No More Passwords over HTTP, Please!

218

Update: This feature is now also enabled in Firefox Release, starting with Firefox 51.  See this post for more details.

Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP.

Username and password pairs control access to users’ personal data. Websites should handle this information with care and only request passwords over secure (authenticated and encrypted) connections, like HTTPS. Unfortunately, we too frequently see non-secure connections, like HTTP, used to handle user passwords. To inform developers about this privacy and security vulnerability, Firefox Developer Edition warns developers of the issue by changing the security iconography of non-secure pages to a lock with a red strikethrough.

Firefox Developer Edition 46+ shows a lock with a red strikethrough on non-secure pages that have a password field, while Firefox Release does include that additional iconography

How does Firefox determine if a password field is secure or not?

Firefox determines if a password field is secure by examining the page it is embedded in. The embedding page is checked against the algorithm in the W3C’s Secure Contexts Specification to see if it is secure or non-secure. Anything on a non-secure page can be manipulated by a Man-In-The-Middle (MITM) attacker. The MITM can use a number of mechanisms to extract the password entered onto the non-secure page. Here are some examples:

      • Change the form action so the password submits to an attacker controlled server instead of the intended destination. Then seamlessly redirect to the intended destination, while sending along the stolen password.
      • Use javascript to grab the contents of the password field before submission and send it to the attacker’s server.
      • Use javascript to log the user’s keystrokes and send them to the attacker’s server.

Note that all of the attacks mentioned above can occur without the user realizing that their account has been compromised.

Firefox has been alerting developers of this issue via the Developer Tools Web Console since Firefox 26.

Why isn’t submitting over HTTPS enough? Why does the page have to be HTTPS?

We get this question a lot, so I thought I would call it out specifically. Although transmitting over HTTPS instead of HTTP does prevent a network eavesdropper from seeing a user’s password, it does not prevent an active MITM attacker from extracting the password from the non-secure HTTP page. As described above, active attackers can MITM an HTTP connection between the server and the user’s computer to change the contents of the webpage. The attacker can take the HTML content that the site attempted to deliver to the user and add javascript to the HTML page that will steal the user’s username and password. The attacker then sends the updated HTML to the user. When the user enters their username and password, it will get sent to both the attacker and the site.

What if the credentials for my site really aren’t that sensitive?

Sometimes sites require username and passwords, but don’t actually store data that is very sensitive. For example, a news site may save which news articles a user wants to go back and read, but not save any other data about a user. Most users don’t consider this highly sensitive information. Web developers of the news site may be less motivated to secure their site and their user credentials. Unfortunately, password reuse is a big problem. Users use the same password across multiple sites (news sites, social networks, email providers, banks). Hence, even if access to the username and password to your site doesn’t seem like a huge risk to you, it is a great risk to users who have used the same username and password to login to their bank accounts. Attackers are getting smarter; they steal username/password pairs from one site, and then try reusing them on more lucrative sites.

How can I remove this warning from my site?

Put your login forms on HTTPS pages.

Of course, the most straightforward way to do this is to move your whole website to HTTPS. If you aren’t able to do this today, create a separate HTTPS page that is just used for logins. Whenever a user wants to login to your site, they will visit the HTTPS login page. If your login form submits to an HTTPS endpoint, parts of your domain may already be set up to use HTTPS.

In order to host content over HTTPS, you need a TLS Certificate from a Certificate Authority. Let’s Encrypt is a Certificate Authority that can issue you free certificates. You can reference these pages for some guidance on configuring your servers.

What can I do if I don’t control the webpage?

We know that users of Firefox Developer Edition don’t only use Developer Edition to work on their own websites. They also use it to browse the net. Developers who see this warning on a page they don’t control can still take a couple of actions. You can try to add “https://” to the beginning of the url in the address bar and see if you are able to login over a secure connection to help protect your data. You can also try and reach out to the website administrator and alert them of the privacy and security vulnerability on their site.

Do you have examples of real life attacks that occurred because of stolen passwords?

There are ample examples of password reuse leading to large scale compromise. There are fewer well-known examples of passwords being stolen by performing MITM attacks on login forms, but the basic techniques of javascript injection have been used at scale by Internet Service Providers and governments.

Why does my browser sometimes show this warning when I don’t see a password field on the page?

Sometimes password fields are in a hidden <div> on a page, that does not show up without user interaction. We have a bug open to detect when a password field is visible on the page.

Will this feature become available to Firefox Beta and Release Users?

Right now, the focus for this feature is on developers, since they’re the ones that ultimately need to fix the sites that are exposing users’ passwords. In general, though, since we are working on deprecating non-secure HTTP in the long run, you should expect to see more and more explicit indications of when things are not secure. For example, in all current versions of Firefox, the Developer Tools Network Monitor shows the lock with a red strikethrough for all non-secure HTTP connections.

How do I enable this warning in other versions of Firefox?

Users of Firefox version 44+ (on any branch) can enable or disable this feature by following these steps:

      1. Open a new window or tab in Firefox.
      2. Type about:config and press enter.
      3. You will get to a page that asks you to promise to be careful. Promise you will be.
      4. The value of the security.insecure_password.ui.enabled preference determines whether or not Firefox warns you about non-secure login pages. You can enable the feature and be warned about non-secure login pages by setting this value to true. You can disable the feature by setting the value to false.

Thank you!

A special thanks to Paolo Amadini and Aislinn Grigas for their implementation and user experience work on this feature!

Categories: Browser Security

218 responses

  1. Simon wrote on :

    The one problem I have with HTTPS-everywhere is that it’s a pain in the neck to set up for internal systems like development environments. Servers certainly use SSL in production, but it’s too much hassle to ensure that it’s used for every short-lived system that I work on – servers that may only exist for hours…

    1. Tim Bray wrote on :

      We used to think that.

      No we use letsencrypt certificates on all our demo and development systems.

      1. Thomas Grainger wrote on :

        If you automate it once, it won’t be a pain

      2. Pino wrote on :

        A Let’s Encrypt certificate requires a fully qualified domain name, and a lot of internal systems lack that. Instead, servers are accessed through a nonroutable IP address (such as one within 192.168/16) or an address in a made-up TLD (such as .local). Or do you expect each home ISP subscriber to buy a domain for his or her home network and keep it renewed?

      3. hmmmm wrote on :

        nonsense, for a tiny 5 men office this may be good.
        but not for your network infrastructure with hundreds of different interfaces, from switches, firewalls, analyzers, honey pots,.. you name it.

        it simply makes not much sense to encrypt everything inside a secure location,
        let alone that you even could. most switches, if they can use https, certainly cannot use letsencrypt.

        as an admin youre aware anyway what traffic is not encrypted and secure your networkpaths if nessesary but not every single host that will never be exposed to the outside world.

        theres even a big downside to that exncryption everything. you have a very hard time to use automated level 7 filtering and IDS. all you see now is ports and traffic.

      4. William wrote on :

        Isn’t there the risk (assuming you have a FQDN) that you may run into rate limits if you are constantly signing development servers?
        As for the issue of servers behind a router, consider using a private root certificate and install it on your LAN clients. That is what I personally do to put HTTPS on my Raspberry Pi home mini-server.

  2. Bjarni R. Einarsson wrote on :

    Hello! This is a fantastic step forward.

    However, can we have an exception for localhost? Using the browser as a front-end for a local web server is an interesting way to develop very compelling apps (disclosure: I work on Mailpile, which is such an app), and it’s not a scenario where HTTPS makes sense (or is even available – you can’t get a cert for localhost).

    Sorry if this appears both here and on hacks, I posted the comment there but it disappeared without any feedback from the site to indicate it was accepted or queued for moderation, or what.

    Please also excuse me if localhost is already exempt – I am assuming it is not because the console does print warnings and the post implies the code path is shared/related.

    Thanks!

    1. Tanvi Vyas wrote on :

      You shouldn’t see this warning for localhost. The code specifically checks for localhost and doesn’t warn in that case.

      1. Duane wrote on :

        I appreciate the need for security and these warnings, but as is the case of the localhost domain name should the warning also not be disabled for local non routable test IP ranges. At least it would be nice to have the option to disable the warning on local subnets.

        1. Pino wrote on :

          Local subnets such as the coffee shop Wi-Fi that’s intercepting your traffic?

      2. Gustaf Mossakowski wrote on :

        I am using the same development setup as Bjarni and I clearly can see this warning when accessing my computer via 127.0.0.1 or ::1. Might not be the case via http://localhost, but of course I do not want to work on only one website but several sites in parallel. So I set up e. g. example.com.local to point to localhost. Firefox is presenting me with the warning that the connection is insecure. Annoying.

      3. Cliff wrote on :

        So why does http://dlinkrouter.local/login_pic.asp come up as insecure on Firefox 52.0.1?

    2. Sandra Villarreal wrote on :

      I see Internet censorship is out of control. I’m not a cry baby, whining Democrat liberal that needs someone to tell me which information I may or may not want access to. So sick of this I’m cancelling internet service all together. It’s not worth the headache that you and the CIA run GOOGLE have created. Forget it. I’m all done.

      Sincerely,

  3. Bart wrote on :

    This is really nice for us developers.

    I can’t wait until this feature is also enabled by default in the normal release. This makes it much easier to explain the necessity of SSL ot other non technical persons.

    1. Thomas Grainger wrote on :

      TLS

  4. Jim wrote on :

    Did Mozilla remove or rename this feature? I just re-imaged my computer and installed Firefox and I do not see security.insecure_password.ui.

    1. Tanvi Vyas wrote on :

      security.insecure_password.ui.enabled still appears for me in about:config. What version of Firefox are you using?

  5. Dee wrote on :

    How this hell could be switched off for certain pages? I have to use http://username:password@page for intranet pages and I want to decide by myself, what is secure, not to be forced by communists by stupid restrictions.

    1. bugzilla wrote on :

      Exactly! Stupid group think.

      You should concentrate on providing a cleaner, better and faster product instead of cluttering the screen with this nonsense. What you guys have to realise is not everybody needs or wants to work in your narrow world view.

      1. Musicalymia wrote on :

        I’m with you. This is trash. How about terrible web developers learn their craft better and adjust to their sensitive content as needed. This hand holding crap is ridiculous. Basically, because idiot developers can’t and won’t adhere to modern standards and give a dang about their customers products, now we get to have a big ole warning to scare off customers. Sweet. Thanks firefox.

        1. Robert wrote on :

          Your arrogance is showing.

    2. bugzilla wrote on :

      It gets worse! Now Firefox 52.0a2 (2017-01-13) is saying (some) https servers are not secure – but only sometimes! – You couldn’t make this stuff up.

      1. Pino wrote on :

        A document delivered through HTTPS is insecure if it transcludes “mixed content”, that is, script, style, fonts, images, or iframed documents from a URL with an insecure scheme. A form delivered through HTTPS is insecure if the form has an “action” URL with an insecure scheme.

        1. Robert wrote on :

          Screw all this bullshit. My cookies won’t set now so folks can’t stay logged in.

          Like I said, screw this bullshit.

    3. Pino wrote on :

      1. Ensure that page is a fully qualified domain name, not an IP address, a bare hostname, or a hostname in a made-up TLD. If not, buy a domain and make it so.
      2. Obtain a certificate for this hostname from Let’s Encrypt using the Dehydrated client.
      3. Set up HTTPS on page.

      1. Robert wrote on :

        And change all your links and resources.
        Why don’t you fools work on reducing the footprint of the respiurce hog firefox has become. Get your priorities correct.
        Ble Moon half the resources.

        1. Derek W wrote on :

          I’m not a security expert. I use the thing for hobbies (family research) and contact etc. I am interested in security because I often need to buy things using the net. Because old age and memory make absorbing new stuff no longer easy, I am happy, if sometime a little puzzled, to read the thought & outputs of those who try to help me. If I really need to question their methods, advice and motives, then I will not hesitate so to do. I would however never consciously do so in a derogatory or abusive manner.
          Please folks-a little respect for each other.

    4. James wrote on :

      “Forced by communists”! Ha ha ha. You nutter.

  6. 2fe2fff wrote on :

    Just fixed using this font password https://github.com/Mottie/input-password-bullet

    I will be not buy extra server to Mozilla felt better, ssl are only used on my vebiste when login oraz register send by ajax.

    ps web developer tools is not a firebuq is not even chrome dev tools where is switched

    1. Pino wrote on :

      How can you be sure that third parties aren’t intercepting “login oraz register send by ajax” requests?

  7. peterpux wrote on :

    Warning now shows up every time I try to connect to my router, my repeater, my home management system, etc. though I am not going via the internet. Anything I can do to avoid that???

    1. Pino wrote on :

      The web browser can’t tell the difference between your LAN and a malicious hotspot in a coffee shop.

      Buy a domain for your LAN, obtain certificates for each device on your LAN from Let’s Encrypt through the Dehydrated client,* install these certificates onto each device on your LAN, and configure each device on your LAN to accept HTTPS connections.

      * You have to use Dehydrated instead of Certbot because Certbot supports only the HTTP challenge, which in turn supports only publicly visible servers. Dehydrated also supports the DNS challenge, which works with hostnames in the public DNS tree even if the hostnames refer to servers on a private network.

      1. No wrote on :

        Do you really think that doing this:

        “Buy a domain for your LAN, obtain certificates for each device on your LAN from Let’s Encrypt through the Dehydrated client,* install these certificates onto each device on your LAN, and configure each device on your LAN to accept HTTPS connections.”

        is the best solution to avoid a warning message for the login page of the router’s firmware?

        It’s a ridiculous recommendation to relay on a third party service and “open” your LAN just to have https between your browser and your router…

      2. Sap wrote on :

        LOL!!!! BUY A DOMAIN FOR YOUR LAN AND OBTAIN A CERTIFICATE FOR EACH DEVICE IN YOUR LAN HAHAHAHA One of the most retarded workaround I’ve seen in my life….. Pino ma fammi il piacere!

      3. Mike C wrote on :

        That answer doesn’t cut it. How can I install certificates on hardware? And trust me, my desktop isn’t going to a coffee shop anytime soon. Yes, I understand that the software can’t distinguish that, but individual users sure can.
        The correct answer would be an option to exempt internal IPs on an individual basis.
        It is very annoying to have this popping up when i can be accessing network hardware many times on some days.

    2. Ali wrote on :

      I’m pretty sure it can. Is the address it is connection to a RFC1918 address? Is it on the local network? Don’t display the box.

  8. manuel wrote on :

    en español por favor……y varios idiomas

  9. Molemo Molai wrote on :

    I cannot connect to this site even though it is https. I’m launching it from http://standardbank.co.za and I get this error message “Secure connection failed”. I do not even have the “Advanced” button to bypass the error message.

    1. Liam wrote on :

      “Advanced” is used to override a warning, not push through on something that has failed. It can’t the connection is simply failed. Sounds like your network connection isn’t allowing TCP/443, SB is not responding to TCP/443, or is experiencing a protocol error.

  10. Neal T wrote on :

    Great, when I do the crossword it thinks I am filing in a password and keeps giving me a warning

    http://www.universaluclick.com/puzzles/crosswords

  11. Maave wrote on :

    Thanks for leaving the about:config pref. I have to deal with HTTP and self-signed certs daily so it’s convenient to disable that on my work profile.

  12. bluebolt wrote on :

    Is there a way to disable this warning in Firefox 52.0 ESR?

  13. Miki wrote on :

    I would like remove the SHITTY remainder that my connection is insecure.

    1. MattN wrote on :

      Go to about:config and set `security.insecure_password.ui.enabled` to false.

      1. Tony wrote on :

        I’ve set security.insecure_password.ui.enabled false but I still get the nags.
        In addition to localhost, I’d like IP numbers that resolve to the same computer also to suppress the nag.

      2. Ali wrote on :

        This only toggles the address bar, not inline floaters.

        1. Manuel wrote on :

          security.insecure_field_warning.contextual.enabled is for the inline floaters

  14. Andrew Joseph wrote on :

    Is there a way to remove this for HTTP intranet sites?

    1. MattN wrote on :

      No, because it’s still insecure. Anyone on the network could get your submitted login info or man-in-the-middle you. Intranet sites using fully-qualified domain names can get free certificates from Let’s Encrypt.

      1. Robert wrote on :

        I already have cert and PA Y for it. I wil n ot change my logon process because some petty tyrant tells me too.

        Your logon nag is offensive, turn off legitimate visitors and is a product of YOU arrogance. “We will discourage your visitors unleas you kiss the ring, crawl on you knees and comply.
        F you asshole.

      2. Ali wrote on :

        You’re assuming a lot about my private network.

  15. Lee Thompson wrote on :

    Overall this is a good idea, however, for developers, testing and intranet use it’s annoying.

    However, a suggestion (and these can go into the about:config options, don’t need to be in the main UI) that could be a good solution without undermining the effort.

    security.insecure_password.exception_ranges = (IP address or range notation)

    Examples:

    security.insecure_password.exception_ranges=192.168.0.0/24
    security.insecure_password.exception_ranges=192.168.0.0/24,192.168.5.1-192.168.0.5.3
    security.insecure_password.exception_ranges=127.0.0.1

    1. MattN wrote on :

      Hi Lee,

      In case you didn’t notice you can disable the warning altogether with `security.insecure_password.ui.enabled`. If developers want it on for non-development work I would recommend a separate Firefox profile for the development work which has the preference off.

      1. Ali wrote on :

        This only toggles the URL flag, not the box that floats on top of all other UI elements in the form, such as validation warnings.

  16. Michael wrote on :

    On a daily bases I login to about 30-35 websites…..without any problem, since the passwords have been saved by FF. But the fun is over, it seems!

    Now I find this annoying and insulting message telling me the connection is not safe (come on peeps, I finished 3rd grade long time ago)

    Why is it so hard for developers to understand that most people don’t give a blast about insecure connections. Please FF, stay cool, stay clean…don’t do what all the nurds do: just work FOR me, not AGAINSTme!

    Ow and while you are working hard on removing this annoying feature during the next update, kindly also cancel that bar where that keeps on asking me if i want to SYNC with my smartphone…… talking about security 🙂

    1. Johann wrote on :

      You can remove it yourself by setting this pref to false: security.insecure_password.ui.enabled

      Setting signon.autofillForms.http to true will get you autofill on insecure websites back.

      This is not recommended. At the risk of sounding insulting again, you underestimate the threat here and might want to read up on password sniffing. Please make sure that you do not re-use passwords when ignoring this warning.

  17. Bob wrote on :

    Need to be able to have a list of sites where this is turned off, similar to the pop-up blocker exception list. I have sites behind our company firewall, accessible only by users who are logged in to the internal network. To then be blocked, or to have to provide certificates for every internal, non-public facing server is ridiculous at best.

    1. MattN wrote on :

      Hi Bob,

      This feature doesn’t block any access to the site, it’s only providing a warning. You’re assuming nothing/nobody on the internal network is malicious which is a bold assumption to make. Perhaps a wild-card certificate would make it easier for you to deploy HTTPS within your intranet if you have many subdomains.

    2. es1999 wrote on :

      I agree there should be exception option to this warning. I log into intranet sites continually. The warning box blocks the buttons below it so I have a couple more key entries. Adds a couple seconds to log in which adds a lot of time when you log in all day.

  18. JackAttack wrote on :

    How can I remove this warning from my site?

    Put your login forms on HTTPS pages.

    Really ?!?!?! We need tutorial !!! !!! !!!

    Tutorial search : zero result :
    https://openclassrooms.com/courses?q=tsl

    So my website will be unsecure forever ??? unless I pay $$$ for a specialist ? Bravo Open Source…

    ^^angry

    1. MattN wrote on :

      Hello JackAttack,

      Certificates are free from Let’s Encrypt (co-founded by Mozilla and EFF). There are good instructions at https://certbot.eff.org/

  19. Brett wrote on :

    Submitting passwords over a non encrypted connection is a minor security issue, kind of like entering your PIN at a ATM without covering the keypad, so I guess this is an ‘ok’ update (though there are many more important things that could be focused on) .. however I dont see any option to turn off the in window pop ups. These are very lame and lead to an extremely poor user experience. They should show once per domain, with an option to not show again.

    Just a thought here, but if you spend more time making a good browser and less trying to be everyone’s babysitter (or even worse their ‘big daddy’) you might get the kind of market share you once enjoyed back.

    1. Johann wrote on :

      You’re severely underestimating the threat of compromised credentials to the average user. Without HTTPS it is very easy for anyone who can read online tutorials to steal your login data, but rather hard for any kind of user to verify that there is no man-in-the-middle on a network.

      Contact the website owner to upgrade to HTTPS. They can easily use Let’s Encrypt for free.

      You can also globally turn off the warning by setting this pref to false: security.insecure_password.ui.enabled

      Or just ignore it, you know.

      1. Brett wrote on :

        Every time you hand your credit card to a waitress you risk the waitress writing down your card info and buying things online with it. But someone does not pop out of thin air each time and issue me a warning. Even if it was possible it would be idiotic and annoying. Tell people something once and let them chose the level of risk they are comfortable with. Dont be a jerk about it.

        1. MattN wrote on :

          Most countries that use credit cards got rid of giving credit cards to random employees years ago due to all the fraud. The consumer inserts their own card into the CHIP terminal and in most countries enters a PIN to prove that the cardholder approves. Sometimes technologies/workflows change to improve security… in the case of this warning it’s getting HTTPS setup on servers which is now free and easy.

          1. Brett wrote on :

            Most product creators respect their users enough to allow them to disable ‘features’ that they dont want. Guess what happens to those that do not? Ill tell you, but you should know it very well (because its been happening to FireFox) for years… people stop using their product.

            After reading your responses to people I can see one major theme here, your so obtuse and hubris that you seem to think users should adjust to your opinion instead of having the freedom to have their own so there is no point in arguing with someone who lacks the capacity to accept that they might have made an error.

            Fortunately I can take solace in knowing that your every decreasing user base is making FireFox less and less relevant every day.

    2. Robert wrote on :

      “Just a thought here, but if you spend more time making a good browser and less trying to be everyone’s babysitter”

      This is the west coast liberal fascist approach. “We know what is best for YOU and you better do it now.”

  20. Fiona Jenkins wrote on :

    This is awful–I get a warning when I try to log in to my foreign e-mail account. Why in heaven’s name can’t I disable this feature. If I can’t, I’ll never use Firefox again!

    1. MattN wrote on :

      Have you tried contacting the email provider to switch to a secure connection? It’s free and not very complicated nowadays.

      1. Robert Tulloch wrote on :

        Won’t back down will you

  21. Robert Tulloch wrote on :

    Hi:

    My login process uses a normal http response containing an iframe
    which calls the login form from an https cgi script.

    Log in form dynamically created by the CGI script.

    Why is this process popping up the insecure warning?

    If you look at the source in the iframe you will see the mechanism to encript
    the username password in addition to the https connection.

    Would like some feedback ASAP. Working on site currently when the insecure warning popped up

    1. MattN wrote on :

      If I understand correctly, you’re talking about an HTTPS iframe embedded in an HTTP page? That’s still insecure as an attacker can just replace the top-level page. Make sure the login form document, all ancestor frames and the form action are all using HTTPS.

      1. Robert Tulloch wrote on :

        I think it is secure. Except of course with keystroke capture. Nothing is secure with that.

        I send the loging form (iframe form) with encryption information that is used to create and encrypted logon string. The server which sent the encryption information to the client uses the same information to produce an encrypted string based on a users known username/password then compares that to what what received from the client. If equal, the client is logged on. Where is this insecure?

      2. Robert Tulloch wrote on :

        I am so sick of that stupid little security message popping up over my login stuff. This is a hideous BS change.

        What problem are you solving and what is the real historical basis (stats) for this inconvenience? It is a rea; turn off.

      3. Ben wrote on :

        Hi, we’re facing the same issue, our main website is delivered via http, the login form is inside an iframe (that means, the form html elements and the action), which is fully https enabled. Unfortunately firefox marks our login field now with this unsecure warning.
        Matt, you wrote: “That’s still insecure as an attacker can just replace the top-level page”
        Of course, but how can that new top level page get the information from the secured iframe (from a different domain)? Remember, even the form elements are inside the secure iframe.

        Please Mozilla, think about it.
        Ben

        1. Robert wrote on :

          They are not interested. They get an idea and it matters not what anyone else thinks.

      4. Robert wrote on :

        How wonderful. Now since I can’t set a cookie and access secure pages on my site, I have to switch to Pale Moon which works just fine. And, recommend that all users dump Firefox.
        Firefox has also become a n example of “bloatware” in the
        true spirit of M$.

        You people are idiots.

  22. Adam wrote on :

    Password reuse is a user problem, not a developer one. Mozilla is basically forcing every non-SSL site with a form input to use their certificate authority so that their browser doesn’t act like a dufus to the general public.

    Why not go all out and issue warnings like:

    “The entered password is vulnerable to brute force attacks, and does not meet Mozilla strength requirements. Tell the website owner to switch to using 16-character passwords.”

    “For security, Firefox has logged you out of all websites due to being idle for 5 minutes. Tell the website owner to use idle checks to keep you logged in.”

    “This site contains JavaScript which can be abused to do malicious things. Tell the website owner to submit their script files through Mozilla for review and an approved signature.”

    “This site is insecure: it’s an online store, and the seller may take your money without sending you a product. Tell the website owner to register with a Mozilla-approved Business Bureau.”

    “This site is insecure: someone may look over your shoulder while you type your password and display sensitive information. Install a Mozilla-approved blank-key keyboard and privacy screen.”

    “This site is insecure: it allows you to post content, which may be monitored by your ISP, and may be stored on a server to be used in malicous ways by the site owner. Tell the owner to remove all form inputs.”

    “This site may contain false information. Tell the website owner to link to appropriate peer-reviewed data.”

    “Firefox has detected AdBlock, which has been disabled to promote ad-supported websites.”

    “Firefox has limited the media audio volume to 50% and playback time to 5 minutes, to help prevent long-term hearing damage.”

    “Warning: Firefox could not verify that you are not using this website while driving.”

    Clearly Mozilla is gravely underestimating the severity and widespread nature of the above issues. Firefox needs several more scary warnings and “Get me out of here!” buttons.

    1. Gary Herbstman wrote on :

      LOL!

    2. Pino wrote on :

      Of these suggestions, I can see Mozilla implementing only one: “Tell the website owner to switch to using 16-character passwords.” Redbox’s password form specifies maxlength=12, which is way too short for a “correct horse battery staple”-style Diceware password.

      “This site contains JavaScript which can be abused to do malicious things. Tell the website owner to submit their script files through Mozilla for review and an approved signature.”

      Are you referring to extension signing? Chrome Web Store is even more restrictive than AMO’s automated signing in this respect, imposing censorship of certain functionality even if an extension is unlisted. Or are you referring to something like LibreJS, which blocks execution of scripts that do not declare a machine-readable free software license?

      “This site is insecure: it’s an online store, and the seller may take your money without sending you a product. Tell the website owner to register with a Mozilla-approved Business Bureau.”

      Comodo has done exactly that. Its IceDragon browser, based on Firefox, warns the user when a site uses a domain-validated certificate instead of an organization-validated one.

      “Firefox has detected AdBlock, which has been disabled to promote ad-supported websites.”

      Won’t happen any time soon. In my experience, Firefox Tracking Protection blocks most ad networks because they track users from one site to another, and ad networks are too lazy to replace ads blocked by Tracking Protection with alternate ads that do not track the user.

    3. Grant wrote on :

      Absolutely correct… Also, have you noticed that Mozilla itself uses third party javascript that they blindly foist on us (from lithium.com, google-analytics.com and netdna-ssl.com). If you weren’t running an addon like noscript it would just automatically execute without your knowledge or active consent. Why don’t they fix something like that rather than cause us all grief over an issue that should be left to us (developers)? If my sites needed to be that secure I would already have done so. Now my clients get the notice that their website is not secure and they don’t really understand the issue. It just scares them for no reason.

  23. Andreas Hofer wrote on :

    Sometimes I feel the people driving the technology are lacking imaginativity for other scenarios. They only see big webservers running shopping carts and the like. But the technology opens many more exciting possibilities.

    We are building small embedded industrial devices with a tiny embedded web server for the user interface. These devices will always only be used in an intranet. We need some limited capability to restrict access to the settings, but a simple username/password is absolutely sufficient. No fear of a man in the middle. Just prevent the simplest users in their daily work from accidentally changing problematic parameters. Adding SSL and handling certificates would be a burden for this device. Being able to offload the user interface to a tablet, mobile or a notebook running JavaScript is a great way to get a good user experience. In our use case, it is annoying to see a security warning.

  24. Jorge Banha wrote on :

    I used Firefox for internal entreprise web aplications. Now all of them are insecure (???) and that stupid warning is always there. Its Annoying

    More, because ending with java suport, everything i do in my job have to be done using IE… It’s a pity. I loved Firefox and hate IE, but i have to return to IE…..

  25. bluebolt wrote on :

    To rid yourself of the warning nag, use about:config to set this line to “false”:

    security.insecure_field_warning.contextual.enabled

  26. DavidGB wrote on :

    This is infuriating. A site I use, visiting several times daily, with an HTTP login page. Before: bookmarked login page opens with (saved) username and password fields populated, I just click once on the OK button. Now: login page opens with unpopulated username and password fields, I have to click once in either password or username filed to get the insecre lgin warning, click again where my username is listed at the bottom of the warning to populate the username and login fields, then click a third time on the OK button, EVERY TIME.

    I get it. It’s an insecure login. I know that. I knew that. I don’t use that password for anything else, and this is not a logon where someone stealing it could defraud me money or anything. i GET IT. But there’s nothing i can do about it. This would be irritating enough to get this every time anyway, but I’m also disabled, every movement hurts, concentrating hurts, and HAVING TO CLICK PRECISELY IN THREE DIFFERENT PLACES INSTEAD OF ONE IS EXTRA PAIN – EVERY TIME.

    Where is the button on the warning to ‘Don’t show this warning again on this site’? How the hell was this planned and released without n option to turn it off, per site, after first showing of the warning on a site?

    This is not at all trivial for me. And even turning it off globally in about:config setting security.insecure_password.ui.enabled to false (and the security.insecure_field_warning.contextual.enabled to false as I presume that’s why I kept getting the warning popping up every field, getting in the way, intercepting clicks not meant for it and opening explanatory pages multiple times while i was trying to register for a web forum,) it STILL changes things to three clicks in different places rather than the old one, because the page still loads with the username and password fields unpopulated, so it’s still click in username field to get a list to pop open with the username in it, move pointer and click on the username in the list to populate the fields, then move pointer again and click on the OK.

    So ‘disabling it’ does NOT restore the previous behaviour of the page opening with the fields populated, and STILL requires three precise moves, three clicks instead of one WHICH COSTS ME PAIN.

    Thank you so, so much for actually considering nobody else’s use of the internet but yours.

    Given that I originally moved to Firefox from Chrome when Chrome dropped NPAPI, because most of my favourite US TV shows were only available to me via one UK provider that required Silverlight to stream on demand programmes … and it STILL requires Silverlight to stream those shows, Firefox 52 has turned Firefox from the best browser to complete junk for me, unable to perform my single most important use because no Silverlight, and causing me extra time, clicks and pain on other sites that are important to me because of this changed It’s-not-HTTPS behaviour. Time to find another browser … which will mean lots of clicking to research, install, configure and equip, and therefore a lot more pain. Thanks a bunch for ruining this software for fancy theoretical reasons for the internet you’d like that ignore how the internet actually IS and the use people need to make of it.

    1. Qui Gonn Jimm wrote on :

      THANK YOU! I couldn’t have said it better.

      “So ‘disabling it’ does NOT restore the previous behaviour of the page opening with the fields populated, and STILL requires three precise moves, three clicks instead of one WHICH COSTS ME PAIN.” —- PAIN IN THE ARSE!

      1. MattN wrote on :

        You need to also set signon.autofillForms.http to true if you want to autofill the login on insecure forms. I wouldn’t recommend this though.

        1. MattNDick wrote on :

          Screw you bro, soon when people starts looking for alternative browsers that are less annoying you will learn how not to force things on people. Firefox is loosing market share and you guys just made it worse and sending people back to chrome.

  27. angrygod50 wrote on :

    This feature is stupid and annoying. Why do you feel the need to clutter up a nice browser with more and more features that piss off users and slow things down. At least give us the option to turn this POS off in the options menu. I’ve supported Mozilla for decades but I’m ready to switch to something else.

  28. venier wrote on :

    Sorry, I’m stupid, I want to be stupid, let me be stupid.
    Do not try to take me by the hand like a baby.
    I’m stupid, not a baby.
    Leave a stupid way to disable this option.
    Thanks for listening (or not)
    🙂

  29. peter wrote on :

    I AM 74 YEARS OLD AND NOT COMPUTER LITERATE, NOW CAN NOT USE MY HOT MAIL, WHICH I HAVE USED FOR TEN YEARS !!!WHAT DO I DO NOW????

    1. MattN wrote on :

      Hi Peter, this change shouldn’t have stopped you from using Hotmail, it only added a warning and if you had a saved password it should still be accessible in the autocomplete dropdown but not auto-filled. I also don’t believe Hotmail uses an insecure form so I think you’re seeing a separate issue.

      1. Thomas wrote on :

        Whether you seeing a separate issue or not, it is an issue created by these kind of ‘security’ updates. The point is these create a lot more issues for people than they solve.

  30. peter wrote on :

    Got my HOTMAIL back but was forced to use another browser .Sad I have been very happy with FIREFOX for the last eight years, forced to move???

  31. Jardin wrote on :

    It might have seemed like a good idea, but you need to be able to turn it off for selected sites or domains.

    Many of our internal sites require a password – not for security, but because the designer (not us) thought someone might want it secured. We don’t need it secure – it’s read access only and the password is QWERTY. No one needs to phish for this password. If you’re on our network, you have (read) access. Config is done via ssh and other secure tools, not by http/https. And no one sensible is going to ‘re-use’ this password, except where we re-use it for exactly the same reason – we don’t need that level of security.

    Our file system contains tons of documents that all have read access without encryption. We don’t tell the user that our network isn’t encrypted every time they access a folder – why should we have to badger them every time they access an internal web-site over the same network?

    We really don’t need the mozilla foundation telling us how to run a business, or increasing the cost of our data by requiring https for artificial reasons. It would be somewhat better if Let’s Encrypt wasn’t so babyish about certificates that only last 90 days. This is not a zero cost improvement, and it isn’t always going to improve security.

    An example of how this can compromise security: If all browsers suddenly required https like mozilla, we would simply provide users with an home-made app to read the internal pages they want. Then, no doubt, some idiot user will use our ‘cut down’ browser to access an external site of an unsavory nature, and bang, we’ll have a virus.

    We like the security a modern browser brings to our network, but it has to be under our control. Part of network neutraility is not letting the facists tell us how to run the network.

    Mozilla – you are better than this.

    1. Pino wrote on :

      Why can’t you set up a cron job to run Dehydrated every 2 months and renew the certificates?

      1. Paolo wrote on :

        I am a web developer from before your birth, probably.
        Lately I have switched to common CMS like WP, Magento and the like.
        My clients have their domains in dozens of different ISP, many of which don’t permit cron jobs.
        When they login to their admin zone, my clients are been told their site is insecure.
        Thanks a lot for this great addiction to my once preferred browser…

  32. Alex Haan wrote on :

    Oh, also an issue (don’t have access to my bugzilla account here): If the password-form fields are small, you don’t see the complete message. As the notification ‘popup’ seems to have the size of the input you focus.

    1. Pino wrote on :

      If the password form fields are small, the site operator probably doesn’t expect the user to use a password that’s long enough to be secure. So if you do file a bug once you get back to the machine with your Bugzilla or GitHub credentials saved, I can easily seeing that bug being RESOLVED WONTFIX.

    2. MattN wrote on :

      Hi Alex, we are tracking this issue in https://bugzilla.mozilla.org/show_bug.cgi?id=1330731

  33. greg wrote on :

    well thank you mozilla for help me to be safe IVEN WHEN I HAVEN’T ASKED FOR!!! How do I SWITCH THIS F…G THING OFFFFFF??!!!!! Stop helping peoples who DON’T need help.

  34. Benjamin Miller wrote on :

    Please disable this feature on the latest version of firefox or let us have the option of setting up a expectation list cause most of the sites i am going to i have been using for years and know they are safe now it take me 3 clicks to get into them. Which is a major PITA.

    1. MattN wrote on :

      If you’re seeing this warning then your connection during login absolutely isn’t safe (barring any bug). You should contact the sites to setup HTTPS which is free and easy nowadays and that will improve security for all their users.

      1. Brett wrote on :

        What MattN is saying in a very nice way is that Mozilla does not care about there users enough to give them the option to disable a feature they dont want.

        1. MattN wrote on :

          Not at all, only a minority of users change settings so if it truly is such a bad feature for the majority then adding a toggle isn’t the right solution. It’s also hard to give users a toggle about security indicators when many users won’t understand the security implications. Advanced users already have the toggles in about:config so we don’t need to add a UI toggle for them. We’re listening to feedback but weighing it against the benefits. Please consider non-advanced users in your proposals.

          1. Paolo wrote on :

            The vast majority of the users IS NOT CAPABLE of finding and changing 3 paramethers in the about:config to stop this behaviour, you geek!

            about:config
            security.insecure_password.ui.enabled => false
            security.insecure_field_warning.contextual.enabled => false
            signon.autofillForms.http => true

          2. Brett wrote on :

            Poalo, thats Mats way of justifying why Mozilla does not give a crap what people actually care about. The sheer obtuseness of his responses is infuriating. Honestly I like FireFox even less just hearing the way this guy speaks to people.

  35. Thomas A. Fine wrote on :

    The problem here is that you are making CONTENT-based policy, but you are NOT the content creator.

    All the complaints above, all the use cases you didn’t think about should show you that you screwed up on this one.

    It’s also frightening that you seem to know so little about how computer security actually works. Policy decisions MUST BE made locally. Global security policy decisions always lead to a great many corner case failures as noted above. It also leads to a false sense of security, and a predictable new set of exploits for hackers as the masses are herded into ever-more vanilla security practices.

    Your one-size-fits-all security policy does not fit all. Security, by definition, can not be centralized.

  36. Bob G wrote on :

    As long as we can still use it without https. There are applications that are never meant to go beyond the local internal network that will never use https and have password fields. These are 3rd party apps that will not ever change.

    We have also run into problems with firefox and old certificates that were self generated on appliances and cannot be changed. These are older hard devices that use a web configuration and are cannot be updated nor easily replaced.

    These nice ideas of https everywhere is nice but breaks down when faced with real world apps. Much the same as chrome found out when java refused to budge on the api. Many apps will continue to use java apps and will NOT change them.

  37. ken wrote on :

    Ya, thanks mom. thats great, a stupid warning now for all my sites that have no real sensitive information to protect. Now I get this stupid warning every time I login. you clowns.

    1. ken wrote on :

      Find something better to do, like make Firefox not be so damn slow when starting up. I see it slowly paint icons for extensions, and I have to wait like 5 seconds before I can go to a web site. But thats not important, were going to care about “password reuse”. A problem that can’t even be solved. You morons.

  38. peter wrote on :

    NO MATTN ON some sites I get a drop down .But on HOTMAIL it get a grey padlock with a red line through it and it will not open up!!!regards Pete!!!

    1. MattN wrote on :

      Are you sure that the lack of login suggestions on Hotmail is new in Firefox 52? That may be an separate issue.

      1. peter wrote on :

        Hi Mattn! Yes it just started about three weeks ago one site entry closed me out,and about two weeks later the final site entry failed. I get the whole screen full with just unsecured connection on it !!. No small drop down on HOTMAIL at all, Unlike this site I am using to get to you now!! I can get into HOTMAIL ONLY USING OTHER BROWSERS!!! Regards Pete

  39. John S wrote on :

    Yes – it’s very good to make such security locks – but they will help – what do the people who have an ordinary WordPress block – yes we are of course looking for other browsers –
    I believe that Firefox shoot themselves in the foot with this update – and will go from being one of the largest to shrink to nothing
    How about making a safe ‘when browsing’ instead of destroying people’s experiences on the net !!
    I can recommend browsers such as chromium
    John

  40. Carl wrote on :

    Sorry. I am tired of FF telling me what I can and cannot use. Time to move else where.

  41. Al wrote on :

    How do i remove this annoying insecure password warning!!

    1. MattN wrote on :

      As explained many times on this page: you can go to about:config and reverse the preferences security.insecure_password.ui.enabled and signon.autofillForms.http

      1. Ali wrote on :

        This only toggles the address bar flag and not the nags inline.

  42. Dick Metcalf wrote on :

    Is there NO way to turn this OFF? My users are complaining that they are unable to see my content… on a page that requires NO sensitive information!

    SO – do you have a FIX, other than https:// that will allow users to UNBLOCK this feature?

    1. MattN wrote on :

      If the page has a login form and passwords are sensitive (since users can re-use a password from a more sensitive site) then that means the page is sensitive.

      As explained many times on this page: you can go to about:config and reverse the preferences security.insecure_password.ui.enabled and signon.autofillForms.http

      It would be much easier to setup HTTPS so that the login form is secure though.

      1. steve heller wrote on :

        This ‘solution’ doesn’t work. I still get the warning on my home network, which I don’t want.

      2. michael smith wrote on :

        It would be much EASIER if y’all would remove this feature entirely, or LISTEN to the people who have been critical of this feature and adapt to what WE actually need. Your arrogance, Matt, in your responses have been very off-putting. I’ve used Firefox for years, but I’m dismayed at how user UN-friendly y’all have become. I design primarily WordPress websites for small businesses whose knowledge of the workings of the internet is minimal and since I’ve been recommending Firefox to them I’m now concerned that they will now think that websites I design for them for them are insecure when they actually are not insecure at all. Wordfence and WP-SpamShield gives them all the security they actually. So they DON”T need this annoyance whenever they want to log in and post something to their blog. I guess I’ll have to recommend they change browsers as my clients wouldn’t know a cron job from con job.

        Stop being so self-righteous and arrogant. Thank you in advance for that.

        1. Paolo wrote on :

          Same problem for me too.

      3. AnEv942 wrote on :

        MattN
        Why do you suggest the 2 options to disable feature that do NOT disable the warning box and text folks are not happy with?

        security.insecure_field_warning.contextual.enabled true
        right click and TOGGLE to false. The pop up box with warning will no longer appear. (at least until F/F ‘fixes’ it for us).

        security.insecure_password.ui.enabled true
        This, previously mentioned as a workaround, only turns on the red lock symbol in the address bar when logging in HTTP site. Does nothing to stop the pop up box and warning.

      4. bugdiver wrote on :

        Security is not the only reason to require a password. Some sites are light weight and can only handle a few concurrent connections. To prevent bloggers linking to them or curious browsers from perusing, a simple login/password is sufficient (and in my case, the user does NOT supply the password and can’t change it). It’s ridiculous that a browser should decide a site needs encryption based on requiring a login/password, and if so, it’s going to make it difficult for the user.

        If you really feel this is necessary (it’s NOT), don’t make it so intrusive. Have the warning show up out of the way or at worst, start out covering the login/password entry boxes then move out of the way.

        One other thing, disabling autofill will actually make the problem of a user having one password for everything worse. Most users know they won’t remember a dozen different passwords and if autofill isn’t working, they’re going to use one they can remember for everything.

        For now, I’m recommending my users use another browser. If they really want to stick with FF I’ll tell them how to disable the warning but I’m reluctant to do so because I expect FF to re-enable it in future upgrades.

  43. Graeme wrote on :

    While I appreciate the reasoning behind the change, there should be the option to disable it for specific sites, e.g. home network devices that don’t support HTTPS for there management. Without this, firefox is broken.

    I know I could disable this feature totaly, but I appreciate having the feature active, but I want to be able to disable/by-pass it for specific sites only.

  44. Ken wrote on :

    i want to switch this damned thing OFF. I didnt ask for it and dont want it.it is now causing me extra work on sites that i have used safely for many years.

    Turn the damned thing off or allow an option to do so ourselves

  45. Jack wrote on :

    This has screwed up so many of my saved porn passwords that have fake email addresses. Because of this feature it no longer enters saved usernames and passwords. Give me an option to turn it off so I don’t have to revert to Safari…

  46. Mike wrote on :

    Congrats for making Edge look attractive….

    1. Musicalymia wrote on :

      Haha, ain’t that the truth. Thank goodness my web customers largely use IE and Edge still.

  47. Kelly wrote on :

    I’m sick and tired of Mozilla thinking its job is to force websites to toe its line and enable its prefered methods of security.

    THAT is NOT mozilla’s business. It’s My business as the browser user and the website’s business.

    I want that grey lock garbage disabled from my browser, and I want it disabled now. Mozilla is getting worse in a lot of ways than Microsoft and Google put together and I’m exceedingly tired of it.

    I do not need to be nagged, nannied, and babysat on the net. I KNOW things are insecure. But I’m also quite old enough to take care of my own security. I do NOT need Mozilla to try to do that for me. They’ve overstepped their bounds a lot recently and this is the last straw. The next thing you know, they’re going to be deciding what plugins you can or can’t install because they think those plugins might not be good for you.

    IT’S NOT MOZILLAS JOB!!!!

    Idiots.

  48. Ray wrote on :

    This is just like the NANNY State we live in but now it is the NANNY Internet. I have no issue with Mozilla developing the feature, but when it is forced on everyone regardless of their desire or need it taking it too far. Believe it or not, some of us understand what we are doing and have reasons for not requiring secure logins. I agree a number of others out here, maybe it is time to look for another less intrusive browser or at least one that provides options and not mandates (ya know take it or leave it concepts).

    1. MattN wrote on :

      I have yet to hear a valid, non-malicious reason (other than the small amount of effort) for intentionally not wanting secure logins. Can you please explain your reason so we can take it into account? You can even use a self-signed certificate to get rid of the warning if you’re fine with that warning which you can add a permanent exception for.

      1. bluebolt wrote on :

        Every unnecessary feature adds just a “small amount of effort” over and over until it adds up to “lots of effort” with no benefit. Wrong direction.

      2. PETER wrote on :

        Hi MATTN At 74yrs and not computer literate it takes (lots of effort) to sort this out. I have been quoted by the local I T expert $100 – $150 to come round and fix this mess I have made trying to sort this out myself.. There is a whole generation of pensioners like me who have no idea what a (self singed certificate ) IS .I did a pensioners comp course for a few weeks with a teacher who knew very little who showed us how to use hotmail and that’s it .Keep in mind there is a huge amount of people like me out here and we are all your customers . regards Pete.

      3. Dave wrote on :

        My opinions: Diminishing online safety is threatening to make the Internet unusable. I have been using a computer since the late 1960’s and have worked in pretty much every job you might think of in this industry, including the ones where I had to check in on multiple computer systems multiple times per day to make sure that they were working correctly. Now I would like to be able transition away from having to know all the technical details and just use the tools. However, in my opinion we are still in the dark ages of computing. A long history of design expediency has given us an environment where scammers can prey on uninformed users who really have no choice but to use the technology. It is in our own interests to apply our understanding of the risks and shortcomings to at least “narrow the scoring area” for fraudsters. As technology continues to evolve we too will eventually become (relatively) less informed and more likely to be victims of internet shortcomings. I arrived on this thread in an early morning effort to understand where the warning was coming from. I applaud the effort to partially close this vulnerability. Now if we could only make the certificate stuff (and lots of other things in computing) simpler to use and understand (or even automatic) it would undercut the “establishment” view that the existing, expedient approaches (e.g. unencrypted communication) are unavoidable and should be preserved.

      4. Andreas Hofer wrote on :

        > I have yet to hear a valid, non-malicious reason (other than the small amount of effort) for intentionally not wanting secure logins.

        It has been mentioned in several comments:

        *** Embedded devices in the local intranet. ***

        Not so easy to add https, troublesome to manage certificates for them. Not a small amount of effort, if possible at all.

        Why do they need password entries? To protect ordinary users from entering the “advanced settings” page. No big security needed, just not leave the door wide open.

        We adopted the great new technology. A simple web server in a small embedded device that can barely do more than serving static files to the browser and preparing its data as a json string is all that is needed. Using Angular2 we can make a really great user interface in the browser.

        Using a password entry field felt natural, but there are other possibilities, like presenting a numeric key pad for entering a code. But the direction this is going makes us worry…

        Are on the wrong way? Will it be possible in the future to serve files to a browser from a simple embedded device via http? Will there be a day when broswers start to refuse http completely, because “No one can see a valid non-malicous reason why anyone would want to serve content via http”

      5. Tofe wrote on :

        There are websites that require passowrd fields that are actually email addresses. Some Disqus logins are done this way. It’s always possible to enter a fake email if you don’t want to reveal yours.
        Now instead of auto-completing the fake email, I just get the warning popup. To avoid that, I have to disable the whole warning thing. I don’t see where my security improved, here.

        You will always have corner cases where users are annoyed by your warning. The consequence will be that they will disable it globally. As-is, this feature is useless.

      6. nwse wrote on :

        I have been using Firefox since it evolved from Netscape. I’ve been a software engineer for over 40 years. MattN, your reply above is extremely self-righteous and is perhaps in error. If you’ve read what the users have posted here, you should have been able to “hear” what you say you did not. You must not listen to your users. That is a pity.

        I do not want to switch to another browser. I value the extensibility of FF, that it is open source, that it is not produced by a for-profit corporation, and probably many other aspects of it. There has been some bloat which is quite concerning, and this attitude is also quite concerning.

        I would have to learn a lot of new stuff and spend a lot of time to try to fix the bloat problems and other bugs, but it might be possible. I can’t fix your attitude problem. I hope you will. And I hope you (and other central FF programmers) will improve the code. I will try to look at it, consider what I find troublesome, and seek to make constructive suggestions. I do appreciate the work that has been done. I also appreciate the intention here, but people have presented a lot of reasons to reconsider it. Perhaps you should. Is that possible?

        Thank you very much.

  49. Prakash wrote on :

    Out of the blue, firefox decided that it would prevent login to an external site that I have no control of. I dont care if every one knows my password. It is only a data site and I can always use some xyz123 type password for the website.

    Preventing a loging and not providing a workaround is really a pain, and a draconian measure. Stop being so troublesome.

  50. panin29 wrote on :

    How do I file a bug report on this “improvement?”

    This “feature” is causing my login on a secure company VPN to fail. I’m VPN’d in. The http:// address should work just fine.It always has before. I’m already protected.

    For four days it was a nagging message and I could still log in quite safely, to the htpp:// address with my secure VPN connection in place. Now, it won’t let me log in at all. This is outrageous.

    How are you going to handle complaints like this from hundreds of business users who log into their companies from offsite using a secure VPN connection? Did you not think of this very common situation before you added this so called “improvement?”

  51. Grace wrote on :

    I am not worried about putting my password on this site as it is a one time thing.

  52. Grace wrote on :

    I am not worried about putting my password on this site as it is a one time thing

  53. Harald Demmer wrote on :

    It´s a bit silly that this comment about insecure website appears when I Iogin to my internal fritz.box system. This will never be a https-website, it´s not a website at all. I wonder if anybody could see my special fritz.box-password outside of my (also with a special password protected) wlan. I do ignore the comment in this case. Sorry for my bad English.

  54. Ivan wrote on :

    Bye Bye Mozilla, such a great tool has become useless because its developers are a bunch of tools. You deem sites such as NFL.com and ESPN.go.com as unsecured connections – laughable. I am tired of you forcing what you consider “technological advances” that may work in your IT world but here in real life it adds another level of frustration to everyday people. Going back – sigh – windows after so many years.

  55. steve heller wrote on :

    This is VERY ANNOYING when I log into my router’s web page. It is not accessible from outside my network, being a 192.168.xxx.xxx address, so why am I being subjected to this nuisance? You should be clever enough to exclude non-routable addresses from this check.

  56. Philip Clayton wrote on :

    I am sick of not being able to save password because of this stupid system. I have an account that has been in use for 12 years and nobody has ever hacked it. I use it for betting on horses and EVERY single time I go to the page I have to go through the entire process of loohing on again. I DON’T WANT TO. Firefox is screwing up my personal computer. If I want sites to remeber my details and login password that should be my choice, not yours.

  57. Caro wrote on :

    Luckily this “improvement” is easily disabled or I’d be looking for a new browser. To “assist” developers you are now inconveniencing all the rest of us.

    1. Robert wrote on :

      Pale Moon. I went with that after the STUPID changes to Firefox blocked setting cookies that I need for the rst of the site.
      Iframe populated with https login form. Password encrypted for trip to server where compared to encrypted password from database. Nothing human/machine decipherable. The warnings are BS.

  58. Woo wrote on :

    This may be a good idea for the “average” user, but it’s quite annoying for people who actually know what they’re doing. Thankfully, it’s easily disabled. There are so many fields that FF shows this warning even though they are not even login related (like every second configuration GUI for routers or Asterisk or tons of company internal tools..)

  59. JGBJ wrote on :

    The login page is https but the warning still shows. I log in to multiple pages where this is the case.

  60. Mr Stewart wrote on :

    Should my DSL modem/router be giving me The connection is not secure message? the 192.168.0.1 one?

  61. Dan Tatar wrote on :

    this new feature is Stupid!!!!!
    i am logging on to my Bank, and it is telling me i can’t use my saved password – just stupid

    i am a general user – i don’t want firefox to stop me from using saved password to my fininical institutions.

    Stop trying to help when you create more problems to a general user.

    i can’t understand how to stop this function with the directions.

    Firefox is a really great framwork to use – i love it, but NOT in this case.

    you are hurting the General user who is not a computer geeek, no offence to computer geeeks, but the general user who just want a good serce engin does not need you FORCING me not to use saved password – on a banking web site.

    PLEASE STOP TRYING TO HELP ME – if i goof up — i goof up – you are forcing me to do thing your way and i don’t want that.

    STOP IT !!!!

  62. Graham wrote on :

    This is the stupidest most nannyish idea ever!!!! Consider this scenario. I am a website developer. I log in to dozens of websites of my customers where I have no control over their hosting arrangements and whether or not they choose to secure their site with an SSL certificate. I use a different username / password combination for every site. With this childish, hand holding interference my job has become ten times harder. There isn’t even an option to say “thanks for the warning but I know what I’m doing so don’t bother to tell me again for this site”.

    I know you think you’re helping idiots who cannot be bothered to maintain good password discipline, but frankly that’s their own problem and if they get their passwords stolen, their bank accounts emptied or whatever THAT’S THEIR OWN FAULT! Don’t f**k up this browser for those of us who know what we are about.

    I have used Firefox for over a dozen years now. I love it. But unless you regress this change I will stop using it.

    1. Musicalymia wrote on :

      Hear, Hear!

  63. MIFFA wrote on :

    Ridiculous and an absolute pain in he backside when using FF in a business environment, accessing sites within a locked down business environment!!!

    Give us an option to opt out of this mess!

  64. Kim wrote on :

    This is a seriously annoying glitch, to the point that I would like to revert to the prior version. I get this stupid notice on several sites that I use on an closed network that I have no control over. If I can’t stop this, I will have no choice but to switch to a different browser. Please don’t fall into the Yahoo trap of “ooh, isn’t this cool” without considering how it will affect the average user.

  65. Radek wrote on :

    i have updated on Ubuntu Firefox yesterday and i have not suspect to can’t store login and password.
    I understand that thing sites must use https (SSL/TLS) on pages with forms and notifications are correct
    but i have not suspect i can’t store password. It do not protect users before theft logins, passwords.
    It is only blow in the users because i can log in but i can’t store. In the world are other webbrowsers i can use other, many peaople ask me why you use Firefox, Chrome is better and until now i haven’t reason to migrate to Chrome or any other wbbrowser. Password manager is important for me and i think for many other people and that will hiccup for Mozilla.
    Even on Firefox for DEV i can’t store passwords on none crypted sites.
    The solution is in config give possibility to set trusted IPs separated by ‘,’, or by ‘;’ for many IPs.
    I do not update Firefox on other PCs untill i have solution like above and if i will wait too long then i migrate and tell everybody else to change webbrowser.

  66. Craig wrote on :

    While the technical and security reason for this change is noted, the impacts caused to commerce are already significant. For some they are trapped in an environment which is not easy to change over night, in some cases not possible at all, however take the example where an http site uses a one shot password, the information is of minimal value during that session, the payment gateway redirects to an https site where the visitors payment details are never seen by the http site. Also mechanisms built to track the users typical details such as IP address and Geo-location which alerts sys admin to unusual behaviour. Password rules that ensure that it is unlikely that the user reuses the same weak password on our sites because of strong password rules.

    These are all procedures that we have implemented since 2004 and can say that customers data has never been breached, we monitor hourly 24 x 7.

    Why have we done this, because we are trapped in an environment which is difficult to move from, and we understand that login details are insecure in http, but with that understanding and constraints we have been successful in preventing unauthorized access and data through our web security code has blocked any attempts.

    A majority of uses know what the padlock means, to impact the password field with your warning is over the top when we have addressed the issue with that understanding, and FireFox is now in a destructive way turning commerce away for a majority of sites.

    A heavy handed approach is not the solution.

    1. Musicalymia wrote on :

      Amen!

  67. Carl wrote on :

    This is stupid. Not FF place to determine what I use or were I go. Used to be a great thing now it’s just a nanny state. Time to listen to the folks who use our site and not what you think they want. If I go to a insecure site and have info stolen or computer corrupted are you going to pay for repair ? I DON’T THINK SO. So in that case stop the games. You are losing users and just plain making people unhappy.

  68. joe wrote on :

    I get this message when going to my local blueiris server at 192.168.x.xx I don’t see why it should get that message. Wouldn’t you need to be on my network to steal/intercept the password.

  69. ExGamec wrote on :

    This notice is suck. Manytimes I clicked on it and a popup windows was opened in stead of right username from saved form. This is real SUCK

  70. sherry fundin wrote on :

    You took a good thing and made it SUCK!!!!!!!!

  71. Michael wrote on :

    I know it’s going against the trend but I’m with Mozilla on this one. And yes, I do have a website which is now showing the message but because clients can login and spend money it will need to be corrected. As it stands our customers are not receiving the fully secure environment they are entitled to.

    Some of the comments above have spoken of moving to other browsers. That’s removed the warning message for them but the site they’re visiting still has the same security vunerabilities it’s just that they are no longer being made aware of them. So it becomes a question of choice: surf in ignorance of the vunerabilities or suft with the knowledge that if you proceed to login your details may be compromised.

    Personally, I think given the attention this issue has received it wouldn’t surprise me if the other major browsers start implementing this feature too after all they won’t want to be see as not caring about their users security.

    I have to agree with some of the comments above (not the vitriol) about the way this has been implemented. Personnally, I think a simple toggle button on the toolbar would have been sufficient to implement the two choices: surf in ignorance (toggle red) or surf securely (toggle green). The first would give the user the same experience they had prior to this, the second the new security alerts.

    From my own personal experience a lot of users don’t pay much attention to security becuase they expect it to be implemented as and where necessary to protect their details. Many websites that are showing these issues would have been built with the best understanding of security their creators had at the time. I my case the approach was the recommended technique at the time for implementing our login box Clearly, that was insufficient if the warning appears but it’s not Mozilla fault for pointing out the problem.

    Shoot the messager, I think not, we should be thanking them for bringing this issue to the attention of the web.

    1. Musicalymia wrote on :

      It should be up to a website developer to properly secure their website. A developers lack of due diligence should not cause the rest, who have followed proper protocol to have to deal with the problems this new “feature” causes. That is silly. If you don’t have an SSL on a portal that collects sensitive information then SHAME ON YOU! But, don’t spite me in the process. That is a horrible way to go about it.

      1. Michael wrote on :

        The way I’ve rationalised it is like so: who is affected by the week security on some websites? At the end of the day it’s the user, not the website developer, who ends up with their bank account emptied or their precious online data stolen. The only tool between the user and the website is the web browser. So where best to alert the user to potential security vunerabilities but at this common junction.

        I fully agree that this feature could have been better implemented but at the end of the day either security is important or it isn’t. Certinally, over the years I’ve seen security become more and more prominent. There are things not allowed today which only a couple of years ago were the norm.

        People appear to be taking this personally, as if somehow it’s pointed a finger at them and said “you don’t care about security” whereas the issue is a bit more complex.

        Sites that carry out commercial dealing with people or retain information of a sensitive nature should always implement the best security they know about at the time of writing or updating their sites. It’s certinally no reflection on them, or the site developers, if the security landscape changes in the future unless they ignore the need to adjust to the new requirements in a reasonable timeframe. If sites do not take steps to protect a users information why whould users continue to give them their business?

        There are sites out there which require login but which doen’t really store any sensitive information. Hard to say what’s the right approach here but equally how can a browser differentiate between this type of site and a commercial one. From the browers perspective, the page is asking for username and password details but the page is not https.

        No one who moves to a different browser to avoid the security message is any more secure than under Firefox, they will simply be unaware if a site poses a potential security risk!

  72. Opsimex wrote on :

    I’d like to add my 2 cents here. I’m a network admin. A site I manage has a couple of internal sites located within the same virtual host on the same virtual wire.

    One of the sites is for an internally hosted company email server and the other is the internally hosted helpdesk. The users accessing these internal sites are all on a virtual terminal server, all of which reside on the same virtual network segment.

    I have to say I was so proud of the users that reported this new Firefox “feature” – they wanted to know if it was ok to sign on to the same (internal IP address) email URL they’ve been using all these years. I told them no, it is NEVER safe to ignore security warnings.

    Another texted me saying hey, I was gonna do a ticket on the email error, but I got the same “error” on the help desk login. Is it safe?

    Again, I answered no, it is not safe to ignore security warnings.

    So, my quandary. The users responded to the new warnings generated by Firefox as they have been repeatedly trained to do – they stopped doing what they were doing and called IT. And I had to effectively shut down email/internal IM communication because security exceptions are a very very slippery slope with users. I refused to grant any exception.

    I have a quick work around – I changed the URL on the terminal server public desktop profile email shortcut to point to the external URL that only responds to HTTPS and has a public cert. That has issues of it’s own, but they are unrelated to HTTPS and this topic specifically. It will work for now.

    As to the helpdesk webpage – suffice it to say I am not buying a @#$@%#^%@ cert for it.

    On the long term I will likely change the respective shortcuts to force IE 11 for these internal sites. IE 11. Let that one sink in FF crew.

    Unintended consequences are a bitch. Provide a way to white list URLs.

    Do not tell IT to go buy something – IT dollars are more precious than “precious” in the real world.

  73. Frank wrote on :

    All your angst about re-use of passwords is just plain foolish.

    I have been telling people for years that they need only two passwords – one to be used on all sites that do not have sensitive information (forums, news sites, etc) and the second for use ONLY for sites with sensitive information (banks, credit card companies, etc). The second must be very difficult to guess, created with all the safeguards possible (alpha and numeric, upper and lower case, punctuation, etc).

    It is then not at all important if the first password is stolen/cracked; but the second must be kept secret and changed fairly regularly. As the second is only used on a few sites, change is easy.

    To suggest that passwords should not be re-used is pretty stupid – if every site needs a different username/password pair then inevitably the details will be written down somewhere. And for most people the biggest threat is the old problem of theft, particularly of laptops. So your house is burgled and the thief walks off with your laptop and the post-it stuck to the lid with your usernames and passwords!

    And don’t suggest some password repository/software. With all the hype over hijacked information from “secure” sites, many people will simply not trust any third party storage of sensitive information.

  74. Musicalymia wrote on :

    Trash Trash Trash. You are only thinking of yourselves and covering your butts. You need to start thinking from the Users perspective. You can’t expect web devs to walk every user through turning off this STUPID notification. They don’t understand it. I get calls daily now about it from our web development customers. They just see a warning. It is alarming to them. They have no idea what it is about or what it does. SHAME ON YOU FIREFOX. You are screwing developers. It should be up to the website developers to properly secure their websites. It is not your job to be internet police. You are supposed to make a user friendly internet browser. Not a warning system for every tiny thing on the internet.

    I urge you to reconsider this horrible eye sore of a notification. I could handle the address bar icon. But this is too far. It looks more like you are trying to control the internet this way. Chrome is looking awfully good these days…

  75. Aurora wrote on :

    This suggests that it gets more and much more
    applied to the enhanced blood flow to your penis after using the
    pump, and starts off to adapt so it has a larger blood capability.

  76. imwilk wrote on :

    Clearly Mozilla has decided they know best. Every were you look where this feature is discussed the majority are either against it or have shown where the implementation is seriously flawed. Yes when the browser mistakes a crossword puzzle as a password entry panel there is a problem. But beyond that, was it not Mozilla that asked everyone to go away from certain other browsers because they were pushing things on us? We don’t need Nannies nor is it the place of the Dev’s to insert themselves as Nannies. What’s next, a block that will not allow us to put in a password on a sight not deemed secure by the Mozilla Dev team?

  77. John Jensen wrote on :

    As a very security minded user even I want to know how I can turn this nonsense off.

    People readily use their insecure cell-phones for communicating on the internet, even using Google who openly states that they register every single step and read your mails. For the same reason my phone has never been, and never will be, on the internet.

    Of course we reuse passwords – who on earth can remember 20-25 different ones, expiring at different times and having different rules, without using the “remember password” function? Without knowing I guess that can be hacked too.

    I was IT manager in a very well-known global company who had very strict rules for the many systems users were using simultaneously. Different user-names, different passwords of military strength. But not more secure that most had them written on a post-it under the keyboard or in a drawer as it took 3 days through registered mail to obtain a new one when you forgot. Solution? Users used the colleagues thus short-cutting everything created with the best intent, but forgetting that is was to be used by humans.

  78. dsponu wrote on :

    Is there a way to disable this stupid and ridiculous crap. Its on a website I don’t care about and it is just a stupid game. If i don’t want firefox telling me to basically not use the site, I should be able to turn this useless and annoying function off. I ONLY used firefox for this one game site but clearly you don’t give a crap about your users and force as to use absolutely ridiculous features and don’t even give us the option to disable this stupid function. Guess I will no longer be using firefox until this is fixed.

  79. NCAA Final Four wrote on :

    Hi to every one, the contents present at this web
    page are in fact remarkable for people experience, well, keep up the nice work fellows.

  80. Boba Fett wrote on :

    My phones are tied up…my time is wasted…Mozilla owes me a big paycheck for having to explain this mess that they’ve made to my customers that are scared as hell that their Firefox web browser is notifying them that msn.com (among many others) is “not secure.” Many are convinced they have a virus or that someone is hacking their home computer because of this stupid update Mozilla decided to do… Here’s what mozilla has accomplished for your basic, no-nothing, internet web surfer… they’ve just increased business for these fake fraud scam remote “tech” guys who will play along with the thought that these people are infected and proceed to charge them hundreds of dollars for doing nothing but adding to their fears. I’m no longer recommending Firefox because I know all to well the sad truth of how ignorant and easily scared these people are. Mozilla, you just added to the remote tech fraud plague that’s been going around…GG

    1. Boba Fett wrote on :

      I knew I shouldn’t have come to work today…April 1st even…

  81. Patricia wrote on :

    I have a web site via WordPress and have had for years. Now getting the Mozella insecure site message when I log into my administrator account with them – never did before. Hard to believe that WordPress is insecure. Does anyone know if this is true? And how do I get rid of the message so I can log in normally
    thanks
    Pat

  82. selestine january wrote on :

    how can i open access if i have forgoten the password

  83. Sap wrote on :

    Security cameras, home routers, cheap NAS, home network printers, Access Point, etc. are not supporting SSL/TLS. Do Mozilla’s developers really thinks they can rule the world and by adding a such annoying with no disable button capability will force Chinese producers and vendors include secure protocols on their devices? I don’t think so, it will just annoy the final user of the browser and make it move it to another non-bothering alternative such as Google Chrome. Why not just create a RED ESCLAMATION MARK next to the password field? Why not just surrounding the password field with a red or green border to highlight the insecure or secure interaction? Why such a BIG BANNER covering the fields below the password fields. Guys you should calm you ego down and think twice… Last post using Firefox, moving to Chrome or Opera.

  84. car insurance wrote on :

    I like the helpful information you supply for your articles.
    I’ll bookmark your blog and take a look at once more here frequently.
    I’m reasonably sure I will learn lots of new stuff proper here!
    Good luck for the following!

  85. Angry wrote on :

    LET ME DISABLE THIS SHIT!!!

  86. Irritated wrote on :

    There I was blaming Oracle again and all the time it was Firefox screwing up my life. Not only does it cause problems at log in but Oracle now takes a few attempts before it will log in successfully. Nice one! Time to switch browsers? Alternatively the option to “disable” would be nice?

  87. name wrote on :

    Why enforce without beta testing and making sure it works before roll out. As usual it is we who are the beta testers.

    So we set this and forget it forever like many other firefox settings that have been set to work around firefox problems or bugs.

    You can remove it yourself by setting this pref to false: security.insecure_password.ui.enabled

    Setting signon.autofillForms.http to true will get you autofill on insecure websites back.

    I did read this and ythough yes but if was to be a preference in the settings Ui would be much easier to manage.

    security.insecure_password.exception_ranges = (IP address or range notation)

    Examples:

    security.insecure_password.exception_ranges=192.168.0.0/24
    security.insecure_password.exception_ranges=192.168.0.0/24,192.168.5.1-192.168.0.5.3
    security.insecure_password.exception_ranges=127.0.0.1

    As usual firefox/mozilla doesn’t think of the end user. Someday can we have back the browser we prefer that is not intended to be some mobile browser. This is said with all previous options and preferences not popup types or seperate page types. I know add-ons etc but they are soon all gone.

    What of the old add-ons is firefox going to have an archive of those we can download including their add-on page. Sometimes even if you think it is for the better we need to use something that isn’t. That s our choice not yours. As this example enforcing something without thinking about it first, making sure it works where and when also how does the user manage it.

    Final is firefox under new managment over the last dektop browser many years trying to be a mobile browser. Changing drastically the loook and feel of the browser for teh worse. to cap it all of now wants to be a google browser. If we needed another browser we would use one. Likewise if we wanted a shit browser we would ahve asked for that but didn’t expect firefox to go the way it has.

    If it was not for NoScript I would have stopped using firefox long ago. But google owuldn’t have me likes to harvest my our data to much. Ie no says it all. Opera no thanks not many left and what there is are only clones of what is. Damn have to stay with firefox until there is better and noscript suite add-on available to use on it.

    NoScript Suite should be an add-on available for every browser now and forever since it is very needed. And if ever incorporated in firefox would be the end of it I guess or some firefox-mobile-google-type desktop browser no one wants to use.

    By the way why does the browser sit tehre forever spinning away getting nowhere fast. Is this some bug this is something that I hate already weith newer firefox, damn it is slow at getting anywhere on thh web.

  88. kathleen wrote on :

    I cannot stay logged into my online university library. I will do a search attempt to get the full text version of an article, and it knocks me off and then I have to resubmit my password, It seems to shut me off everytime I try to connect to the full text! any more.

    This is messing me up as my entire course is on line, and all access on line, and I am rejected time time again off my library. I cannot get the literature searches completed for my papers etc because of it. The school had even recommended Mozilla Fire Fox browser for best function of black board etc, but I am so frustrated. Can we turn this off, or do I just have to use another browser?

  89. GeorgeF wrote on :

    I don’t know if anybody at Firefox is still monitoring these messages, but one page on my website is getting flagged by this thing as insecure, and I have no idea why. It does not employ any login or password.

    In general, though, it seems to me that you should consider implementing a whitelist of some kind, to allow users to keep logging in at sites that do not involve sensitive information but only use a login procedure as an alternative to storing cookies. In addition to the intranets and such that folks here have already complained about.

  90. Anthony Bodo wrote on :

    Tanvi, I have to log in to my own website and I get the error “Insecure password warning in Firefox”.
    This is absolutely ridiculous.
    Do you have any idea what security is?
    Well I will explain you in 1 statements with my 30 years in the IT industry.
    Bellow is the 1 statement.
    The problem is the computer, networking and data communications industry has been monopolized.
    Why don’t you look back in the computer networking and data communications industry and stop brainwashing me with your security crap.
    If you have any questions you can contact me at anthony.bodo@gmail.com

    Anthony Bodo

    Pure Energy LLC

  91. mirror wrote on :

    Ah, so this is why suddenly none of my saved passwords will load in Firefox. I’m not even lucky for it to show my username when I click on the field, I have to enter it manually before it will populate the saved password. I dont care what people steal from logging into these sites. I need them for work; they have no personal information and I dont stupidly repeat my ‘whatever’ password on important sites like my bank account. Guess I’ll go to Chrome.

  92. Ian wrote on :

    Can we turn this feature off, or at least have it configurable.

    I understand why it as been brought in, but Mozilla is becoming more and more Big Brother, imposing features that some techie thinks is needed. It used to be for the people, offering flexibility to the user. Now edge is far better and this has gone down the pan and become another IE.

    Always think of the customer/cnsumer – you used to!

    1. Ian wrote on :

      PS security.insecure_password.ui.enabled does not work I still get the warning with it set to false!

      1. AnEv942 wrote on :

        security.insecure_field_warning.contextual.enabled true
        right click and TOGGLE to false. The pop up box with warning will no longer appear

        security.insecure_password.ui.enabled true
        This, previously mentioned as a workaround, only turns on the red lock symbol in the address bar when logging in HTTP site.

  93. Thoát vị đĩa đệm Sài gòn wrote on :

    It’s a shame you don’t have a donate button! I’d
    certainly donate to this brilliant blog! I guess for now i’ll settle for book-marking and adding your RSS feed
    to my Google account. I look forward to fresh updates and will share this site
    with my Facebook group. Talk soon!

  94. joergy wrote on :

    The majority of our customers don’t understand that “insecure field warning” is not coming from our web application but from their servers. So we are blamed and loose customers.

    Those who activate HTTPS on their site especially with 301-redirection from HTTP to HTTPS run into other problems with certain clients. Because not all clients already support name based HTTPS (SNI server name indication) connections.
    To adapt our clients to SNI costs us 1.5 man-months. Costs we can’t explain or pass to our customers.

    Thank You Firefox for damnifying our company!

  95. news wrote on :

    Do you mind if I quote a couple of your articles as long as I provide credit and sources back to your weblog?
    My blog site is in the very same area of interest as yours and my visitors would definitely benefit from a lot of the
    information you provide here. Please let me know if this alright
    with you. Regards!

  96. Valery wrote on :

    I propose a solution.
    1. Download version Firefox 50.
    2. To turn off automatic updates.
    3. To install a version of Firefox 50.
    4. To remove the current version of Firefox.

  97. AnEv942 wrote on :

    Tanvi Vyas
    What the heck? Just upgraded. Ya know there was a reason I switched from IE to Firefox…
    New added features should at minimum have the ability for end user to control-regardless
    of how powers that be Know whats good for us. I thouhgt Mozilla was a communtiy unlike MS that actually listened to its users?
    Searching for information and finally finding this reference to disable just shear luck.
    resorting to about:config should NOT be the option.

    about:config find 2 settings below and toggle/change Value
    Setting
    security.insecure_password.ui.enabled false

    Setting
    signon.autofillForms.http True

    Still window with text comes up…where is content of the text stored?

  98. Igor Levicki wrote on :

    Another retarded move from Mozilla developers who think they are God given and know everything better than their users.

    This warning will trigger even for a form which is submitted over HTTPS if login page where the form is located was fetched over HTTP.

    I am all for TLS everywhere, but with things like this you are just annoying users and conditioning them to ignore the warnings.

    As for “buy domain and get certificates for LAN” this is the most retarded thing I ever heard. Not everyone knows what the domain is (hell they even might not know difference between LAN and WAN), much less how to get certificates and no, they are not cheap and setting up your own CA and issuing and loading certificates to all your devices is a damn chore even for me who is a writing code since 1982.

  99. Terry wrote on :

    Oh dear, well intentioned actions, but the warning covers the password field on every site, even logging into my own Freenas server, is now a pain, (perhaps I`m phishing myself!), this is a really well intentioned move, but as they say the road to hell is paved with good intentions, and are you really naive enough to believe all these sites will change overnight to HTTPS because you demand it? if so you need to get out more,is there really no other way to change whats broken other than forcing your users into a conscripted army of moaners, I know this is important but WE really have no control over other peoples websites, and if you are suggesting we boycott EVERY site that refuses to use HTTPS then you clearly are living in la la land, you really need to reconsider this ill considered move

  100. Thomas wrote on :

    More than anything, this is merely an employment scheme for programmers (like many of the so called ‘improvements’). These browser warnings will hurt website owners more than any unsecured web page that does not really transmit sensitive data as uninformed users will be scared away. Not to mention the performance drop of the website (according to my tests the load time increases by at least 50% on a shared host) I reckon the next suggestion will be for every website owner to purchase a dedicated server for their website in order to improve performance. Web hosting companies as well as certificate issuers will be already rubbing their hands (Lets Encrypt may be free but is not recommended for ‘mission critical’ sites according to our web hosting company).

  101. Howard E. morrow wrote on :

    HOW can I make the https appear?

  102. RickH wrote on :

    I see so many references to using Lets Encrypt. So alright I am going to give it a try. GOTCHA! My sites are hosted at an internationally known company and it doesn’t support Lets Encrypt. So stop saying Lets Encrypt solved this problem. It may for those of you who use Joe’s Hosting. So now I need to buy an SSL cert from a real company and pay for it yearly for something I dont even want or need. By the way none of my sites use or require logins. However Firefox detects the form submission used for changing from page to page as insecure. In this form this idea was not properly thought out.

  103. Tha Cleaner wrote on :

    Clearly shows that FF did not have a good idea what the impact for this would be.
    Internal sites should be by default excluded. Now with all Internal sites, we get this message. No central manamant possible to disable this is. On every FF browser on all my PC’s I have again this issue.
    On my work, SD performs a profile reset => FF messages are back, and a new SD call is made.
    Very user unfriendly.

    Lucky we also have Chrome, that has a lot better solution/implementation for this and is now your advice for our end users. Use chrome and your issues are gone.
    It also has a more stable user interface and less “addons” that you don’t need. It a webbrowser, that works.

  104. AnEv942 wrote on :

    Finally found setting to make the box and text not appear. Why was this simple toggle not mentioned for those who do not want to be reminded that HTTP login is not secure?

    Type about:config in the address bar- accept the risk
    find
    security.insecure_field_warning.contextual.enabled true
    right click and TOGGLE to false. The pop up box with warning will no longer appear

    find
    signon.autofillForms.http false
    right click and TOGGLE to true. Login in field(s) will auto fill

    find
    security.insecure_password.ui.enabled true
    This, previously mentioned as a workaround, only turns on the red lock symbol in the address bar when logging in HTTP site. Toggle value to false turns it off. Does not interfer with logging in so I toggled back to true, I can live with that-

  105. WilmaAdams wrote on :

    I have never had this problem before. Can you help me? Wilma Adamas

  106. William wrote on :

    I don’t even understand the difference between HTTPS and HTTP 🙁

  107. Frank wrote on :

    Since firefox updated I am NOT able to enter and reply on this web site. I have looked all over for a way to allow me the excess this site but all have failed. THIS SUCK THANKS

  108. ted wrote on :

    I have to say, I am baffled by this thread. I am a non-technical person who runs a couple of WordPress blogs for professional purposes. It took me very little time and effort (and no money) to obtain Let’s Encrypt certificates for my sites. If I can do it, then I have to believe that the folks who have angrily commented and who say they are professional developers can do it. It also seems to me that a lot of people who have commented don’t really understand the risks to their users, particularly given the human tendency to reuse passwords. As a customer, I would not really want to do business with folks who are as cavalier about my username and password as some folks on this thread seem to be.

  109. spanish to english wrote on :

    Firefox determines if a password field is secure by examining the page it is embedded in

  110. lambanghieutoanha.com wrote on :

    Thank you for this article. I have a question is betweeen HTTP and HTTPS which protocol is faster than ?

    1. Joey Jr. wrote on :

      HTTPs protocol is faster!
      HTTPS uses very strong public-key cryptography to encrypt the connection between a client (often a web browser) and a server. No one but the server and the client can know what is being communicated. That requires an SSL certificate, which serves to verify the identity of the server via a certificate authority and provides the keys that are used to encrypt and sign data. Especially, the display in Firefox 51 is very good!

  111. John wrote on :

    I am having the same issue as some here. Cannot connect to my firewall webmin page which is internal and not accessible from the internet and IS setup to only allow ssl connections (which firefox is refusing to connect to and not even allowing me to “add an exception” like it used to-why not, isn’t it my fucking choice here????) so I cannot now use Firefox for a normal http session to connect to my firewall and my two AP’s. How can I manage and troubleshoot my own fucking nextwork without being able to access the webmin pages of my devices? Can someone at firefox PLEASE tell me that???

    Well, I CAN TELL YOU HOW-I AM USING FUCKING CHROME and after this post will simply uninstall firefox–buncha hypocrites-sending me all that crap about freedom of speech and BS and then locking me outta my own fucking network devices because of some stupid fucking bullshit…

  112. ESNART KAITANO wrote on :

    I am failing to log in my password to continue filling the Enrollments forms

  113. Dennis Homant wrote on :

    As a user I am going to stop using Firefox. this is the most annoying feature I have run into and I cannot shut it off!

  114. sULABH wrote on :

    I Am using for my website NetSuite so don’t need a TLS Certificat and it’s a secure site but FireFox giving this warning of insecure on password field in my side for my users then how can I prevent this popup on for all my users

  115. Monthly Calendars wrote on :

    Web hosting companies as well as certificate issuers will be already rubbing their hands (Lets Encrypt may be free but is not recommended for ‘mission critical’ sites according to our web hosting company).