18 February 2016
Firefox has displayed security alerts in Browser Console since Firefox Version 26 when an URL with a password field was opened across an http link:
Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.
This is a clear sign that your service provider does not care of security. Since the continuous back and forth between browser application and the console is really annoying, this function was rarely used.
With the latest Version 44 Firefox displays a notification in the URL bar if you open a URL with a password field across an unsecured HTTP connection.
- Open URL about:config in Firefox
- Approve the warning that you will be careful when changing settings.
- Set the value of the security.insecure_password.ui.enabled preference to true if you want to be warned about non-secure login pages
With this Firefox displays a pad lock with a red slash if Firefox opens a page with password field across an insecured connection:
Firefox warns of password field on insecure page
Take care, and enjoy the new security feature.
11 July 2015
When a serious company requests login data the network connection is always secured. Clear indicator of a secured network connection is that the URL starts with the https protocol. In addition, the certificate information besides the URL provides reliable information about the company and the site which runs the service.
Secure Connection Indicators
The missing https protocol and certificate information in phishing URLs like http://videoservicesmiami.com/bolu/HOTMAILFILES/HOTMAILFILES/login.srf.htm is a clear indicator that someone tries to trick you.
Firefox Browser Console is a useful little helper in identifying phishing sites. Programmers use an input box of type password when they ask for a password. With this the Firefox programmers defined a simple rule:
Password fields present on an insecure (http://) page are a security risk.
When Firefox loads a phishing site the code on the site is inspected. Firefox detects an input box of type password and outputs a warning on the Browser Console because the network connection is not secured:
Firefox Browser Console Security Warning. Click to enlarge.
I would appreciate it if the Firefox programmers would warn the users with a message box of such security risks, and block loading of such sites. This would be a great step forward because malicious URLs are often difficult to recognize in emails.