Insecure password warning in Firefox

[Mach]

Hi Songcrafters,

I'm not sure if this is anything to worry about, but for those who use Firefox are you getting a pop up in the log in window on this site? This just recently started after a Windows and a Firefox update. I haven't noticed it yet on any other sites where I log in. My version is 52.0.1.

Didn't we have the https:// in the past? I can't remember.

https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861

[launched]

I don't remember this site ever being SSL secure, and never really thought about it until now. Hmmmm

[Mach]

I don't remember this site ever being SSL secure, and never really thought about it until now. Hmmmm

Me either Mark. It think it's just a Firefox thing with their crazy update rituals. When I saw that it just put up a red flag because I've never seen it before. I believe Google also did something like this in the past.

[T.C. Elliott]

Here is an article about the change from the developers of firefox:

https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

Here is another article referencing both firefox and chrome:

https://www.thesslstore.com/blog/firefox-chrome-warning-about-insecure-login-pages/


I haven't found instructions for disabling the feature (I'm at work and limited on mess around time) but it's really just a nuisance at any rate. Both browser developers are trying to get webpage designers to use https instead of http sites.

[launched]

I believe Google also did something like this in the past.

That's what I use, Chrome made it a lot more difficult to get into a site with a self signed or expired certificate. And now there is an "i" next to an unsecure "http://" site url with options to allow certain functionality like java scripts, etc. But you can get right in.

Ideally we should all be using a separate computer for forums and social media, and keep our work/bill paying computers separate. I don't know if anyone can find the Craigslist "Porn Computer" listing - It's pretty funny and kinda like that!

[64Guitars]

That warning is just a new "feature" of Firefox 52. It doesn't mean there's any problem with the site. It's just a warning to let you know that anything you type into forms (such as your username and password) are unencrypted. So any hacker eavesdropping on your connection could potentially steal your information.

Songcrafters and many other websites and forums have always had an unencrypted connection. Many major sites still do (the BBC website is one example). If it's good enough for the BBC, it should be good enough for us.   Still, I will update the site to use encrypted connections in the near future, provided it doesn't cause us any major problems. For example, it might break links throughout the site that begin with http://songcrafters.org since the new, secure URL will be https://songcrafters.org. Although, I'm hoping I can redirect the old URLs to the new, secure equivalent. We'll see.

[64Guitars]

I still haven't looked into switching the site from http to https yet. But I came across an article today which shows how to disable this new "feature" of Firefox so you'll no longer get the warning message:

https://www.ghacks.net/2017/06/13/firefox-disable-this-connection-is-not-secure-warnings/


Basically, it boils down to this:

1) Enter about:config and search for security.insecure_field_warning.contextual.enabled.

2) Toggle the value from true to false.


Additionally, you can enable auto form fill for http pages with this:

1) Enter about:config and search for signon.autofillForms.http.

2) Toggle the value from false to true.