No More Passwords over HTTP, Please!


Update: This feature is now also enabled in Firefox Release, starting with Firefox 51.  See this post for more details.

Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP.

Username and password pairs control access to users’ personal data. Websites should handle this information with care and only request passwords over secure (authenticated and encrypted) connections, like HTTPS. Unfortunately, we too frequently see non-secure connections, like HTTP, used to handle user passwords. To inform developers about this privacy and security vulnerability, Firefox Developer Edition warns developers of the issue by changing the security iconography of non-secure pages to a lock with a red strikethrough.

Firefox Developer Edition 46+ shows a lock with a red strikethrough on non-secure pages that have a password field, while Firefox Release does not include that additional iconography.

How does Firefox determine if a password field is secure or not?

Firefox determines if a password field is secure by examining the page it is embedded in. The embedding page is checked against the algorithm in the W3C’s Secure Contexts Specification to see if it is secure or non-secure. Anything on a non-secure page can be manipulated by a Man-In-The-Middle (MITM) attacker. The MITM can use a number of mechanisms to extract the password entered onto the non-secure page. Here are some examples:

      • Change the form action so the password submits to an attacker-controlled server instead of the intended destination, then seamlessly redirect to the intended destination while sending along the stolen password.
      • Use JavaScript to grab the contents of the password field before submission and send it to the attacker’s server.
      • Use JavaScript to log the user’s keystrokes and send them to the attacker’s server.

Note that all of the attacks mentioned above can occur without the user realizing that their account has been compromised.

Firefox has been alerting developers of this issue via the Developer Tools Web Console since Firefox 26.

Why isn’t submitting over HTTPS enough? Why does the page have to be HTTPS?

We get this question a lot, so I thought I would call it out specifically. Although transmitting over HTTPS instead of HTTP does prevent a network eavesdropper from seeing a user’s password, it does not prevent an active MITM attacker from extracting the password from the non-secure HTTP page. As described above, active attackers can MITM an HTTP connection between the server and the user’s computer to change the contents of the webpage. The attacker can take the HTML content that the site attempted to deliver to the user and add JavaScript to the HTML page that will steal the user’s username and password. The attacker then sends the modified HTML to the user. When the user enters their username and password, it gets sent to both the attacker and the site.
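The check described above and in the answer to this question, as an added example that is not Firefox’s code or part of the original post: a simplified JavaScript model of the Secure Contexts rule applied to the login document, every ancestor frame and the form action. The loopback exemption (localhost, 127.0.0.1, ::1) follows the specification and is an assumption about Firefox’s exact behaviour, which the comments below suggest differed for 127.0.0.1 in some builds.

```javascript
// Added example, not Firefox's code: a simplified model of the W3C Secure
// Contexts check. A password field counts as secure only when the login
// document, every ancestor frame and the form's action URL are all secure.

const SECURE_SCHEMES = new Set(["https:", "wss:", "file:"]);

// Loopback hosts are potentially trustworthy under the spec (assumption:
// we follow the spec; Firefox builds of the time may have differed).
function isLoopbackHost(hostname) {
  if (hostname === "localhost" || hostname.endsWith(".localhost")) return true;
  if (hostname === "[::1]") return true; // WHATWG URL keeps the brackets
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// True for https/wss/file URLs, or http/ws URLs on a loopback host.
// Unparsable input is treated as non-secure.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString); // global WHATWG URL (browsers, Node >= 10)
  } catch (e) {
    return false;
  }
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  if (url.protocol === "http:" || url.protocol === "ws:") {
    return isLoopbackHost(url.hostname);
  }
  return false;
}

// documentUrl: URL of the document holding the <form>; ancestorUrls: enclosing
// frames, outermost first ([] for a top-level page); formAction: the action
// attribute, absolute or relative (empty means "submit to the document URL").
// Returns { secure, reasons } so a developer can see every weak link.
function checkPasswordField({ documentUrl, ancestorUrls = [], formAction }) {
  const reasons = [];
  if (!isPotentiallyTrustworthy(documentUrl)) {
    reasons.push(`login document is non-secure: ${documentUrl}`);
  }
  ancestorUrls.forEach((u, i) => {
    if (!isPotentiallyTrustworthy(u)) {
      reasons.push(`ancestor frame ${i} is non-secure: ${u}`);
    }
  });
  let action = documentUrl;
  if (formAction) {
    try {
      action = new URL(formAction, documentUrl).href;
    } catch (e) {
      reasons.push(`form action cannot be resolved: ${formAction}`);
      action = null;
    }
  }
  if (action !== null && !isPotentiallyTrustworthy(action)) {
    reasons.push(`form action is non-secure: ${action}`);
  }
  return { secure: reasons.length === 0, reasons };
}

// Constructed sample cases mirroring the situations discussed on this page.
const SAMPLE_CASES = {
  // "Why isn't submitting over HTTPS enough?": HTTP page, HTTPS action.
  httpPageHttpsAction: {
    documentUrl: "http://news.example/login",
    formAction: "https://news.example/session",
  },
  // HTTPS login iframe inside an HTTP top-level page.
  httpsFrameInHttpParent: {
    documentUrl: "https://auth.example/form",
    ancestorUrls: ["http://www.example/"],
    formAction: "https://auth.example/session",
  },
  // Everything HTTPS; relative action resolved against the document.
  allHttps: { documentUrl: "https://shop.example/account", formAction: "/login" },
  // HTTPS page whose form posts to an http: action.
  httpsPageHttpAction: {
    documentUrl: "https://shop.example/account",
    formAction: "http://shop.example/login",
  },
  // Local development server: exempt as loopback.
  localhostDev: { documentUrl: "http://localhost:8000/login", formAction: "/login" },
  // Home router on a private address: not loopback, so it is warned about.
  lanRouter: { documentUrl: "http://192.168.0.1/login.html", formAction: "/login" },
};

function evaluateSamples() {
  const results = {};
  for (const [name, input] of Object.entries(SAMPLE_CASES)) {
    results[name] = checkPasswordField(input);
  }
  return results;
}

for (const [name, r] of Object.entries(evaluateSamples())) {
  console.log(`${name}: ${r.secure ? "secure" : "NON-SECURE"}`, r.reasons);
}
```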

What if the credentials for my site really aren’t that sensitive?

Sometimes sites require usernames and passwords, but don’t actually store data that is very sensitive. For example, a news site may save which news articles a user wants to go back and read, but not save any other data about a user. Most users don’t consider this highly sensitive information, so web developers of the news site may be less motivated to secure their site and their user credentials. Unfortunately, password reuse is a big problem. Users use the same password across multiple sites (news sites, social networks, email providers, banks). Hence, even if access to the username and password for your site doesn’t seem like a huge risk to you, it is a great risk to users who have used the same username and password to log in to their bank accounts. Attackers are getting smarter; they steal username/password pairs from one site, and then try reusing them on more lucrative sites.

How can I remove this warning from my site?

Put your login forms on HTTPS pages.

Of course, the most straightforward way to do this is to move your whole website to HTTPS. If you aren’t able to do this today, create a separate HTTPS page that is used only for logins. Whenever a user wants to log in to your site, they will visit the HTTPS login page. If your login form already submits to an HTTPS endpoint, parts of your domain may already be set up to use HTTPS.

In order to host content over HTTPS, you need a TLS Certificate from a Certificate Authority. Let’s Encrypt is a Certificate Authority that can issue you free certificates. You can reference these pages for some guidance on configuring your servers.

What can I do if I don’t control the webpage?

We know that users of Firefox Developer Edition don’t only use Developer Edition to work on their own websites. They also use it to browse the net. Developers who see this warning on a page they don’t control can still take a couple of actions. You can try adding “https://” to the beginning of the URL in the address bar and see if you are able to log in over a secure connection to help protect your data. You can also try to reach out to the website administrator and alert them to the privacy and security vulnerability on their site.

Do you have examples of real life attacks that occurred because of stolen passwords?

There are ample examples of password reuse leading to large-scale compromise. There are fewer well-known examples of passwords being stolen by performing MITM attacks on login forms, but the basic techniques of JavaScript injection have been used at scale by Internet Service Providers and governments.

Why does my browser sometimes show this warning when I don’t see a password field on the page?

Sometimes password fields are in a hidden <div> on a page that does not show up without user interaction. We have a bug open to detect when a password field is visible on the page.

Will this feature become available to Firefox Beta and Release Users?

Right now, the focus for this feature is on developers, since they’re the ones that ultimately need to fix the sites that are exposing users’ passwords. In general, though, since we are working on deprecating non-secure HTTP in the long run, you should expect to see more and more explicit indications of when things are not secure. For example, in all current versions of Firefox, the Developer Tools Network Monitor shows the lock with a red strikethrough for all non-secure HTTP connections.

How do I enable this warning in other versions of Firefox?

Users of Firefox version 44+ (on any branch) can enable or disable this feature by following these steps:

      1. Open a new window or tab in Firefox.
      2. Type about:config and press Enter.
      3. You will get to a page that asks you to promise to be careful. Promise you will be.
      4. The value of the security.insecure_password.ui.enabled preference determines whether or not Firefox warns you about non-secure login pages. You can enable the feature and be warned about non-secure login pages by setting this value to true. You can disable the feature by setting the value to false.

Thank you!

A special thanks to Paolo Amadini and Aislinn Grigas for their implementation and user experience work on this feature!

Categories: Browser Security

152 responses

  1. Simon wrote on :

    The one problem I have with HTTPS-everywhere is that it’s a pain in the neck to set up for internal systems like development environments. Servers certainly use SSL in production, but it’s too much hassle to ensure that it’s used for every short-lived system that I work on – servers that may only exist for hours…

    Reply

    1. Tim Bray wrote on :

      We used to think that.

      Now we use letsencrypt certificates on all our demo and development systems.

      Reply

      1. Thomas Grainger wrote on :

        If you automate it once, it won’t be a pain

        Reply

      2. Pino wrote on :

        A Let’s Encrypt certificate requires a fully qualified domain name, and a lot of internal systems lack that. Instead, servers are accessed through a nonroutable IP address (such as one within 192.168/16) or an address in a made-up TLD (such as .local). Or do you expect each home ISP subscriber to buy a domain for his or her home network and keep it renewed?

        Reply

  2. Bjarni R. Einarsson wrote on :

    Hello! This is a fantastic step forward.

    However, can we have an exception for localhost? Using the browser as a front-end for a local web server is an interesting way to develop very compelling apps (disclosure: I work on Mailpile, which is such an app), and it’s not a scenario where HTTPS makes sense (or is even available – you can’t get a cert for localhost).

    Sorry if this appears both here and on hacks, I posted the comment there but it disappeared without any feedback from the site to indicate it was accepted or queued for moderation, or what.

    Please also excuse me if localhost is already exempt – I am assuming it is not because the console does print warnings and the post implies the code path is shared/related.

    Thanks!

    Reply

    1. Tanvi Vyas wrote on :

      You shouldn’t see this warning for localhost. The code specifically checks for localhost and doesn’t warn in that case.

      Reply

      1. Duane wrote on :

        I appreciate the need for security and these warnings, but as is the case with the localhost domain name, should the warning not also be disabled for local non-routable test IP ranges? At least it would be nice to have the option to disable the warning on local subnets.

        Reply

        1. Pino wrote on :

          Local subnets such as the coffee shop Wi-Fi that’s intercepting your traffic?

          Reply

      2. Gustaf Mossakowski wrote on :

        I am using the same development setup as Bjarni and I clearly can see this warning when accessing my computer via 127.0.0.1 or ::1. Might not be the case via http://localhost, but of course I do not want to work on only one website but several sites in parallel. So I set up e. g. example.com.local to point to localhost. Firefox is presenting me with the warning that the connection is insecure. Annoying.

        Reply

      3. Cliff wrote on :

        So why does http://dlinkrouter.local/login_pic.asp come up as insecure on Firefox 52.0.1?

        Reply

    2. Sandra Villarreal wrote on :

      I see Internet censorship is out of control. I’m not a cry baby, whining Democrat liberal that needs someone to tell me which information I may or may not want access to. So sick of this I’m cancelling internet service all together. It’s not worth the headache that you and the CIA run GOOGLE have created. Forget it. I’m all done.

      Sincerely,

      Reply

  3. Bart wrote on :

    This is really nice for us developers.

    I can’t wait until this feature is also enabled by default in the normal release. This makes it much easier to explain the necessity of SSL to other non-technical persons.

    Reply

    1. Thomas Grainger wrote on :

      TLS

      Reply

  4. Jim wrote on :

    Did Mozilla remove or rename this feature? I just re-imaged my computer and installed Firefox and I do not see security.insecure_password.ui.

    Reply

    1. Tanvi Vyas wrote on :

      security.insecure_password.ui.enabled still appears for me in about:config. What version of Firefox are you using?

      Reply

  5. Dee wrote on :

    How the hell could this be switched off for certain pages? I have to use http://username:password@page for intranet pages and I want to decide by myself what is secure, not to be forced by communists with stupid restrictions.

    Reply

    1. bugzilla wrote on :

      Exactly! Stupid group think.

      You should concentrate on providing a cleaner, better and faster product instead of cluttering the screen with this nonsense. What you guys have to realise is not everybody needs or wants to work in your narrow world view.

      Reply

      1. Musicalymia wrote on :

        I’m with you. This is trash. How about terrible web developers learn their craft better and adjust to their sensitive content as needed. This hand holding crap is ridiculous. Basically, because idiot developers can’t and won’t adhere to modern standards and give a dang about their customers products, now we get to have a big ole warning to scare off customers. Sweet. Thanks firefox.

        Reply

    2. bugzilla wrote on :

      It gets worse! Now Firefox 52.0a2 (2017-01-13) is saying (some) https servers are not secure – but only sometimes! – You couldn’t make this stuff up.

      Reply

      1. Pino wrote on :

        A document delivered through HTTPS is insecure if it transcludes “mixed content”, that is, script, style, fonts, images, or iframed documents from a URL with an insecure scheme. A form delivered through HTTPS is insecure if the form has an “action” URL with an insecure scheme.

        Reply

    3. Pino wrote on :

      1. Ensure that page is a fully qualified domain name, not an IP address, a bare hostname, or a hostname in a made-up TLD. If not, buy a domain and make it so.
      2. Obtain a certificate for this hostname from Let’s Encrypt using the Dehydrated client.
      3. Set up HTTPS on page.

      Reply

    4. James wrote on :

      “Forced by communists”! Ha ha ha. You nutter.

      Reply

  6. 2fe2fff wrote on :

    Just fixed using this font password https://github.com/Mottie/input-password-bullet

    I will be not buy extra server to Mozilla felt better, ssl are only used on my website when login oraz register send by ajax.

    ps web developer tools is not a Firebug is not even chrome dev tools where is switched

    Reply

    1. Pino wrote on :

      How can you be sure that third parties aren’t intercepting “login oraz register send by ajax” requests?

      Reply

  7. peterpux wrote on :

    Warning now shows up every time I try to connect to my router, my repeater, my home management system, etc. though I am not going via the internet. Anything I can do to avoid that???

    Reply

    1. Pino wrote on :

      The web browser can’t tell the difference between your LAN and a malicious hotspot in a coffee shop.

      Buy a domain for your LAN, obtain certificates for each device on your LAN from Let’s Encrypt through the Dehydrated client,* install these certificates onto each device on your LAN, and configure each device on your LAN to accept HTTPS connections.

      * You have to use Dehydrated instead of Certbot because Certbot supports only the HTTP challenge, which in turn supports only publicly visible servers. Dehydrated also supports the DNS challenge, which works with hostnames in the public DNS tree even if the hostnames refer to servers on a private network.

      Reply

      1. No wrote on :

        Do you really think that doing this:

        “Buy a domain for your LAN, obtain certificates for each device on your LAN from Let’s Encrypt through the Dehydrated client,* install these certificates onto each device on your LAN, and configure each device on your LAN to accept HTTPS connections.”

        is the best solution to avoid a warning message for the login page of the router’s firmware?

        It’s a ridiculous recommendation to rely on a third party service and “open” your LAN just to have https between your browser and your router…

        Reply

  8. manuel wrote on :

    In Spanish please…… and several languages

    Reply

  9. Molemo Molai wrote on :

    I cannot connect to this site even though it is https. I’m launching it from http://standardbank.co.za and I get this error message “Secure connection failed”. I do not even have the “Advanced” button to bypass the error message.

    Reply

    1. Liam wrote on :

      “Advanced” is used to override a warning, not push through on something that has failed. It can’t; the connection has simply failed. Sounds like your network connection isn’t allowing TCP/443, SB is not responding to TCP/443, or is experiencing a protocol error.

      Reply

  10. Neal T wrote on :

    Great, when I do the crossword it thinks I am filling in a password and keeps giving me a warning

    http://www.universaluclick.com/puzzles/crosswords

    Reply

    1. Mary T. wrote on :

      Same thing at http://puzzles.usatoday.com. Be a pity if I have to turn off this feature just to do a crossword puzzle.

      Reply

  11. Maave wrote on :

    Thanks for leaving the about:config pref. I have to deal with HTTP and self-signed certs daily so it’s convenient to disable that on my work profile.

    Reply

  12. bluebolt wrote on :

    Is there a way to disable this warning in Firefox 52.0 ESR?

    Reply

  13. Miki wrote on :

    I would like to remove the SHITTY reminder that my connection is insecure.

    Reply

    1. MattN wrote on :

      Go to about:config and set `security.insecure_password.ui.enabled` to false.

      Reply

      1. Tony wrote on :

        I’ve set security.insecure_password.ui.enabled false but I still get the nags.
        In addition to localhost, I’d like IP numbers that resolve to the same computer also to suppress the nag.

        Reply

  14. Andrew Joseph wrote on :

    Is there a way to remove this for HTTP intranet sites?

    Reply

    1. MattN wrote on :

      No, because it’s still insecure. Anyone on the network could get your submitted login info or man-in-the-middle you. Intranet sites using fully-qualified domain names can get free certificates from Let’s Encrypt.

      Reply

  15. Lee Thompson wrote on :

    Overall this is a good idea, however, for developers, testing and intranet use it’s annoying.

    However, a suggestion (and these can go into the about:config options, don’t need to be in the main UI) that could be a good solution without undermining the effort.

    security.insecure_password.exception_ranges = (IP address or range notation)

    Examples:

    security.insecure_password.exception_ranges=192.168.0.0/24
    security.insecure_password.exception_ranges=192.168.0.0/24,192.168.5.1-192.168.0.5.3
    security.insecure_password.exception_ranges=127.0.0.1

    Reply

    1. MattN wrote on :

      Hi Lee,

      In case you didn’t notice you can disable the warning altogether with `security.insecure_password.ui.enabled`. If developers want it on for non-development work I would recommend a separate Firefox profile for the development work which has the preference off.

      Reply

  16. Michael wrote on :

    On a daily basis I log in to about 30-35 websites…..without any problem, since the passwords have been saved by FF. But the fun is over, it seems!

    Now I find this annoying and insulting message telling me the connection is not safe (come on peeps, I finished 3rd grade long time ago)

    Why is it so hard for developers to understand that most people don’t give a blast about insecure connections. Please FF, stay cool, stay clean…don’t do what all the nerds do: just work FOR me, not AGAINST me!

    Oh and while you are working hard on removing this annoying feature during the next update, kindly also cancel that bar that keeps on asking me if I want to SYNC with my smartphone…… talking about security 🙂

    Reply

    1. Johann wrote on :

      You can remove it yourself by setting this pref to false: security.insecure_password.ui.enabled

      Setting signon.autofillForms.http to true will get you autofill on insecure websites back.

      This is not recommended. At the risk of sounding insulting again, you underestimate the threat here and might want to read up on password sniffing. Please make sure that you do not re-use passwords when ignoring this warning.

      Reply

  17. Bob wrote on :

    Need to be able to have a list of sites where this is turned off, similar to the pop-up blocker exception list. I have sites behind our company firewall, accessible only by users who are logged in to the internal network. To then be blocked, or to have to provide certificates for every internal, non-public facing server is ridiculous at best.

    Reply

    1. MattN wrote on :

      Hi Bob,

      This feature doesn’t block any access to the site, it’s only providing a warning. You’re assuming nothing/nobody on the internal network is malicious which is a bold assumption to make. Perhaps a wild-card certificate would make it easier for you to deploy HTTPS within your intranet if you have many subdomains.

      Reply

    2. es1999 wrote on :

      I agree there should be exception option to this warning. I log into intranet sites continually. The warning box blocks the buttons below it so I have a couple more key entries. Adds a couple seconds to log in which adds a lot of time when you log in all day.

      Reply

  18. JackAttack wrote on :

    How can I remove this warning from my site?

    Put your login forms on HTTPS pages.

    Really ?!?!?! We need tutorial !!! !!! !!!

    Tutorial search : zero result :
    https://openclassrooms.com/courses?q=tsl

    So my website will be insecure forever ??? unless I pay $$$ for a specialist ? Bravo Open Source…

    ^^angry

    Reply

    1. MattN wrote on :

      Hello JackAttack,

      Certificates are free from Let’s Encrypt (co-founded by Mozilla and EFF). There are good instructions at https://certbot.eff.org/

      Reply

  19. Brett wrote on :

    Submitting passwords over a non-encrypted connection is a minor security issue, kind of like entering your PIN at an ATM without covering the keypad, so I guess this is an ‘ok’ update (though there are many more important things that could be focused on) .. however I don’t see any option to turn off the in-window pop-ups. These are very lame and lead to an extremely poor user experience. They should show once per domain, with an option to not show again.

    Just a thought here, but if you spend more time making a good browser and less trying to be everyone’s babysitter (or even worse their ‘big daddy’) you might get the kind of market share you once enjoyed back.

    Reply

    1. Johann wrote on :

      You’re severely underestimating the threat of compromised credentials to the average user. Without HTTPS it is very easy for anyone who can read online tutorials to steal your login data, but rather hard for any kind of user to verify that there is no man-in-the-middle on a network.

      Contact the website owner to upgrade to HTTPS. They can easily use Let’s Encrypt for free.

      You can also globally turn off the warning by setting this pref to false: security.insecure_password.ui.enabled

      Or just ignore it, you know.

      Reply

      1. Brett wrote on :

        Every time you hand your credit card to a waitress you risk the waitress writing down your card info and buying things online with it. But someone does not pop out of thin air each time and issue me a warning. Even if it was possible it would be idiotic and annoying. Tell people something once and let them choose the level of risk they are comfortable with. Don’t be a jerk about it.

        Reply

        1. MattN wrote on :

          Most countries that use credit cards got rid of giving credit cards to random employees years ago due to all the fraud. The consumer inserts their own card into the CHIP terminal and in most countries enters a PIN to prove that the cardholder approves. Sometimes technologies/workflows change to improve security… in the case of this warning it’s getting HTTPS setup on servers which is now free and easy.

          Reply

          1. Brett wrote on :

            Most product creators respect their users enough to allow them to disable ‘features’ that they don’t want. Guess what happens to those that do not? I’ll tell you, but you should know it very well (because it’s been happening to FireFox) for years… people stop using their product.

            After reading your responses to people I can see one major theme here: you’re so obtuse and full of hubris that you seem to think users should adjust to your opinion instead of having the freedom to have their own, so there is no point in arguing with someone who lacks the capacity to accept that they might have made an error.

            Fortunately I can take solace in knowing that your ever-decreasing user base is making FireFox less and less relevant every day.

  20. Fiona Jenkins wrote on :

    This is awful–I get a warning when I try to log in to my foreign e-mail account. Why in heaven’s name can’t I disable this feature. If I can’t, I’ll never use Firefox again!

    Reply

    1. MattN wrote on :

      Have you tried contacting the email provider to switch to a secure connection? It’s free and not very complicated nowadays.

      Reply

      1. Robert Tulloch wrote on :

        Won’t back down will you

        Reply

  21. Robert Tulloch wrote on :

    Hi:

    My login process uses a normal http response containing an iframe
    which calls the login form from an https cgi script.

    Log in form dynamically created by the CGI script.

    Why is this process popping up the insecure warning?

    If you look at the source in the iframe you will see the mechanism to encrypt
    the username password in addition to the https connection.

    Would like some feedback ASAP. Working on site currently when the insecure warning popped up

    Reply

    1. MattN wrote on :

      If I understand correctly, you’re talking about an HTTPS iframe embedded in an HTTP page? That’s still insecure as an attacker can just replace the top-level page. Make sure the login form document, all ancestor frames and the form action are all using HTTPS.

      Reply

      1. Robert Tulloch wrote on :

        I think it is secure. Except of course with keystroke capture. Nothing is secure with that.

        I send the login form (iframe form) with encryption information that is used to create an encrypted logon string. The server which sent the encryption information to the client uses the same information to produce an encrypted string based on a user’s known username/password then compares that to what was received from the client. If equal, the client is logged on. Where is this insecure?

        Reply

      2. Robert Tulloch wrote on :

        I am so sick of that stupid little security message popping up over my login stuff. This is a hideous BS change.

        What problem are you solving and what is the real historical basis (stats) for this inconvenience? It is a real turn off.

        Reply

      3. Ben wrote on :

        Hi, we’re facing the same issue, our main website is delivered via http, the login form is inside an iframe (that means, the form html elements and the action), which is fully https enabled. Unfortunately firefox marks our login field now with this insecure warning.
        Matt, you wrote: “That’s still insecure as an attacker can just replace the top-level page”
        Of course, but how can that new top level page get the information from the secured iframe (from a different domain)? Remember, even the form elements are inside the secure iframe.

        Please Mozilla, think about it.
        Ben

        Reply

  22. Adam wrote on :

    Password reuse is a user problem, not a developer one. Mozilla is basically forcing every non-SSL site with a form input to use their certificate authority so that their browser doesn’t act like a dufus to the general public.

    Why not go all out and issue warnings like:

    “The entered password is vulnerable to brute force attacks, and does not meet Mozilla strength requirements. Tell the website owner to switch to using 16-character passwords.”

    “For security, Firefox has logged you out of all websites due to being idle for 5 minutes. Tell the website owner to use idle checks to keep you logged in.”

    “This site contains JavaScript which can be abused to do malicious things. Tell the website owner to submit their script files through Mozilla for review and an approved signature.”

    “This site is insecure: it’s an online store, and the seller may take your money without sending you a product. Tell the website owner to register with a Mozilla-approved Business Bureau.”

    “This site is insecure: someone may look over your shoulder while you type your password and display sensitive information. Install a Mozilla-approved blank-key keyboard and privacy screen.”

    “This site is insecure: it allows you to post content, which may be monitored by your ISP, and may be stored on a server to be used in malicious ways by the site owner. Tell the owner to remove all form inputs.”

    “This site may contain false information. Tell the website owner to link to appropriate peer-reviewed data.”

    “Firefox has detected AdBlock, which has been disabled to promote ad-supported websites.”

    “Firefox has limited the media audio volume to 50% and playback time to 5 minutes, to help prevent long-term hearing damage.”

    “Warning: Firefox could not verify that you are not using this website while driving.”

    Clearly Mozilla is gravely underestimating the severity and widespread nature of the above issues. Firefox needs several more scary warnings and “Get me out of here!” buttons.

    Reply

    1. Gary Herbstman wrote on :

      LOL!

      Reply

    2. Pino wrote on :

      Of these suggestions, I can see Mozilla implementing only one: “Tell the website owner to switch to using 16-character passwords.” Redbox’s password form specifies maxlength=12, which is way too short for a “correct horse battery staple”-style Diceware password.

      “This site contains JavaScript which can be abused to do malicious things. Tell the website owner to submit their script files through Mozilla for review and an approved signature.”

      Are you referring to extension signing? Chrome Web Store is even more restrictive than AMO’s automated signing in this respect, imposing censorship of certain functionality even if an extension is unlisted. Or are you referring to something like LibreJS, which blocks execution of scripts that do not declare a machine-readable free software license?

      “This site is insecure: it’s an online store, and the seller may take your money without sending you a product. Tell the website owner to register with a Mozilla-approved Business Bureau.”

      Comodo has done exactly that. Its IceDragon browser, based on Firefox, warns the user when a site uses a domain-validated certificate instead of an organization-validated one.

      “Firefox has detected AdBlock, which has been disabled to promote ad-supported websites.”

      Won’t happen any time soon. In my experience, Firefox Tracking Protection blocks most ad networks because they track users from one site to another, and ad networks are too lazy to replace ads blocked by Tracking Protection with alternate ads that do not track the user.

      Reply

    3. Grant wrote on :

      Absolutely correct… Also, have you noticed that Mozilla itself uses third party javascript that they blindly foist on us (from lithium.com, google-analytics.com and netdna-ssl.com). If you weren’t running an addon like noscript it would just automatically execute without your knowledge or active consent. Why don’t they fix something like that rather than cause us all grief over an issue that should be left to us (developers)? If my sites needed to be that secure I would already have done so. Now my clients get the notice that their website is not secure and they don’t really understand the issue. It just scares them for no reason.

      Reply

  23. Andreas Hofer wrote on :

    Sometimes I feel the people driving the technology are lacking imagination for other scenarios. They only see big webservers running shopping carts and the like. But the technology opens many more exciting possibilities.

    We are building small embedded industrial devices with a tiny embedded web server for the user interface. These devices will always only be used in an intranet. We need some limited capability to restrict access to the settings, but a simple username/password is absolutely sufficient. No fear of a man in the middle. Just prevent the simplest users in their daily work from accidentally changing problematic parameters. Adding SSL and handling certificates would be a burden for this device. Being able to offload the user interface to a tablet, mobile or a notebook running JavaScript is a great way to get a good user experience. In our use case, it is annoying to see a security warning.

    Reply

  24. Jorge Banha wrote on :

    I used Firefox for internal enterprise web applications. Now all of them are insecure (???) and that stupid warning is always there. It's annoying.

    More, because of the ending of Java support, everything I do in my job has to be done using IE… It's a pity. I loved Firefox and hate IE, but I have to return to IE…..

    Reply

  25. bluebolt wrote on :

    To rid yourself of the warning nag, use about:config to set this line to “false”:

    security.insecure_field_warning.contextual.enabled

    Reply

  26. DavidGB wrote on :

    This is infuriating. A site I use, visiting several times daily, with an HTTP login page. Before: bookmarked login page opens with (saved) username and password fields populated, I just click once on the OK button. Now: login page opens with unpopulated username and password fields, I have to click once in either the password or username field to get the insecure login warning, click again where my username is listed at the bottom of the warning to populate the username and login fields, then click a third time on the OK button, EVERY TIME.

    I get it. It’s an insecure login. I know that. I knew that. I don’t use that password for anything else, and this is not a logon where someone stealing it could defraud me of money or anything. I GET IT. But there’s nothing I can do about it. This would be irritating enough to get this every time anyway, but I’m also disabled, every movement hurts, concentrating hurts, and HAVING TO CLICK PRECISELY IN THREE DIFFERENT PLACES INSTEAD OF ONE IS EXTRA PAIN – EVERY TIME.

    Where is the button on the warning to ‘Don’t show this warning again on this site’? How the hell was this planned and released without an option to turn it off, per site, after the first showing of the warning on a site?

    This is not at all trivial for me. And even turning it off globally in about:config, setting security.insecure_password.ui.enabled to false (and security.insecure_field_warning.contextual.enabled to false, as I presume that’s why I kept getting the warning popping up on every field, getting in the way, intercepting clicks not meant for it and opening explanatory pages multiple times while I was trying to register for a web forum), it STILL changes things to three clicks in different places rather than the old one, because the page still loads with the username and password fields unpopulated, so it’s still click in the username field to get a list to pop open with the username in it, move pointer and click on the username in the list to populate the fields, then move pointer again and click on the OK.

    So ‘disabling it’ does NOT restore the previous behaviour of the page opening with the fields populated, and STILL requires three precise moves, three clicks instead of one WHICH COSTS ME PAIN.

    Thank you so, so much for actually considering nobody else’s use of the internet but yours.

    Given that I originally moved to Firefox from Chrome when Chrome dropped NPAPI, because most of my favourite US TV shows were only available to me via one UK provider that required Silverlight to stream on demand programmes … and it STILL requires Silverlight to stream those shows, Firefox 52 has turned Firefox from the best browser to complete junk for me, unable to perform my single most important use because no Silverlight, and causing me extra time, clicks and pain on other sites that are important to me because of this changed It’s-not-HTTPS behaviour. Time to find another browser … which will mean lots of clicking to research, install, configure and equip, and therefore a lot more pain. Thanks a bunch for ruining this software for fancy theoretical reasons for the internet you’d like that ignore how the internet actually IS and the use people need to make of it.

    Reply

    1. Qui Gonn Jimm wrote on :

      THANK YOU! I couldn’t have said it better.

      “So ‘disabling it’ does NOT restore the previous behaviour of the page opening with the fields populated, and STILL requires three precise moves, three clicks instead of one WHICH COSTS ME PAIN.” —- PAIN IN THE ARSE!

      Reply

      1. MattN wrote on :

        You need to also set signon.autofillForms.http to true if you want to autofill the login on insecure forms. I wouldn’t recommend this though.

        Reply

  27. angrygod50 wrote on :

    This feature is stupid and annoying. Why do you feel the need to clutter up a nice browser with more and more features that piss off users and slow things down. At least give us the option to turn this POS off in the options menu. I’ve supported Mozilla for decades but I’m ready to switch to something else.

    Reply

  28. venier wrote on :

    Sorry, I’m stupid, I want to be stupid, let me be stupid.
    Do not try to take me by the hand like a baby.
    I’m stupid, not a baby.
    Leave a stupid way to disable this option.
    Thanks for listening (or not)
    🙂

    Reply

  29. peter wrote on :

    I AM 74 YEARS OLD AND NOT COMPUTER LITERATE, NOW I CAN NOT USE MY HOTMAIL, WHICH I HAVE USED FOR TEN YEARS!!! WHAT DO I DO NOW????

    Reply

    1. MattN wrote on :

      Hi Peter, this change shouldn’t have stopped you from using Hotmail, it only added a warning and if you had a saved password it should still be accessible in the autocomplete dropdown but not auto-filled. I also don’t believe Hotmail uses an insecure form so I think you’re seeing a separate issue.

      Reply

  30. jane wrote on :

    good

    Reply

  31. peter wrote on :

    Got my HOTMAIL back but was forced to use another browser. Sad. I have been very happy with FIREFOX for the last eight years, forced to move???

    Reply

  32. Jardin wrote on :

    It might have seemed like a good idea, but you need to be able to turn it off for selected sites or domains.

    Many of our internal sites require a password – not for security, but because the designer (not us) thought someone might want it secured. We don’t need it secure – it’s read access only and the password is QWERTY. No one needs to phish for this password. If you’re on our network, you have (read) access. Config is done via ssh and other secure tools, not by http/https. And no one sensible is going to ‘re-use’ this password, except where we re-use it for exactly the same reason – we don’t need that level of security.

    Our file system contains tons of documents that all have read access without encryption. We don’t tell the user that our network isn’t encrypted every time they access a folder – why should we have to badger them every time they access an internal web-site over the same network?

    We really don’t need the mozilla foundation telling us how to run a business, or increasing the cost of our data by requiring https for artificial reasons. It would be somewhat better if Let’s Encrypt wasn’t so babyish about certificates that only last 90 days. This is not a zero cost improvement, and it isn’t always going to improve security.

    An example of how this can compromise security: If all browsers suddenly required https like Mozilla, we would simply provide users with a home-made app to read the internal pages they want. Then, no doubt, some idiot user will use our ‘cut down’ browser to access an external site of an unsavory nature, and bang, we’ll have a virus.

    We like the security a modern browser brings to our network, but it has to be under our control. Part of network neutrality is not letting the fascists tell us how to run the network.

    Mozilla – you are better than this.

    Reply

    1. Pino wrote on :

      Why can’t you set up a cron job to run Dehydrated every 2 months and renew the certificates?

      Reply

      1. Paolo wrote on :

        I am a web developer from before your birth, probably.
        Lately I have switched to common CMSes like WP, Magento and the like.
        My clients have their domains at dozens of different ISPs, many of which don’t permit cron jobs.
        When they log in to their admin zone, my clients are being told their site is insecure.
        Thanks a lot for this great addition to my once preferred browser…

        Reply

  33. Alex Haan wrote on :

    Oh, also an issue (don’t have access to my bugzilla account here): If the password-form fields are small, you don’t see the complete message. As the notification ‘popup’ seems to have the size of the input you focus.

    Reply

    1. Pino wrote on :

      If the password form fields are small, the site operator probably doesn’t expect the user to use a password that’s long enough to be secure. So if you do file a bug once you get back to the machine with your Bugzilla or GitHub credentials saved, I can easily see that bug being RESOLVED WONTFIX.

      Reply

    2. MattN wrote on :

      Hi Alex, we are tracking this issue in https://bugzilla.mozilla.org/show_bug.cgi?id=1330731

      Reply

  34. greg wrote on :

    Well, thank you Mozilla for helping me to be safe EVEN WHEN I HAVEN’T ASKED FOR IT!!! How do I SWITCH THIS F…G THING OFFFFFF??!!!!! Stop helping people who DON’T need help.

    Reply

  35. Benjamin Miller wrote on :

    Please disable this feature on the latest version of Firefox or let us have the option of setting up an exception list, because most of the sites I am going to I have been using for years and know they are safe. Now it takes me 3 clicks to get into them, which is a major PITA.

    Reply

    1. MattN wrote on :

      If you’re seeing this warning then your connection during login absolutely isn’t safe (barring any bug). You should contact the sites to setup HTTPS which is free and easy nowadays and that will improve security for all their users.

      Reply

      1. Brett wrote on :

        What MattN is saying in a very nice way is that Mozilla does not care about their users enough to give them the option to disable a feature they don’t want.

        Reply

        1. MattN wrote on :

          Not at all, only a minority of users change settings so if it truly is such a bad feature for the majority then adding a toggle isn’t the right solution. It’s also hard to give users a toggle about security indicators when many users won’t understand the security implications. Advanced users already have the toggles in about:config so we don’t need to add a UI toggle for them. We’re listening to feedback but weighing it against the benefits. Please consider non-advanced users in your proposals.

          Reply

          1. Paolo wrote on :

            The vast majority of the users IS NOT CAPABLE of finding and changing 3 parameters in about:config to stop this behaviour, you geek!

            about:config
            security.insecure_password.ui.enabled => false
            security.insecure_field_warning.contextual.enabled => false
            signon.autofillForms.http => true

  36. Thomas A. Fine wrote on :

    The problem here is that you are making CONTENT-based policy, but you are NOT the content creator.

    All the complaints above, all the use cases you didn’t think about should show you that you screwed up on this one.

    It’s also frightening that you seem to know so little about how computer security actually works. Policy decisions MUST BE made locally. Global security policy decisions always lead to a great many corner case failures as noted above. It also leads to a false sense of security, and a predictable new set of exploits for hackers as the masses are herded into ever-more vanilla security practices.

    Your one-size-fits-all security policy does not fit all. Security, by definition, can not be centralized.

    Reply

  37. Bob G wrote on :

    As long as we can still use it without https. There are applications that are never meant to go beyond the local internal network that will never use https and have password fields. These are 3rd party apps that will not ever change.

    We have also run into problems with Firefox and old certificates that were self-generated on appliances and cannot be changed. These are older hardware devices that use a web configuration and cannot be updated nor easily replaced.

    These nice ideas of https everywhere are nice but break down when faced with real world apps. Much the same as Chrome found out when Java refused to budge on the API. Many apps will continue to use Java apps and will NOT change them.

    Reply

  38. ken wrote on :

    Ya, thanks mom. That’s great, a stupid warning now for all my sites that have no real sensitive information to protect. Now I get this stupid warning every time I log in. You clowns.

    Reply

    1. ken wrote on :

      Find something better to do, like make Firefox not be so damn slow when starting up. I see it slowly paint icons for extensions, and I have to wait like 5 seconds before I can go to a web site. But that’s not important, we’re going to care about “password reuse”. A problem that can’t even be solved. You morons.

      Reply

  39. peter wrote on :

    NO MATTN, on some sites I get a drop down. But on HOTMAIL I get a grey padlock with a red line through it and it will not open up!!! regards Pete!!!

    Reply

    1. MattN wrote on :

      Are you sure that the lack of login suggestions on Hotmail is new in Firefox 52? That may be a separate issue.

      Reply

      1. peter wrote on :

        Hi Mattn! Yes, it just started about three weeks ago; one site entry closed me out, and about two weeks later the final site entry failed. I get the whole screen full with just “unsecured connection” on it!! No small drop down on HOTMAIL at all, unlike this site I am using to get to you now!! I can get into HOTMAIL ONLY USING OTHER BROWSERS!!! Regards Pete

        Reply

  40. John S wrote on :

    Yes – it’s very good to make such security locks – but will they help – what do the people who have an ordinary WordPress blog do – yes we are of course looking for other browsers –
    I believe that Firefox shoot themselves in the foot with this update – and will go from being one of the largest to shrink to nothing
    How about making a safe ‘when browsing’ instead of destroying people’s experiences on the net !!
    I can recommend browsers such as chromium
    John

    Reply

  41. http://twitter.com/uber_waw wrote on :

    The compensatory allowance is the difference between the average monthly salary determined
    according to the rules in force when calculating the basis for sickness benefit, and the monthly salary earned for work under conditions of vocational rehabilitation.

    Reply

  42. Carl wrote on :

    Sorry. I am tired of FF telling me what I can and cannot use. Time to move else where.

    Reply

  43. Al wrote on :

    How do i remove this annoying insecure password warning!!

    Reply

    1. MattN wrote on :

      As explained many times on this page: you can go to about:config and reverse the preferences security.insecure_password.ui.enabled and signon.autofillForms.http

      Reply

  44. Dick Metcalf wrote on :

    Is there NO way to turn this OFF? My users are complaining that they are unable to see my content… on a page that requires NO sensitive information!

    SO – do you have a FIX, other than https:// that will allow users to UNBLOCK this feature?

    Reply

    1. MattN wrote on :

      If the page has a login form and passwords are sensitive (since users can re-use a password from a more sensitive site) then that means the page is sensitive.

      As explained many times on this page: you can go to about:config and reverse the preferences security.insecure_password.ui.enabled and signon.autofillForms.http

      It would be much easier to setup HTTPS so that the login form is secure though.

      Reply

      1. steve heller wrote on :

        This ‘solution’ doesn’t work. I still get the warning on my home network, which I don’t want.

        Reply

      2. michael smith wrote on :

        It would be much EASIER if y’all would remove this feature entirely, or LISTEN to the people who have been critical of this feature and adapt to what WE actually need. Your arrogance, Matt, in your responses has been very off-putting. I’ve used Firefox for years, but I’m dismayed at how user UN-friendly y’all have become. I design primarily WordPress websites for small businesses whose knowledge of the workings of the internet is minimal, and since I’ve been recommending Firefox to them I’m now concerned that they will think that the websites I design for them are insecure when they actually are not insecure at all. Wordfence and WP-SpamShield give them all the security they actually need. So they DON’T need this annoyance whenever they want to log in and post something to their blog. I guess I’ll have to recommend they change browsers, as my clients wouldn’t know a cron job from a con job.

        Stop being so self-righteous and arrogant. Thank you in advance for that.

        Reply

        1. Paolo wrote on :

          Same problem for me too.

          Reply

  45. Graeme wrote on :

    While I appreciate the reasoning behind the change, there should be the option to disable it for specific sites, e.g. home network devices that don’t support HTTPS for their management. Without this, Firefox is broken.

    I know I could disable this feature totally, but I appreciate having the feature active; I want to be able to disable/bypass it for specific sites only.

    Reply

  46. Ken wrote on :

    I want to switch this damned thing OFF. I didn’t ask for it and don’t want it. It is now causing me extra work on sites that I have used safely for many years.

    Turn the damned thing off or allow an option to do so ourselves

    Reply

  47. Jack wrote on :

    This has screwed up so many of my saved porn passwords that have fake email addresses. Because of this feature it no longer enters saved usernames and passwords. Give me an option to turn it off so I don’t have to revert to Safari…

    Reply

  48. Mike wrote on :

    Congrats for making Edge look attractive….

    Reply

    1. Musicalymia wrote on :

      Haha, ain’t that the truth. Thank goodness my web customers largely use IE and Edge still.

      Reply

  49. Kelly wrote on :

    I’m sick and tired of Mozilla thinking its job is to force websites to toe its line and enable its preferred methods of security.

    THAT is NOT mozilla’s business. It’s My business as the browser user and the website’s business.

    I want that grey lock garbage disabled from my browser, and I want it disabled now. Mozilla is getting worse in a lot of ways than Microsoft and Google put together and I’m exceedingly tired of it.

    I do not need to be nagged, nannied, and babysat on the net. I KNOW things are insecure. But I’m also quite old enough to take care of my own security. I do NOT need Mozilla to try to do that for me. They’ve overstepped their bounds a lot recently and this is the last straw. The next thing you know, they’re going to be deciding what plugins you can or can’t install because they think those plugins might not be good for you.

    IT’S NOT MOZILLA’S JOB!!!!

    Idiots.

    Reply

  50. Ray wrote on :

    This is just like the NANNY State we live in, but now it is the NANNY Internet. I have no issue with Mozilla developing the feature, but when it is forced on everyone regardless of their desire or need it is taking it too far. Believe it or not, some of us understand what we are doing and have reasons for not requiring secure logins. I agree with a number of others out here, maybe it is time to look for another less intrusive browser, or at least one that provides options and not mandates (ya know, take it or leave it concepts).

    Reply

    1. MattN wrote on :

      I have yet to hear a valid, non-malicious reason (other than the small amount of effort) for intentionally not wanting secure logins. Can you please explain your reason so we can take it into account? You can even use a self-signed certificate to get rid of the warning if you’re fine with that warning which you can add a permanent exception for.

      Reply

      1. bluebolt wrote on :

        Every unnecessary feature adds just a “small amount of effort” over and over until it adds up to “lots of effort” with no benefit. Wrong direction.

        Reply

      2. PETER wrote on :

        Hi MATTN. At 74 yrs and not computer literate it takes (lots of effort) to sort this out. I have been quoted by the local IT expert $100 – $150 to come round and fix this mess I have made trying to sort this out myself. There is a whole generation of pensioners like me who have no idea what a (self-signed certificate) IS. I did a pensioners’ computer course for a few weeks with a teacher who knew very little, who showed us how to use Hotmail and that’s it. Keep in mind there is a huge amount of people like me out here and we are all your customers. regards Pete.

        Reply

      3. Dave wrote on :

        My opinions: Diminishing online safety is threatening to make the Internet unusable. I have been using a computer since the late 1960’s and have worked in pretty much every job you might think of in this industry, including the ones where I had to check in on multiple computer systems multiple times per day to make sure that they were working correctly. Now I would like to be able transition away from having to know all the technical details and just use the tools. However, in my opinion we are still in the dark ages of computing. A long history of design expediency has given us an environment where scammers can prey on uninformed users who really have no choice but to use the technology. It is in our own interests to apply our understanding of the risks and shortcomings to at least “narrow the scoring area” for fraudsters. As technology continues to evolve we too will eventually become (relatively) less informed and more likely to be victims of internet shortcomings. I arrived on this thread in an early morning effort to understand where the warning was coming from. I applaud the effort to partially close this vulnerability. Now if we could only make the certificate stuff (and lots of other things in computing) simpler to use and understand (or even automatic) it would undercut the “establishment” view that the existing, expedient approaches (e.g. unencrypted communication) are unavoidable and should be preserved.

        Reply

      4. Andreas Hofer wrote on :

        > I have yet to hear a valid, non-malicious reason (other than the small amount of effort) for intentionally not wanting secure logins.

        It has been mentioned in several comments:

        *** Embedded devices in the local intranet. ***

        Not so easy to add https, troublesome to manage certificates for them. Not a small amount of effort, if possible at all.

        Why do they need password entries? To protect ordinary users from entering the “advanced settings” page. No big security needed, just not leaving the door wide open.

        We adopted the great new technology. A simple web server in a small embedded device that can barely do more than serve static files to the browser and prepare its data as a JSON string is all that is needed. Using Angular2 we can make a really great user interface in the browser.

        Using a password entry field felt natural, but there are other possibilities, like presenting a numeric key pad for entering a code. But the direction this is going makes us worry…

        Are we on the wrong way? Will it be possible in the future to serve files to a browser from a simple embedded device via http? Will there be a day when browsers start to refuse http completely, because “No one can see a valid non-malicious reason why anyone would want to serve content via http”?

        Reply
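MattN suggests above (comment 50) using a self-signed certificate plus a permanent browser exception for the intranet devices that several commenters describe (routers, fritz.box, embedded web servers). As an added example that is not part of the original post or of Firefox, and not the commenters' own code, here is how to mint such a certificate with OpenSSL. It assumes OpenSSL 1.1.1 or newer is installed (the -addext option needs it) and that the device can load a PEM key and certificate; the hostname device.lan and the address 192.168.0.1 are placeholders, not taken from the page.

```shell
#!/bin/sh
# Added example (not Firefox's or the post author's code): mint a self-signed TLS
# certificate for an intranet device so its login page can be served over HTTPS and
# a permanent exception added in the browser.  Assumes OpenSSL 1.1.1 or newer is
# installed (needed for -addext) and that the device can load a PEM key and cert.
# device.lan and 192.168.0.1 are placeholder names, not taken from the page.
set -eu

# make_selfsigned_cert OUTDIR HOSTNAME IPADDR [DAYS]
# Writes OUTDIR/device.key and OUTDIR/device.crt and prints the cert path.
make_selfsigned_cert() {
    outdir=$1; host=$2; ip=$3; days=${4:-825}
    mkdir -p "$outdir"
    # Browsers match the URL host against subjectAltName, not against the CN, so
    # list both the DNS name and the raw IP: https://device.lan and
    # https://192.168.0.1 then both match.  extendedKeyUsage=serverAuth marks it
    # as a server certificate; no CA is involved at all.
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -keyout "$outdir/device.key" -out "$outdir/device.crt" \
        -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
    chmod 600 "$outdir/device.key"   # private key readable by the owner only
    printf '%s\n' "$outdir/device.crt"
}

# cert_sans CERT: print the SAN list, e.g. "DNS:device.lan, IP Address:192.168.0.1"
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# cert_valid_for_days CERT DAYS: exit 0 if the cert is still valid DAYS from now.
# Run it from cron to learn when to re-mint and re-trust the cert before it expires.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_fingerprint CERT: SHA-256 fingerprint, the value the browser's certificate
# viewer shows; compare it out of band before adding the exception.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone demo:  sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    crt=$(make_selfsigned_cert "$dir" device.lan 192.168.0.1 365)
    echo "cert:        $crt"
    echo "SANs:        $(cert_sans "$crt")"
    echo "fingerprint: $(cert_fingerprint "$crt")"
    cert_valid_for_days "$crt" 30 && echo "still valid in 30 days"
fi
```

Load device.key and device.crt onto the device's web server, open https://device.lan, compare the fingerprint in the browser's certificate viewer with the output of cert_fingerprint, and only then add the permanent exception. Firefox stores that override against the specific certificate it saw, so if the device ever presents a different one the warning comes back, which is the behaviour you want: the password then travels only to the certificate you checked. This is trust on first use; it does not help against an attacker already on the path during that first visit, and cert_valid_for_days in a cron job tells you when to repeat the procedure before the certificate expires.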

  51. Prakash wrote on :

    Out of the blue, Firefox decided that it would prevent login to an external site that I have no control of. I don’t care if everyone knows my password. It is only a data site and I can always use some xyz123 type password for the website.

    Preventing a login and not providing a workaround is really a pain, and a draconian measure. Stop being so troublesome.

    Reply

  52. panin29 wrote on :

    How do I file a bug report on this “improvement?”

    This “feature” is causing my login on a secure company VPN to fail. I’m VPN’d in. The http:// address should work just fine. It always has before. I’m already protected.

    For four days it was a nagging message and I could still log in quite safely to the http:// address with my secure VPN connection in place. Now, it won’t let me log in at all. This is outrageous.

    How are you going to handle complaints like this from hundreds of business users who log into their companies from offsite using a secure VPN connection? Did you not think of this very common situation before you added this so called “improvement?”

    Reply

  53. Grace wrote on :

    I am not worried about putting my password on this site as it is a one time thing.

    Reply

  54. Grace wrote on :

    I am not worried about putting my password on this site as it is a one time thing

    Reply

  55. Harald Demmer wrote on :

    It’s a bit silly that this comment about an insecure website appears when I login to my internal fritz.box system. This will never be an https website, it’s not a website at all. I wonder if anybody could see my special fritz.box password outside of my (also with a special password protected) WLAN. I do ignore the comment in this case. Sorry for my bad English.

    Reply

  56. Ivan wrote on :

    Bye Bye Mozilla, such a great tool has become useless because its developers are a bunch of tools. You deem sites such as NFL.com and ESPN.go.com as unsecured connections – laughable. I am tired of you forcing what you consider “technological advances” that may work in your IT world but here in real life it adds another level of frustration to everyday people. Going back – sigh – windows after so many years.

    Reply

  57. steve heller wrote on :

    This is VERY ANNOYING when I log into my router’s web page. It is not accessible from outside my network, being a 192.168.xxx.xxx address, so why am I being subjected to this nuisance? You should be clever enough to exclude non-routable addresses from this check.

    Reply

  58. Maire O’Donohoe wrote on :

    Appreciate the good intention! Thank you.

    Reply

  59. Philip Clayton wrote on :

    I am sick of not being able to save passwords because of this stupid system. I have an account that has been in use for 12 years and nobody has ever hacked it. I use it for betting on horses and EVERY single time I go to the page I have to go through the entire process of logging on again. I DON’T WANT TO. Firefox is screwing up my personal computer. If I want sites to remember my details and login password that should be my choice, not yours.

    Reply

  60. satheesh wrote on :

    Fuck you firefox bastards, The worst browser in the planet……fuck you.again

    Reply

  61. Caro wrote on :

    Luckily this “improvement” is easily disabled or I’d be looking for a new browser. To “assist” developers you are now inconveniencing all the rest of us.

    Reply

  62. Woo wrote on :

    This may be a good idea for the “average” user, but it’s quite annoying for people who actually know what they’re doing. Thankfully, it’s easily disabled. There are so many fields that FF shows this warning even though they are not even login related (like every second configuration GUI for routers or Asterisk or tons of company internal tools..)

    Reply

  63. JGBJ wrote on :

    The login page is https but the warning still shows. I log in to multiple pages where this is the case.

    Reply

  64. Mr Stewart wrote on :

    Should my DSL modem/router be giving me The connection is not secure message? the 192.168.0.1 one?

    Reply

  65. Dan Tatar wrote on :

    This new feature is Stupid!!!!!
    I am logging on to my Bank, and it is telling me I can’t use my saved password – just stupid.

    I am a general user – I don’t want Firefox to stop me from using saved passwords to my financial institutions.

    Stop trying to help when you create more problems for a general user.

    I can’t understand how to stop this function with the directions.

    Firefox is a really great framework to use – I love it, but NOT in this case.

    You are hurting the General user who is not a computer geek, no offence to computer geeks, but the general user who just wants a good search engine does not need you FORCING me not to use saved passwords – on a banking web site.

    PLEASE STOP TRYING TO HELP ME – if I goof up — I goof up – you are forcing me to do things your way and I don’t want that.

    STOP IT !!!!

    Reply

  66. Graham wrote on :

    This is the stupidest most nannyish idea ever!!!! Consider this scenario. I am a website developer. I log in to dozens of websites of my customers where I have no control over their hosting arrangements and whether or not they choose to secure their site with an SSL certificate. I use a different username / password combination for every site. With this childish, hand holding interference my job has become ten times harder. There isn’t even an option to say “thanks for the warning but I know what I’m doing so don’t bother to tell me again for this site”.

    I know you think you’re helping idiots who cannot be bothered to maintain good password discipline, but frankly that’s their own problem and if they get their passwords stolen, their bank accounts emptied or whatever THAT’S THEIR OWN FAULT! Don’t f**k up this browser for those of us who know what we are about.

    I have used Firefox for over a dozen years now. I love it. But unless you regress this change I will stop using it.

    Reply

    1. Musicalymia wrote on :

      Hear, Hear!

      Reply

  67. RP wrote on :

    Fuck this shit.

    Reply

    1. PETER wrote on :

      That`s exactly what I have been telling them for the last two weeks!!But they are not listening!!!

      Reply

      1. Musicalymia wrote on :

        Also, amen!

        Reply

  68. MIFFA wrote on :

    Ridiculous and an absolute pain in the backside when using FF in a business environment, accessing sites within a locked down business environment!!!

    Give us an option to opt out of this mess!

    Reply

  69. Kim wrote on :

    This is a seriously annoying glitch, to the point that I would like to revert to the prior version. I get this stupid notice on several sites that I use on a closed network that I have no control over. If I can’t stop this, I will have no choice but to switch to a different browser. Please don’t fall into the Yahoo trap of “ooh, isn’t this cool” without considering how it will affect the average user.

    Reply

  70. Radek wrote on :

    I updated Firefox on Ubuntu yesterday and I did not expect to be unable to store my login and password.
    I understand that sites must use https (SSL/TLS) on pages with forms and the notifications are correct,
    but I did not expect that I can’t store passwords. It does not protect users from theft of logins and passwords.
    It is only a blow to the users, because I can log in but I can’t store. There are other web browsers in the world I can use; many people ask me why I use Firefox, Chrome is better, and until now I haven’t had a reason to migrate to Chrome or any other web browser. The password manager is important for me, and I think for many other people, and that will be a hiccup for Mozilla.
    Even on Firefox for DEV I can’t store passwords on non-encrypted sites.
    The solution is to give the possibility in the config to set trusted IPs separated by ‘,’ or by ‘;’ for many IPs.
    I will not update Firefox on other PCs until I have a solution like the above, and if I have to wait too long then I will migrate and tell everybody else to change web browser.

    Reply

  71. Craig wrote on :

    While the technical and security reason for this change is noted, the impacts caused to commerce are already significant. For some they are trapped in an environment which is not easy to change over night, in some cases not possible at all, however take the example where an http site uses a one shot password, the information is of minimal value during that session, the payment gateway redirects to an https site where the visitors payment details are never seen by the http site. Also mechanisms built to track the users typical details such as IP address and Geo-location which alerts sys admin to unusual behaviour. Password rules that ensure that it is unlikely that the user reuses the same weak password on our sites because of strong password rules.

    These are all procedures that we have implemented since 2004, and we can say that customer data has never been breached; we monitor hourly, 24 x 7.

    Why have we done this? Because we are trapped in an environment which is difficult to move from. We understand that login details are insecure over HTTP, but with that understanding and those constraints we have been successful in preventing unauthorized access to data, and our web security code has blocked any attempts.

    A majority of users know what the padlock means; to impact the password field with your warning is over the top when we have addressed the issue with that understanding, and Firefox is now, in a destructive way, turning commerce away for a majority of sites.

    A heavy handed approach is not the solution.

    1. Musicalymia wrote on :

      Amen!

  72. Carl wrote on :

    This is stupid. It is not FF’s place to determine what I use or where I go. It used to be a great thing; now it’s just a nanny state. Time to listen to the folks who use our site and not what you think they want. If I go to an insecure site and have info stolen or my computer corrupted, are you going to pay for the repair? I DON’T THINK SO. So in that case, stop the games. You are losing users and just plain making people unhappy.

  73. joe wrote on :

    I get this message when going to my local blueiris server at 192.168.x.xx. I don’t see why it should get that message. Wouldn’t you need to be on my network to steal/intercept the password?

  74. ExGamec wrote on :

    This notice sucks. Many times I clicked on it and a popup window opened instead of the right username from the saved form. This really SUCKS.

  75. sherry fundin wrote on :

    You took a good thing and made it SUCK!!!!!!!!

  76. Michael wrote on :

    I know it’s going against the trend but I’m with Mozilla on this one. And yes, I do have a website which is now showing the message but because clients can login and spend money it will need to be corrected. As it stands our customers are not receiving the fully secure environment they are entitled to.

    Some of the comments above have spoken of moving to other browsers. That has removed the warning message for them, but the site they’re visiting still has the same security vulnerabilities; it’s just that they are no longer being made aware of them. So it becomes a question of choice: surf in ignorance of the vulnerabilities, or surf with the knowledge that if you proceed to log in your details may be compromised.

    Personally, I think, given the attention this issue has received, it wouldn’t surprise me if the other major browsers start implementing this feature too; after all, they won’t want to be seen as not caring about their users’ security.

    I have to agree with some of the comments above (not the vitriol) about the way this has been implemented. Personally, I think a simple toggle button on the toolbar would have been sufficient to implement the two choices: surf in ignorance (toggle red) or surf securely (toggle green). The first would give the user the same experience they had prior to this, the second the new security alerts.

    From my own personal experience, a lot of users don’t pay much attention to security because they expect it to be implemented as and where necessary to protect their details. Many websites that are showing these issues would have been built with the best understanding of security their creators had at the time. In my case the approach was the recommended technique at the time for implementing our login box. Clearly, that was insufficient if the warning appears, but it’s not Mozilla’s fault for pointing out the problem.

    Shoot the messenger? I think not; we should be thanking them for bringing this issue to the attention of the web.

    1. Musicalymia wrote on :

      It should be up to a website developer to properly secure their website. A developer’s lack of due diligence should not cause the rest, who have followed proper protocol, to have to deal with the problems this new “feature” causes. That is silly. If you don’t have an SSL certificate on a portal that collects sensitive information, then SHAME ON YOU! But don’t spite me in the process. That is a horrible way to go about it.

  77. Opsimex wrote on :

    I’d like to add my 2 cents here. I’m a network admin. A site I manage has a couple of internal sites located within the same virtual host on the same virtual wire.

    One of the sites is for an internally hosted company email server and the other is the internally hosted helpdesk. The users accessing these internal sites are all on a virtual terminal server, all of which reside on the same virtual network segment.

    I have to say I was so proud of the users that reported this new Firefox “feature”: they wanted to know if it was OK to sign on to the same (internal IP address) email URL they’ve been using all these years. I told them no, it is NEVER safe to ignore security warnings.

    Another texted me saying, hey, I was gonna do a ticket on the email error, but I got the same “error” on the help desk login. Is it safe?

    Again, I answered no, it is not safe to ignore security warnings.

    So, my quandary. The users responded to the new warnings generated by Firefox as they have been repeatedly trained to do: they stopped doing what they were doing and called IT. And I had to effectively shut down email/internal IM communication, because security exceptions are a very, very slippery slope with users. I refused to grant any exception.

    I have a quick workaround: I changed the URL on the terminal server public desktop profile email shortcut to point to the external URL that only responds to HTTPS and has a public cert. That has issues of its own, but they are unrelated to HTTPS and this topic specifically. It will work for now.

    As to the helpdesk web page, suffice it to say I am not buying a @#$@%#^%@ cert for it.

    In the long term I will likely change the respective shortcuts to force IE 11 for these internal sites. IE 11. Let that one sink in, FF crew.

    Unintended consequences are a bitch. Provide a way to white list URLs.

    Do not tell IT to go buy something; IT dollars are more precious than “precious” in the real world.

  78. Frank wrote on :

    All your angst about re-use of passwords is just plain foolish.

    I have been telling people for years that they need only two passwords: one to be used on all sites that do not have sensitive information (forums, news sites, etc.) and the second for use ONLY on sites with sensitive information (banks, credit card companies, etc.). The second must be very difficult to guess, created with all the safeguards possible (alpha and numeric, upper and lower case, punctuation, etc.).

    It is then not at all important if the first password is stolen/cracked; but the second must be kept secret and changed fairly regularly. As the second is only used on a few sites, change is easy.

    To suggest that passwords should not be re-used is pretty stupid: if every site needs a different username/password pair, then inevitably the details will be written down somewhere. And for most people the biggest threat is the old problem of theft, particularly of laptops. So your house is burgled and the thief walks off with your laptop and the post-it stuck to the lid with your usernames and passwords!

    And don’t suggest some password repository/software. With all the hype over hijacked information from “secure” sites, many people will simply not trust any third party storage of sensitive information.

  79. Musicalymia wrote on :

    Trash, trash, trash. You are only thinking of yourselves and covering your butts. You need to start thinking from the user’s perspective. You can’t expect web devs to walk every user through turning off this STUPID notification. They don’t understand it. I get calls daily now about it from our web development customers. They just see a warning. It is alarming to them. They have no idea what it is about or what it does. SHAME ON YOU, FIREFOX. You are screwing developers. It should be up to the website developers to properly secure their websites. It is not your job to be the internet police. You are supposed to make a user-friendly internet browser, not a warning system for every tiny thing on the internet.

    I urge you to reconsider this horrible eyesore of a notification. I could handle the address bar icon, but this is too far. It looks more like you are trying to control the internet this way. Chrome is looking awfully good these days…
