New: Firefox warns of login forms on non-HTTPS pages

18 February 2016

Since Version 26, Firefox has displayed a security alert in the Browser Console whenever a URL with a password field was loaded over an unencrypted HTTP connection:

Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.

This is a clear sign that your service provider does not care about security. Because continuously switching back and forth between the browser window and the console is really annoying, this function was rarely used.

With the latest Version 44, Firefox displays a notification in the URL bar if you open a URL with a password field over an unsecured HTTP connection.

For configuration:

  • Open the URL about:config in Firefox
  • Accept the warning by confirming that you will be careful when changing settings.
  • Set the value of the security.insecure_password.ui.enabled preference to true if you want to be warned about non-secure login pages

With this setting, Firefox displays a padlock with a red slash when it opens a page with a password field over an unsecured connection:

Firefox warns of password field on insecure page

Take care, and enjoy the new security feature.

Firefox Browser Console provides valuable hints on Phishing Sites

11 July 2015

When a serious company requests login data, the network connection is always secured. A clear indicator of a secured network connection is that the URL starts with the https protocol. In addition, the certificate information beside the URL provides reliable information about the company and the site that runs the service.

Secure Connection Indicators

The missing https protocol and certificate information in phishing URLs like http://videoservicesmiami.com/bolu/HOTMAILFILES/HOTMAILFILES/login.srf.htm is a clear indicator that someone is trying to trick you.

The Firefox Browser Console is a useful little helper for identifying phishing sites. Programmers use an input box of type password when they ask for a password. Based on this, the Firefox programmers defined a simple rule:

Password fields present on an insecure (http://) page are a security risk.

When Firefox loads a phishing site, the code on the site is inspected. Firefox detects an input box of type password and, because the network connection is not secured, outputs a warning on the Browser Console:

Firefox Browser Console Security Warning
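Site owners can audit their own pages with the same rule. The following script is an added example, not Firefox's code or part of the original post; it also goes one step beyond the rule quoted above by flagging a password form on an https page that submits to an http:// address. The function names and the example.test host names are made up for illustration.

```javascript
// Added example: approximates the rule described above; not Firefox's code.
// Regex tag scanning is enough for an audit script; it is not a full HTML parser.
function attr(tagBody, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tagBody);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findInsecurePasswordFields(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  let formAction = null; // action of the <form> currently open, if any
  const tags = /<(\/?)(form|input)\b([^>]*)>/gi;
  for (const [, closing, tag, body] of html.matchAll(tags)) {
    if (tag.toLowerCase() === "form") {
      formAction = closing ? null : attr(body, "action");
      continue;
    }
    if ((attr(body, "type") || "").toLowerCase() !== "password") continue;
    const field = attr(body, "name") || "(unnamed)";
    if (page.protocol === "http:") {
      findings.push({ field, reason: "page loaded over http://" });
    }
    // A relative or missing action resolves against the page URL.
    const target = new URL(formAction || "", page);
    if (page.protocol === "https:" && target.protocol === "http:") {
      findings.push({ field, reason: "form submits to http://" });
    }
  }
  return findings;
}

// Constructed sample pages (hypothetical host names).
const loginForm = '<form action="/login" method="post">' +
  '<input type="text" name="user"><input type="password" name="pw"></form>';
const downgradeForm = '<form action="http://login.example.test/auth">' +
  "<input type=password name=pw></form>";

console.log(findInsecurePasswordFields("http://shop.example.test/signin", loginForm));
console.log(findInsecurePasswordFields("https://shop.example.test/signin", loginForm));
console.log(findInsecurePasswordFields("https://shop.example.test/signin", downgradeForm));
```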

I would appreciate it if the Firefox programmers would warn the users with a message box of such security risks, and block loading of such sites. This would be a great step forward because malicious URLs are often difficult to recognize in emails.

Take care!