedly Devious »

I encountered this recently while attempting to change my password.
It concerned me enough that I stopped and left the site, proving that it can be a deterrence to security if people are afraid to change their passwords.

I'd planned to post a screenshot but there's no option for that here.
Why doesn't the "reply" box on threads offer a full editor like you get when posting a new topic?

Each time I want to add formatting, screenshots or emoticons to a reply, I must open a new Mozillazine tab, start a new topic and use the editor there.
Then copy the text, paste it into the original tab's reply box and close the new tab. #-o

So, after doing all that, voilà!

Image




James, It's irrelevant that this site isn't "a store or bank or such."
Neither are Gmail, YouTube, LinkedIn, Reddit, GitHub, Craigslist etc.; Would you be comfortable with them using http?

Website operators have a responsibility to provide appropriate security for its users and may be held liable in the event of a breach.
User avatar
James
Moderator
Posts: 27999
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Re: Insecure Password Warning On This Site

Post by James »

OregonRebel wrote:I'd planned to post a screenshot but there's no option for that here.
Why doesn't the "reply" box on threads offer a full editor like you get when posting a new topic?

Each time I want to add formatting, screenshots or emoticons to a reply, I must open a new Mozillazine tab, start a new topic and use the editor there.
Then copy the text, paste it into the original tab's reply box and close the new tab.
This forum has never had the attachment feature enabled. Two very big reasons why is due to database load and especially due to Spam.

The box on bottom of the thread is just a Quick Reply box. I guess you completely missed three ways to get the Advanced Reply box when replying on a thread since Oct 2005.

Click on the [POST REPLY} button link at bottom. If you click on
button on a post you will load the Advanced reply with the Quote. Also when you are using the Quick Reply box at end of thread, you can click on [Preview] button beside the [Submit] button to then preview the post in Advanced Reply, though you need to have something in box first.

As I said Kerz (the owner/admin) is a busy guy and it is up to him on what he wants to do. He has not been a fan of adding or making big changes due to issues such as database crashes in past caused by said attempts. He did say last year that he was maybe planning to change to another forum software to make it easier to keep it updated. This may perhaps mean https:// for the few people who complain about this.
User avatar
Decidedly Devious
Posts: 225
Joined: October 23rd, 2005, 4:10 pm

Re: Insecure Password Warning On This Site

Post by Decidedly Devious »

I never mentioned a missing attachment function. I was referring to the inability to see the buttons that are used to add an image (some sites use <img>, some use [img]).
It's not a problem to upload images to a hosting site, just an extra step.

I thought it used to be easier to use the editor here, but it seemed like it was removed.
Now I see it depends which link is clicked in the email notices sent from the site.

This link opens the reply box without an editor.
And I either wasn't aware or had forgotten that clicking Preview opens the full editor. :oops:
If you want to view the newest post made since your last visit, click the
following link: http://forums.mozillazine.org/viewtopic ... e=14823814
This link opens the topic page with a reply button that opens the full editor.
If you want to view the topic, click the following link: http://forums.mozillazine.org/viewtopic ... &t=3040913

It's a pity that a mod would accuse users of "complaining" when they express valid concerns about a site's undeniable security shortcoming. =;
Last edited by Decidedly Devious on February 12th, 2019, 10:16 am, edited 2 times in total.
User avatar
malliz
Folder@Home
Posts: 43796
Joined: December 7th, 2002, 4:34 am
Location: Australia

Re: Insecure Password Warning On This Site

Post by malliz »

James wrote: This may perhaps mean https:// for the few people who complain about this.
Probably keep the serial whingers happy - for a while :|
What sort of man would put a known criminal in charge of a major branch of government? Apart from, say, the average voter.
"Terry Pratchett"
Locked