Firefox and Chrome Now Warning About Insecure Login Pages
Warning about Insecure Login Pages is just the start…
This week, Google Chrome 56 and Mozilla Firefox 51 were both released. These updates bring a new warning about insecure login pages, which appears prominently in the address bar.
This is part of the industry-wide campaign to move away from HTTP, which is insecure and leaves users’ online activity vulnerable to snooping, interception, modification, and much more.
Chrome 56 will show this warning for any password/credit card field loaded over HTTP.
This includes forms that post to HTTPS if the page itself is HTTP. Both the page itself, as well as the fields, need to be delivered over HTTPS to be properly secure and receive the “Secure” message and green padlock treatment. To help spread the word, Google has been sending messages via Search Console to warn admins if any unsecure fields are found on their websites.
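A site owner can check pages for this condition before the browsers flag them. The sketch below is an added example, not code from Google, Mozilla, or the original article: it flags password and card fields on any page not served over HTTPS, even when the form posts to HTTPS. It assumes card fields are marked with `cc-*` autocomplete tokens, which only approximates whatever detection the browsers use; the `example.com` URLs and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
class SensitiveFieldFinder(HTMLParser):
    """Collect password/card inputs with the action of their enclosing form."""
    def __init__(self):
        super().__init__()
        self.form_action = ""  # action of the currently open <form>, if any
        self.fields = []       # (kind, field name, form action)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = a.get("action", "")
        elif tag == "input":
            tokens = a.get("autocomplete", "").lower().split()
            if a.get("type", "").lower() == "password":
                kind = "password"
            elif any(t.startswith("cc-") for t in tokens):
                kind = "credit-card"  # assumption: card inputs carry cc-* tokens
            else:
                return
            self.fields.append((kind, a.get("name", ""), self.form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = ""

def audit(page_url, html):
    """One finding per sensitive field when the page itself is not HTTPS."""
    if urlsplit(page_url).scheme == "https":
        return []
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return [{"field": name, "kind": kind,
             # An HTTPS form target does not help: the page is still HTTP.
             "posts_to_https": urlsplit(urljoin(page_url, action)).scheme == "https"}
            for kind, name, action in finder.fields]

# Constructed sample: the login form posts to HTTPS, the payment form does not.
SAMPLE = """
<form action="https://example.com/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/pay"><input name="card" autocomplete="cc-number"></form>
"""

if __name__ == "__main__":
    print(*audit("http://example.com/login.html", SAMPLE), sep="\n")
```

Both fields are reported for the HTTP page, including the password field whose form posts to HTTPS; the same markup served from an `https://` URL produces no findings.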
In Firefox 51 the warning will be more subtle. The page will receive a “broken padlock” icon, which shows the padlock with a red strike through it. Clicking the padlock displays a message telling users that their login information is at risk.
In Firefox 51 there will not be any warning for credit card fields, though Mozilla developers have previously said this feature is coming. Unfortunately, the ability to actively detect those fields has caused it to be delayed.
Chrome 56 for Android will also warn about password/credit card fields served over HTTP; however, to accommodate the smaller UI, only the “(i)” symbol will be shown in the address bar. Clicking the (i) will display additional text. The same behavior will also come to a future version of iOS, though when the update will be made has yet to be determined.
In-form warnings are coming to future versions for both browsers. These are warnings which will appear directly below the fields on the page. This will bring further attention to insecure fields and make it easier for users to see the warnings. Both mobile platforms will also get in-form warnings in future releases.
For any sites out there still using HTTP, make sure a migration to HTTPS is in your immediate plans. The encrypted web is coming, and the warnings are only going to get more severe. In fact, a Google engineer recently wrote “eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.”