Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Why does this site have non-secure logins? Per Firefox anyhow.

  1. #1
    Senior Veteran ptrthgr8's Avatar
    Join Date
    Mar 2007
    Location
    Sovereign State of North Dakota
    Posts
    726
    Rep Power
    268

    Exclamation Why does this site have non-secure logins? Per Firefox anyhow.

    I got the new Firefox update recently (now using 52.0) and when I logged into the site today I received warning notifications from Firefox that this forums login isn't secure and login/password info could be stolen. Please note the warnings popping up when I click in the Username and Password fields:

    FFinsecure.jpg

    When I click on the "Learn More" text, it brings me to the following Firefox page which describes the security issue in greater detail:

    https://support.mozilla.org/t5/Prote...fox/ta-p/27861


    This is a new feature that is available starting in Firefox version 51.

    Firefox will display a grey lock icon with a red strike-through in the address bar, when a login page youíre viewing does not have a secure connection. This is to inform you that if you enter your password it could be stolen by eavesdroppers and attackers.

    Starting in Firefox version 52, you will also see a warning message when you click inside the login box to enter a username or password.

    What can I do if a login page is insecure?

    If a login page for your favorite site is insecure, you can try and see if a secure version of the page exists by typing https:// before the url in the location bar. You can also try to contact the web administrator for the site and ask them to secure their connection.
    Not recommended: You can also continue to log in to the website even if the connection is insecure, but do so at your own risk. If you do go this route, try to use a unique password or a password that you donít also use for other important sites.
    About insecure pages

    Pages that need to transmit private information, such as credit cards, personal information and passwords, need to have a secure connection to help prevent attackers from stealing your information. (Tip: A secure connection will have "HTTPS" in the address bar, along with a green lock icon.)

    Pages that donít transmit any private information can have an unencrypted connection (HTTP). It is not advised to enter private information, such as passwords, on a web page that shows HTTP in the address bar. The information you enter can be stolen over this insecure connection.
    Note for developers

    For developers looking to learn more about this warning, please see this page. The page explains when and why Firefox shows this warning, and will also provide some details on how to fix the issue. For more information, see this blog post and this Site Compatibility document.
    Apparently this has been an identified issue for two versions now (51.0 and 52.0).

    Any info here would be helpful. Thanks!

    ~ Greg ~

  2. #2

    Charlie Don't Surf

    M1 Tanker's Avatar
    Join Date
    Mar 2007
    Location
    Hawaii
    Posts
    6,176
    Rep Power
    426
    Well, nothing on our site changed, so no idea. I guess this would be a question for Vbulletin, but again we haven't changed anything. This is Firefox giving you information you never had before. Good thing we don't do any business transactions on the forum. If we did I would be a lot more concerned.
    In those moments where you're not quite sure if the undead are really dead, dead, don't get all stingy with your bullets.

  3. #3
    Senior Veteran
    The German's Avatar
    Join Date
    Nov 2012
    Location
    Cincinnati, OH
    Posts
    325
    Rep Power
    131
    The server that hosts the domain "militaryfirearm.com" would need to get a so called "SSL certificate" which is something the site owner can buy and have the hosting provider install. After installation, internet traffic will have to be configured to go through the "https://" protocol versus the current "http://" protocol. https automatically encrypts all traffic between the browser (your side) and the webserver, thus making it a little bit more secure so nobody can simply listen to the data going back and forth and read something like passwords in clear text.

    Companies like namecheap.com sell inexpensive SSL certs for <$10/year, in the past these certificates were much, much more expensive and not worth it for a forum site alone. And the more complex ones that for example turn the URL line in your browser green to show it is a trustworthy site, still cost a ron of money.

    I am personally fine with a site like this not using SSL as there is really no critical information on here anyhow, it would be different if a site stored personal infos like credit card data / SSN etc.

    Hope this helps.
    NRA Life member, Instructor and CRSO
    www.primercatcher.com

  4. #4
    Senior Veteran jbruney's Avatar
    Join Date
    Mar 2007
    Location
    South Texas
    Posts
    3,459
    Rep Power
    337
    I've not given much though to anything such as this before because of not handling business and such here, but am good with what we've got currently. Tried to use firefox in the past and didn't care for it.
    Joe
    COG#1453

  5. #5
    Senior Veteran sdk1968's Avatar
    Join Date
    Feb 2008
    Posts
    3,127
    Rep Power
    361
    its just not an SSL site...

    this is no big deal.

    nothing changed here on the site... you just now get a pop up from firefox or chrome about it...

    your passwords are just as secure today as they were yesterday or last week or any other day that you have them saved on your computer.
    say what you mean & mean what you say!
    TEC Tactical=SOT/07 i work there.

  6. #6
    Senior Veteran
    Join Date
    Mar 2007
    Posts
    1,628
    Rep Power
    232
    Wait, we arent supposed to put our credit card details in our signature line?!?!?!?!?
    Last edited by Enigma Nostra; 03-10-2017 at 08:24 AM.

  7. #7
    Senior Veteran ptrthgr8's Avatar
    Join Date
    Mar 2007
    Location
    Sovereign State of North Dakota
    Posts
    726
    Rep Power
    268
    Quote Originally Posted by The German View Post
    The server that hosts the domain "militaryfirearm.com" would need to get a so called "SSL certificate" which is something the site owner can buy and have the hosting provider install. After installation, internet traffic will have to be configured to go through the "https://" protocol versus the current "http://" protocol. https automatically encrypts all traffic between the browser (your side) and the webserver, thus making it a little bit more secure so nobody can simply listen to the data going back and forth and read something like passwords in clear text..
    Yep, that's definitely the issue. I checked it on a few other forums and I get the same behavior from FF now, but I also confirmed that those other sites are also not using a secure connection. It's clearly just something that FF started calling out recently, but I'm also surprised that any site asking for login creds isn't also using an SSL cert since they're pretty inexpensive nowadays (like you mentioned). As long as someone isn't careless and using the same creds on this, or other similar sites, as they use for sites where more important PII is being stored I suppose it's not a huge issue.

  8. #8
    Senior Veteran ptrthgr8's Avatar
    Join Date
    Mar 2007
    Location
    Sovereign State of North Dakota
    Posts
    726
    Rep Power
    268
    Quote Originally Posted by sdk1968 View Post
    your passwords are just as secure today as they were yesterday or last week or any other day that you have them saved on your computer.
    Which is to say they're not secure at all, by definition. On this site, anyhow.

    And if you're clearing out your browser cache regularly (which you should do - I have mine set to clear upon closing and I run CCleaner on a daily schedule, too), nothing's being stored locally anyhow. However, since the site isn't using a secure connection, a hacker or other bad guy could get your login credentials any time you login to the site because it's not a secure connection.

    As others have stated, it's probably no biggie. But I'm sure there is someone out there who uses the exact same login creds for this site that they use for their banking site or what have you. So, there's definitely potential for some bad juju, but I'd say that's 99% on the user (for being dumb enough to use the same creds in multiple places) and only 1% on the site owner (since, really, SSL certs are so cheap nowadays, why not have one?).

  9. #9
    Senior Veteran sdk1968's Avatar
    Join Date
    Feb 2008
    Posts
    3,127
    Rep Power
    361
    Quote Originally Posted by ptrthgr8 View Post
    Which is to say they're not secure at all, by definition. On this site, anyhow.

    And if you're clearing out your browser cache regularly (which you should do - I have mine set to clear upon closing and I run CCleaner on a daily schedule, too), nothing's being stored locally anyhow.

    EXACTLY. & yes i also do this daily.
    say what you mean & mean what you say!
    TEC Tactical=SOT/07 i work there.

  10. #10
    Senior Veteran
    The German's Avatar
    Join Date
    Nov 2012
    Location
    Cincinnati, OH
    Posts
    325
    Rep Power
    131
    First of all - what would the benefit for a bad guy be to figure out passwords here - pretty much none.

    I think it is nice that some browsers point "no ssl connection" out, because on sites dealing with personal information/credit card infos, one should be more concerned about not having SSL. On a forum though, there is close to zero incentive for a bad guy to even try to sniff the traffic and even if they had some passwords, worst thing they could do is post spam or that they liked Obama better, but that is pretty much as bad as it would get. Some cleanup, changing passwords, done.

    So, watch these warnings on other sites handling more critical information closely, but simply ignore them on forums like this.
    NRA Life member, Instructor and CRSO
    www.primercatcher.com

Similar Threads

  1. Harry Reid said the border is secure
    By RicePaddyDaddy in forum Politics
    Replies: 6
    Last Post: 07-18-2014, 05:28 PM
  2. More Issues With Mozilla Firefox
    By mitchstoner in forum General Discussion
    Replies: 13
    Last Post: 08-30-2013, 11:54 PM
  3. Secure the Border,Support Arizona
    By k98k792 in forum Current Events/RKBA
    Replies: 31
    Last Post: 07-08-2010, 10:09 AM
  4. 922(r) Site
    By Noskov in forum Build it Yourself/Gunsmithing
    Replies: 4
    Last Post: 06-03-2010, 12:19 PM
  5. Yet another place to secure your rights!
    By rpmfly2 in forum Current Events/RKBA
    Replies: 1
    Last Post: 05-05-2010, 01:41 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •