Insecure Logon Warning
#1
Posted 20 March 2017 - 07:44
When I logged on this morning I received a warning from Firefox saying that the logon, even though the URL is https://, was insecure, and I was directed to https://support.mozi...efox/ta-p/27861
Can this be looked at as a matter of urgency? Account security is of paramount importance.
#2
Posted 20 March 2017 - 09:45
#3
Posted 20 March 2017 - 10:11
It's a new Firefox feature. I think the idea behind it is to nudge people towards using more secure passwords rather than PASSWORD, QWERTY or 123456789. If your Autosport password is unique then the risk is minimal.
However, if you use a separate password manager - I use LastPass - it will override the Firefox settings and only display the crossed-through lock symbol.
#4
Posted 20 March 2017 - 15:22
An explanation from a poster at MozillaZine:
> Starting with Ver 52, FFox pops up a warning when attempting to log into sites not accessed via a secure connection (i.e. those using non-secured http protocol instead of secured https protocol). The warning correctly points out that your login name and password are being transmitted in the clear where they can be captured by any server along the way.
> This does not mean that the site you are trying to log in to has suddenly become insecure. This situation has always been there, but the folks at Mozilla just decided they'd warn you about it.
> To avoid the warning:
> - If the site supports a secure https connection, use that instead of http. Your transmission will be encrypted and only readable by your destination site.
> - If you just don't want FFox to warn you of these insecure connections, do this:
>   - Enter about:config in the Address/URL bar.
>   - Press the button to agree to be careful (if you haven't done this previously).
>   - Enter insecure in the Filter bar to limit display to just options containing 'insecure'.
>   - Double-click on each of the following two options to toggle them between true and false. Set them to false:
>     security.insecure_field_warning.contextual.enabled
>     security.insecure_password.ui.enabled
>   - Enter autofill in the Search bar.
>   - Double-click on signon.autofillForms.http and toggle it to true.
> NOTE: if any of the above options are not found, you can create them manually. Right-click (control-click on Apple) an empty space in the option list. Click New | Boolean. Enter the option name and appropriate true/false value.
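The MozillaZine explanation above describes when the warning fires; the about:config tweak only hides it, it does not change what goes over the wire. The block below is an added example (my own code, not Firefox's and not from this thread) that re-implements the same rule in Node so a site owner can audit their own page templates offline: a form containing a password field is flagged if the page was not served over HTTPS, or if the form's action resolves to a non-HTTPS URL. The function names, the `.example.test` hostnames and `SAMPLE_HTML` are all constructed for the example.

```javascript
// Added example, not Firefox's code and not from the thread: the rule behind the
// warning, re-implemented so a site owner can audit their own templates offline.
// Firefox 52+ warns when a password field sits on a page that was not delivered
// over HTTPS, or when the form containing it submits to a non-HTTPS URL.
// Function names (classifyLoginForm, auditLoginForms) and SAMPLE_HTML are mine.

// Decide for one form. pageUrl is where the HTML came from; action is the form's
// action attribute, resolved relative to the page exactly as a browser would.
function classifyLoginForm(pageUrl, action, hasPasswordField) {
  if (!hasPasswordField) return 'not-a-login-form';
  const page = new URL(pageUrl);
  const submit = new URL(action || '', page); // '' means "submit back to this page"
  // The form itself arrived in clear text, so it could be read or altered in transit.
  if (page.protocol !== 'https:') return 'insecure-page';
  // HTTPS page, but the password is posted to an http:// target.
  if (submit.protocol !== 'https:') return 'insecure-submit';
  return 'secure';
}

// Scan an HTML string for <form>...</form> blocks. A regex is enough for auditing
// your own templates; it is not a full HTML parser.
function auditLoginForms(pageUrl, html) {
  const results = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const actionMatch = /\baction\s*=\s*["']([^"']*)["']/i.exec(m[1]);
    const action = actionMatch ? actionMatch[1] : '';
    const hasPassword = /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(m[2]);
    results.push({ action, verdict: classifyLoginForm(pageUrl, action, hasPassword) });
  }
  return results;
}

// Constructed sample page: a same-site login form, a login form that posts to a
// plain-http forum host, and a search form with no password field.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="http://forums.example.test/index.php?section=login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>`;

// The same HTML served two ways: the verdict depends on both the page and the target.
console.log(auditLoginForms('https://www.example.test/', SAMPLE_HTML).map(r => r.verdict));
// → [ 'secure', 'insecure-submit', 'not-a-login-form' ]
console.log(auditLoginForms('http://forums.example.test/', SAMPLE_HTML).map(r => r.verdict));
// → [ 'insecure-page', 'insecure-page', 'not-a-login-form' ]
```

The second run is the forum case from this thread: once the page itself is http://, every login form on it is insecure regardless of where it posts, which is why moving the page to HTTPS (not just the form target) is what makes the warning go away for the right reason.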
#5
Posted 21 March 2017 - 21:12
So, basically, you're not actually using https authentication?
#6
Posted 23 March 2017 - 08:31
> An explanation from a poster at MozillaZine:
Thanks for posting this V2.
I've done what it suggests and it works and I've therefore taken it on myself to spread it to other fora where people were having the same troubles.
#7
Posted 23 March 2017 - 08:39
> An explanation from a poster at MozillaZine:
This is informative but to echo Lotus53b, does this mean logging into this site is, and always has been not secure?
#8
Posted 23 March 2017 - 09:55
It's alive, it's alive! It works!
Thanks Vitesse2. I dropped Chrome in favour of Firefox because of the persistent annoying banner about not updating with Vista so I was a bit fed up when FF started this lark!
#9
Posted 23 March 2017 - 10:43
> This is informative but to echo Lotus53b, does this mean logging into this site is, and always has been not secure?
In FF or Chrome, click on the "i" in the circle to the left of the URL in the address bar to find out.
#10
Posted 23 March 2017 - 11:20
We're currently working on moving to full HTTPS across the whole of Autosport - I'm hoping that this will be completed within the next few weeks.
This is already working for the main portion of the site (if you visit https://www.autosport.com/ and try to log in you will see that those warnings aren't showing) and once we're confident that this isn't causing any problems we will make the whole site default to HTTPS. Next up will be the forums and the other parts of the site.
The pages where we take card or PayPal details and the Autosport Plus account pages have always been secure.
As the MozillaZine quotes above mention, this isn't a new problem that's cropped up. Security standards across the internet are improving and we're committed to keeping up!
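The post above describes the plan: serve the main site over HTTPS first, then make the whole site (forums included) default to it. The fragment below is an added example of what "default to HTTPS" looks like at the web server; it is my own illustration and not Autosport's configuration. Hostnames, certificate paths and the backend address are placeholders.

```nginx
# Added example, not Autosport's configuration: an nginx setup that sends every
# plain-HTTP request to HTTPS and, once the whole site works over HTTPS, tells
# browsers not to use http:// for this host again (HSTS). Names are placeholders.

server {
    listen 80;
    listen [::]:80;
    server_name www.example.test forums.example.test;

    # 301 keeps the path and query string, so bookmarks and old links still work.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.test forums.example.test;

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    # Only add HSTS after every part of the site, forums included, is reachable
    # over HTTPS: browsers will refuse http:// for this host for max-age seconds.
    # Start with a short max-age while testing and raise it once confident.
    add_header Strict-Transport-Security "max-age=300; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two things this fragment cannot do on its own: the application must still set the Secure flag on its session cookie so the cookie is never sent over HTTP, and the login form's action must point at an https:// URL (or a relative one), otherwise the browser warning from earlier in the thread remains.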
#11
Posted 23 March 2017 - 23:40
> We're currently working on moving to full HTTPS across the whole of Autosport - I'm hoping that this will be completed within the next few weeks.
> This is already working for the main portion of the site (if you visit https://www.autosport.com/ and try to log in you will see that those warnings aren't showing) and once we're confident that this isn't causing any problems we will make the whole site default to HTTPS. Next up will be the forums and the other parts of the site.
> The pages where we take card or PayPal details and the Autosport Plus account pages have always been secure.
> As the MozillaZine quotes above mention, this isn't a new problem that's cropped up. Security standards across the internet are improving and we're committed to keeping up!
How about being ahead? I've moved business sites that I am responsible for to https a few years ago.
#12
Posted 24 March 2017 - 16:13
> It's a new Firefox feature. I think the idea behind it is to nudge people towards using more secure passwords rather than PASSWORD, QWERTY or 123456789. If your Autosport password is unique then the risk is minimal.
> However, if you use a separate password manager - I use LastPass - it will override the Firefox settings and only display the crossed-through lock symbol.
It has nothing to do with the password itself, the warning is that the connection is not encrypted and therefore the password can be tapped from the wire in clear text.
#13
Posted 24 March 2017 - 18:21
And having checked with Wireshark locally on my machine, and a quick scan of the IP logs on the routers at work, I can confirm that for the forums our usernames and passwords go through in plaintext.
For me it's not too relevant, my username and password for the forums are unique, but some folk may use the same logons for all of Autosport - and I don't think that it is an unreasonable assumption for folk to make that they can reuse their logons, and that could expose them to some risk. The worst that can happen to me is that someone could, fairly easily, subvert my forum account and start insulting other users, which would just save me a job.
For other folk, as I say, they may assume that all parts of the site have the same security, reuse their password, and that could pose a risk.
Maybe, until security is rolled out ubiquitously, a sticky could be posted to indicate that since the forum is separate from the rest of the site, that a unique password would be the best idea.
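The poster above confirmed with Wireshark that forum logins crossed the wire in plaintext. An operator can make the same check repeatable against a capture of their own site's traffic, which is useful during a staged HTTPS migration like the one described earlier in the thread. The block below is an added example (my own code, not the poster's Wireshark setup) that parses captured request payloads, flags form POSTs that carry a password-named field, and reports only the host, path and field name, never the value. The records in `SAMPLE_RECORDS` are constructed for the example; on port 443 the payload is TLS, so nothing parses and nothing is reported, which is the point.

```javascript
// Added example, not from the thread: find form logins that were sent in the clear
// in a capture of your own site's traffic. Records are constructed here; a real
// run would feed payloads exported from a capture. Only field names are reported.
const SENSITIVE_FIELDS = /^(pass|passwd|password|pwd|login_password)$/i;

// Split a raw HTTP/1.x request into request line, headers and body.
// Returns null for anything that is not readable HTTP (e.g. TLS records).
function parseHttpRequest(payload) {
  const sep = payload.indexOf('\r\n\r\n');
  if (sep === -1) return null;
  const head = payload.slice(0, sep).split('\r\n');
  const [method, target] = head[0].split(' ');
  if (!method || !target) return null;
  const headers = {};
  for (const line of head.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, headers, body: payload.slice(sep + 4) };
}

// One finding per form POST whose body contains a password-like field.
function findClearTextCredentials(records) {
  const findings = [];
  for (const rec of records) {
    const req = parseHttpRequest(rec.payload);
    if (!req || req.method !== 'POST') continue;
    const ctype = req.headers['content-type'] || '';
    if (!ctype.startsWith('application/x-www-form-urlencoded')) continue;
    const fields = [...new URLSearchParams(req.body).keys()].filter(k => SENSITIVE_FIELDS.test(k));
    if (fields.length) {
      findings.push({ dstPort: rec.dstPort, host: req.headers['host'] || '?', path: req.target, fields });
    }
  }
  return findings;
}

// Constructed records: a forum login POST over port 80, a plain GET, and the first
// bytes of a TLS ClientHello on port 443 (the same login over HTTPS would look like this).
const SAMPLE_RECORDS = [
  { dstPort: 80, payload: 'POST /index.php?section=login HTTP/1.1\r\nHost: forums.example.test\r\n' +
      'Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 32\r\n\r\n' +
      'username=alice&password=hunter2' },
  { dstPort: 80, payload: 'GET /forums/ HTTP/1.1\r\nHost: forums.example.test\r\n\r\n' },
  { dstPort: 443, payload: '\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03' },
];

console.log(findClearTextCredentials(SAMPLE_RECORDS));
// → [ { dstPort: 80, host: 'forums.example.test', path: '/index.php?section=login', fields: [ 'password' ] } ]
```

Running this before and after each step of a migration gives a concrete "done" criterion: the finding list for the forum host should be empty once its login page and form target are both on HTTPS.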