Hello admin,
I'm using Firefox 52 and now when I log in, my browser warns me of non-secure HTTP Login [1].
Login should always be done over secure channels (HTTPS, TLS).
Also there is Let’s Encrypt [2] that issues free certs (not sure if it's suitable for a big site).
[1]: https://cheapsslsecurity.com/blog/firefox-52-will-warn-users-for-non-secure-http-login-pages/
[2]: https://letsencrypt.org/
Pano said: I am also seeing this. We will have the backroom guys have a look at it. Nothing here has changed, as far as I know. Firefox seems to be the change.
Yes they are trying to scare people FOR NO REASON!!!!!
ALL SITES ARE NOT SECURE.... Even with HTTPS, the elite can still see everything!!
I hate Firefox, always have...... DON'T LISTEN TO THEIR SCARE TACTICS PLEASE GUYS!!
One VBB site I am on does have an HTTPS layer so if ppl want to use HTTPS they can (and the site stays in an HTTPS session) but they don't force it because it causes all kinds of connection problems for older browsers, etc........... (unless RC4 is enabled)
Do not use the same username or password for insecure sites as you use for shopping/banking etc. It is a valid warning that serves as a reminder not to do this.
https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861
Any site that does not use https seems to generate this warning IMLE with the latest version of FF. They should allow you to turn off this nag through the options dialog but they don't. They could have been cleverer and just flashed green for https and yellow for http. The fact that it seems to be less and less compatible with a lot of the web based tools I use at work in particular is forcing me back to Microsoft.
You can easily disable it in Firefox 52.
(1) type about:config into the navigation bar.
(2) accept the risk
(3) search for the preference security.insecure_field_warning.contextual.enabled
(4) double-click on it to change the value to false
(5) restart Firefox.
The warning will be gone.
Ya I did like Firefox V1.5 but it went downhill FAST and now is just overbloated garbage and it's sad........ A program goes from something SO GOOD to crap. (Although the same thing happened with MyIE -- it was a gorgeous IE wrapper and became crap. The last version of "MyIE2" is the last good version, before the name change to Maxthon.)
Invalid certificate?
I dug a bit further. If one attempts to login securely (i.e. https://www.diyaudio...etc.), more information appears. Firefox finds an invalid security certificate, apparently an unfinished dummy, based on the data (company = "My Company", expiration date 2010). Could this have anything to do with Firefox throwing the warning?
"www.diyaudio.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name www.diyaudio.com. The certificate expired on Saturday, January 9, 2010 5:15 AM. The current time is Wednesday, April 5, 2017 10:29 PM. Error code: SEC_ERROR_UNKNOWN_ISSUER"
A screenshot of the certificate data is attached.
Firefox finds an invalid security certificate...
I'm getting the warning now too, as of a few minutes ago. An expired security cert on the server was my first guess.
The site has never had https; it has always been insecure.
Just a word of advice for anyone using any internet service. Do NOT use the same password everywhere. Especially do not use a password that you use for secure transactions, e.g. PayPal, banking, whatever, on any other site!!
You should consider any site you log in to with http (does not show the little padlock beside the url) as being completely insecure and those login details easily captured.
Tony.
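The condition behind the Firefox 52 warning discussed in this thread, a password field on a page that is loaded or submitted over plain HTTP, is something a site owner can check across their own pages. The following is an added example, not part of the original posts and not Firefox's own detection code; the host forum.example, the sample markup and the class and function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormAudit(HTMLParser):
    """Flag password fields that are served or submitted over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (submit URL, [reasons]) per exposed login form
        self._action = None         # resolved action of the <form> currently open
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self._action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self._action is None:
                self._report(self.page_url)   # field outside any <form>
            else:
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self._report(self._action)
            self._action = None

    def _report(self, target):
        reasons = []
        if urlsplit(self.page_url).scheme == "http":
            reasons.append("page served over plain HTTP")
        if urlsplit(target).scheme == "http":
            reasons.append("credentials submitted over plain HTTP")
        if reasons:
            self.findings.append((target, reasons))

def audit(page_url, html):
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    parser.handle_endtag("form")    # flush a form left unclosed at end of input
    return parser.findings

# Constructed sample markup (hypothetical host forum.example), not from any real site.
LOGIN = '<form action="{}"><input name="user"><input type="password" name="pw"></form>'
SEARCH = '<form action="search.php"><input type="text" name="q"></form>'
```

A form that posts to an HTTPS URL from an HTTP page is still reported, because the page carrying the form can be altered in transit before the password is typed.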
FYI, we'll be upgrading to HTTPS in the near future. A lot has changed since the site was set up initially, and IIRC we didn't bake in HTTPS to our Apache config in order to help keep the site as fast as possible and take encryption load off the server. That's not really a consideration these days, so we'll definitely implement HTTPS as soon as we get a chance.
"we'll definitely implement HTTPS as soon as we get a chance."
Great news, I'm very glad to hear this.
-Gnobuddy
Jason said: FYI, we'll be upgrading to HTTPS in the near future. A lot has changed since the site was set up initially, and IIRC we didn't bake in HTTPS to our Apache config in order to help keep the site as fast as possible and take encryption load off the server. That's not really a consideration these days, so we'll definitely implement HTTPS as soon as we get a chance.
Please don't force it Jason...
Some browsers will not be able to directly connect if you only allow HTTPS.... It's not needed on a site like this!!!!
cellar.org has an HTTPS layer but they also allow http:// for those who can't or don't want to use HTTPS there........
"FYI, we'll be upgrading to HTTPS in the near future. A lot has changed since the site was set up initially, and IIRC we didn't bake in HTTPS to our Apache config in order to help keep the site as fast as possible and take encryption load off the server. That's not really a consideration these days, so we'll definitely implement HTTPS as soon as we get a chance."
Any update on this?