Login form on your non-HTTPS webpage? Firefox will display a warning

Graham CLULEY

January 29, 2016

Do you run a website that asks your users to login to their account? If so, do you request those login credentials over HTTP rather than HTTPS?

It turns out that many websites do, including some big names who you would think would know better.

For instance, British supermarket Waitrose and the Royal Mail.

Now, it is possible that the developers of these websites believe that they have protected users’ passwords from hackers by ensuring that anything entered into those fields is posted securely via an encrypted HTTPS connection, but as security researcher Troy Hunt explained a few years ago, there is still a problem.

As Troy demonstrates in the above YouTube video, transmitting login credentials over HTTPS does prevent hackers from snooping on the network traffic and grabbing users’ passwords, but it doesn’t stop a man-in-the-middle attack from stealing the password as it is entered into the unsecured HTTP form.

The answer is simple. Put your login forms on HTTPS pages, not HTTP pages. If you are not able to move your entire website to HTTPS just yet then at the very least create a separate login page that is served via HTTPS.

In an attempt to encourage web coders to make their sites safer for users, the latest developer edition of Firefox now warns when you visit a non-secure webpage that includes a form containing a password field.

And, if it finds one, it will display a padlock with a red slash cutting through it in the URL bar.
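The check Firefox is applying here is a simple one to reproduce for your own audits. The script below is an added example, not Mozilla's code: it parses a page with Python's standard library, finds every form holding a password field, and flags it when the page itself is not served over HTTPS, regardless of where the form posts. It goes one step further than the article and also flags an HTTPS page whose form action points at plain HTTP. The `example.test` URLs and markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormFinder(HTMLParser):
    """Collect the resolved action URL of every <form> holding an <input type="password">."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._current = None        # resolved action of the <form> currently open, if any
        self.password_forms = []    # action URLs of forms that contain a password field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no action attribute posts back to the page itself.
            self._current = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # A password field outside any <form> is treated as submitting to the page URL.
            target = self._current if self._current is not None else self.page_url
            if target not in self.password_forms:
                self.password_forms.append(target)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return findings for one page, following the rule Firefox applies to password fields.

    The decisive test is the scheme of the page carrying the form, not the scheme of
    the form action: an HTTP page can be altered in transit before the user types
    anything, even when the action is HTTPS. An HTTPS page posting to HTTP is also flagged.
    """
    parser = PasswordFormFinder(page_url)
    parser.feed(html)
    findings = []
    for action in parser.password_forms:
        if urlsplit(page_url).scheme.lower() != "https":
            findings.append(f"password field on non-HTTPS page {page_url}")
        elif urlsplit(action).scheme.lower() != "https":
            findings.append(f"HTTPS page submits password to non-HTTPS action {action}")
    return findings


# Constructed sample markup (not a real site): an HTTP page whose form posts to HTTPS.
HTTP_PAGE = '<form action="https://example.test/login" method="post"><input type="password" name="pw"></form>'
```

Running `audit_login_page("http://example.test/", HTTP_PAGE)` reports the page even though its action is HTTPS, which is exactly the case the article describes.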

As Tanvi Vyas explains in a blog post, Firefox has been displaying alerts about the security issue via the Developer Tools Web Console since Firefox 26, but typical users are unlikely to have seen it there.

Since Mozilla and other browser manufacturers have made clear that they are working towards deprecating non-secure HTTP entirely in the long run, the warnings shown when a site is found to be insecure are only going to become more explicit and prominent.

In other words, sooner or later the regular version of Firefox will warn you about websites like Waitrose and Royal Mail if they ask you to enter your password on an insecure non-HTTPS page.

Indeed, right now you can configure your regular version of Firefox to display a visual warning when you visit a website with an insecure login form:

  1. Open a new window or tab in Firefox.
  2. Type about:config and press enter.
  3. Click past the warning that you will be careful when changing settings.
  4. Set the value of the security.insecure_password.ui.enabled preference to true if you want to be warned about non-secure login pages. If you later wish to disable the option, set the value to false instead.

If you’re a web developer, make sure that you understand the dangers of asking for login credentials on an HTTP page, and fix your site now before your users start complaining about their browser warning them that you are putting them at unnecessary risk.
