Insecure Logon Warning


12 replies to this topic

#1 Lotus53B

Lotus53B
  • Member

  • 4,163 posts
  • Joined: March 10

Posted 20 March 2017 - 07:44

When I logged on this morning I received a warning from Firefox saying that the logon, even though the url is https://, was insecure, and I was directed to https://support.mozi...efox/ta-p/27861

Can this be looked at as a matter of urgency?  Account security is of paramount importance.




#2 Buttoneer

Buttoneer
  • Admin

  • 19,094 posts
  • Joined: May 04

Posted 20 March 2017 - 09:45

I had this over the weekend too on both the main site and forum (Win 10 and up-to-date FF), so didn't log in. This morning on Win 7 and IE11 is all good.

#3 Vitesse2

Vitesse2
  • Administrator

  • 41,776 posts
  • Joined: April 01

Posted 20 March 2017 - 10:11

It's a new Firefox feature. I think the idea behind it is to nudge people towards using more secure passwords. Rather than PASSWORD, QWERTY or 123456789. If your Autosport password is unique then the risk is minimal.

However, if you use a separate password manager - I use LastPass - it will override the Firefox settings and only display the crossed-through lock symbol.



#4 Vitesse2

Vitesse2
  • Administrator

  • 41,776 posts
  • Joined: April 01

Posted 20 March 2017 - 15:22

An explanation from a poster at MozillaZine:

Starting with Ver 52, FFox pops up a warning when attempting to log into sites not accessed via a secure connection (i.e. those using non-secured http protocol instead of secured https protocol). The warning correctly points out that your login name and password are being transmitted in the clear where they can be captured by any server along the way.

This does not mean that the site you are trying to log in to has suddenly become insecure. This situation has always been there, but the folks at Mozilla just decided they'd warn you about it.

To avoid the warning:

  1. If the site supports a secure https connection, use that instead of http. Your transmission will be encrypted and only readable by your destination site.
  2. If you just don't want FFox to warn you of these insecure connections, do this:
    • Enter about:config in the Address/URL bar.
    • Press the button to agree to be careful (if you haven't done this previously).
    • Enter insecure in the Filter bar to limit display to just options containing 'insecure'.
    • Double-click on each of the following two options to toggle them between true and false. Set them to false:
      security.insecure_field_warning.contextual.enabled
      security.insecure_password.ui.enabled
    • Enter autofill in the Search bar.
    • Double-click on signon.autofillForms.http and toggle it to true.
    NOTE: if any of the above options are not found, you can create them manually. Right-click (control-click on Apple) an empty space in the option list. Click New | Boolean. Enter the option name and appropriate true/false value.



#5 Lotus53B

Lotus53B
  • Member

  • 4,163 posts
  • Joined: March 10

Posted 21 March 2017 - 21:12

So, basically, you're not actually using https authentication?



#6 Allan Lupton

Allan Lupton
  • Member

  • 4,051 posts
  • Joined: March 06

Posted 23 March 2017 - 08:31

An explanation from a poster at MozillaZine:

Thanks for posting this V2.

I've done what it suggests and it works and I've therefore taken it on myself to spread it to other fora where people were having the same troubles.



#7 SophieB

SophieB
  • RC Forum Host

  • 24,535 posts
  • Joined: July 12

Posted 23 March 2017 - 08:39

An explanation from a poster at MozillaZine:


This is informative but to echo Lotus53b, does this mean logging into this site is, and always has been not secure?

#8 BRG

BRG
  • Member

  • 25,898 posts
  • Joined: September 99

Posted 23 March 2017 - 09:55

It's alive, it's alive!  It works!

Thanks Vitesse2.  I dropped Chrome in favour of Firefox because of the persistent annoying banner about not updating with Vista so I was a bit fed up when FF started this lark!



#9 YoungGun

YoungGun
  • Member

  • 29,493 posts
  • Joined: January 10

Posted 23 March 2017 - 10:43

This is informative but to echo Lotus53b, does this mean logging into this site is, and always has been not secure?

In FF or Chrome, click on the "i" in the circle to the left of the URL in the address bar to find out. 



#10 Grayson

Grayson
  • Autosport digital product manager

  • 3,497 posts
  • Joined: July 08

Posted 23 March 2017 - 11:20

We're currently working on moving to full HTTPS across the whole of Autosport - I'm hoping that this will be completed within the next few weeks.

This is already working for the main portion of the site (if you visit https://www.autosport.com/ and try to log in you will see that those warnings aren't showing) and once we're confident that this isn't causing any problems we will make the whole site default to HTTPS. Next up will be the forums and the other parts of the site.

The pages where we take card or PayPal details and the Autosport Plus account pages have always been secure.


As the MozillaZine quotes above mention, this isn't a new problem that's cropped up. Security standards across the internet are improving and we're committed to keeping up!
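
A way to answer the question Lotus53B and SophieB ask without relying on the address-bar icon. The Python below is an added example, not code from this thread or from Autosport; the page URLs, HTML and field names in it are constructed. It parses a page's forms, keeps those containing a password field, and applies the same rule Firefox 52 uses for its insecure-login hint: the login is only secure when both the page that served the form and the resolved form action are https. A form delivered over http is flagged even if its action is https, because an http page can be rewritten in transit before the browser ever sees the form.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record every <form> on a page and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return [(resolved_action, verdict)] for each form with a password field.

    verdict is "secure" only when the page that served the form AND the
    resolved form target are both https, the condition under which Firefox 52
    withholds its insecure-login hint. Otherwise it is "insecure-page" (form
    delivered over http) or "insecure-action" (https page posting the
    credentials to an http URL).
    """
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # urljoin resolves "", "auth", "/login" and "//host/login" alike;
        # an empty action submits back to the page URL itself.
        action = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action).scheme.lower()
        if page_scheme != "https":
            verdict = "insecure-page"      # an https action does not rescue an http page
        elif action_scheme != "https":
            verdict = "insecure-action"
        else:
            verdict = "secure"
        results.append((action, verdict))
    return results


# Constructed sample pages (hosts, paths and field names are invented).
FORUM_PAGE_OVER_HTTP = """
<html><body>
<form action="" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
</form>
<form action="/search" method="get"><input name="q" type="text"></form>
</body></html>
"""

HTTPS_PAGE_HTTP_ACTION = """
<form action="http://login.example.com/auth" method="post">
  <input name="email" type="text"><input name="password" type="password">
</form>
"""

HTTPS_PAGE_RELATIVE_ACTION = """
<form action="auth" method="post">
  <input name="email" type="text"><input name="password" type="PASSWORD">
</form>
"""

if __name__ == "__main__":
    for url, html in (
        ("http://forums.example.com/index.php?app=core", FORUM_PAGE_OVER_HTTP),
        ("https://www.example.com/account/login", HTTPS_PAGE_HTTP_ACTION),
        ("https://www.example.com/account/login", HTTPS_PAGE_RELATIVE_ACTION),
    ):
        print(url, audit_login_forms(url, html))
```

The second sample is the case the padlock icon alone does not reveal: the page is https, so the icon looks fine, yet the credentials are posted to an http URL. Checking the resolved action, not just the page scheme, is what catches it.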



#11 HP

HP
  • Member

  • 19,631 posts
  • Joined: October 99

Posted 23 March 2017 - 23:40

We're currently working on moving to full HTTPS across the whole of Autosport - I'm hoping that this will be completed within the next few weeks.

This is already working for the main portion of the site (if you visit https://www.autosport.com/ and try to log in you will see that those warnings aren't showing) and once we're confident that this isn't causing any problems we will make the whole site default to HTTPS. Next up will be the forums and the other parts of the site.

The pages where we take card or PayPal details and the Autosport Plus account pages have always been secure.

As the MozillaZine quotes above mention, this isn't a new problem that's cropped up. Security standards across the internet are improving and we're committed to keeping up!

How about being ahead? I've moved business sites that I am responsible for to https a few years ago.



#12 Gretsch

Gretsch
  • Member

  • 1,397 posts
  • Joined: August 16

Posted 24 March 2017 - 16:13

It's a new Firefox feature. I think the idea behind it is to nudge people towards using more secure passwords. Rather than PASSWORD, QWERTY or 123456789. If your Autosport password is unique then the risk is minimal.

However, if you use a separate password manager - I use LastPass - it will override the Firefox settings and only display the crossed-through lock symbol.

It has nothing to do with the password itself, the warning is that the connection is not encrypted and therefore the password can be tapped from the wire in clear text.



#13 Lotus53B

Lotus53B
  • Member

  • 4,163 posts
  • Joined: March 10

Posted 24 March 2017 - 18:21

And having checked with Wireshark locally on my machine, and a quick scan of the IP logs on the routers at work, I can confirm that for the forums our usernames and passwords go through in plaintext.

For me it's not too relevant, my username and password for the forums are unique, but some folk may use the same logons for all of Autosport - and I don't think that it is an unreasonable assumption for folk to make that they can reuse their logons, and that could expose them to some risk.  The worst that can happen to me is that someone could, fairly easily, subvert my forum account and start insulting other users, which would just save me a job.

For other folk, as I say, they may assume that all parts of the site have the same security, reuse their password, and that could pose a risk.

Maybe, until security is rolled out ubiquitously, a sticky could be posted to indicate that since the forum is separate from the rest of the site, that a unique password would be the best idea.
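
What Lotus53B's Wireshark check actually sees, as an added example that is not part of the original post: Python that takes the client side of a plain-HTTP TCP stream (the text Wireshark shows under Follow TCP Stream after filtering on `http.request.method == "POST"`), splits it into individual requests, and pulls out the form fields and session cookie a login sends in the clear. The stream, host, path, cookie value and field names below are constructed for illustration, not captured from any real site.

```python
from urllib.parse import parse_qs

# Constructed sample of a client-to-server TCP stream with no TLS: a page
# fetch followed by the login POST. Host, path, cookie and field names are
# invented for this example.
SAMPLE_STREAM = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: forums.example.com\r\n"
    b"\r\n"
    b"POST /index.php?app=core&module=global&section=login HTTP/1.1\r\n"
    b"Host: forums.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 61\r\n"
    b"Cookie: session_id=0123456789abcdef\r\n"
    b"\r\n"
    b"username=lotus53b&password=correct+horse+battery&rememberMe=1"
)

# Substrings that usually mark a credential field in a login form.
CREDENTIAL_MARKERS = ("pass", "pwd", "user", "login", "email", "token")


def iter_http_requests(stream):
    """Split a raw client stream into single requests using Content-Length.

    A request without a body (GET) has no Content-Length and ends at the blank
    line; bytes beyond the declared body length belong to the next request.
    """
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:                      # truncated trailing data: stop
            break
        length = 0
        for line in head.split(b"\r\n")[1:]:
            if line.lower().startswith(b"content-length:"):
                length = int(line.split(b":", 1)[1].strip())
        yield head + sep + rest[:length]
        stream = rest[length:]


def parse_http_request(raw):
    """Return (method, target, headers, body) for one raw request."""
    request_line, _, rest = raw.partition(b"\r\n")
    head, _, body = rest.partition(b"\r\n\r\n")
    method, target, _version = request_line.decode("latin-1").split(" ", 2)
    headers = {}
    for line in head.split(b"\r\n"):
        name, colon, value = line.decode("latin-1").partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def credentials_in_request(raw):
    """Credential-looking form fields (and the session cookie) from one POST."""
    method, target, headers, body = parse_http_request(raw)
    if method != "POST":
        return {}
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    found = {"target": target}
    for name, values in fields.items():
        if any(marker in name.lower() for marker in CREDENTIAL_MARKERS):
            found[name] = values[0]
    # The session cookie rides in the clear too; replaying it skips the login entirely.
    if "cookie" in headers:
        found["cookie"] = headers["cookie"]
    return found


def credentials_in_stream(stream):
    """Every POST in the stream that exposed something credential-like."""
    hits = []
    for raw in iter_http_requests(stream):
        found = credentials_in_request(raw)
        if len(found) > 1:               # more than just the target
            hits.append(found)
    return hits


if __name__ == "__main__":
    for hit in credentials_in_stream(SAMPLE_STREAM):
        print(hit)
```

Over https the same capture yields only TLS records, so neither the parser nor anyone on the path between browser and server can read the body or the Cookie header; that is the whole difference the migration Grayson describes makes. Note that the cookie is as valuable as the password: whoever holds it is logged in without needing either.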