Unsecure login?

[sky4forums]

Why is the login procedure for this forum unsecure? Firefox just told me that while logging in.

[terrie]

It's a new "feature" of the most current version of Firefox and it means absolutely nothing--it's a money grab on the part of the powers that be in an attempt to charge domain owners for "security" certificates.

Basically, you can ignore it...


Terrie

[Kelvyn]

Current versions of Firefox and Chrome show security warnings when a page contains a form which asks for a password when the submitted data is not protected by encryption (SSL). This will at a later date be expanded to show on all forms requiring submission by the site user whether a password field is present or not. According to Google Chrome (and Firefox) will show a warning on any webpage viewed without a valid SSL certificate being in place.

So why are they doing this? It is because of the enormous issue of identity/data theft and the fact that just about everybody at some stage uses a public wifi service in a pub, coffee bar, libray, store etc. It is relatively easy to intercept data being sent over a wifi network, and thus obtain usernames, passwords etc when sent in plain text. To protect the population from this crime is not easy, and I believe that some government departments initially discussed this with ISPs and other service providers with a view to encrypting such data. Google was quick to jump on this and the first to recommend the introduction of SSL validated encryption for all website traffic. It first started to give higher ranking the those websites that use SSL (to encourage site owners to install certificates) and then followed with the introduction of warnings in browsers, currently the most intrusive is the warning in Firefox.

Traditional SSL certificates have cost money and have a requirement for a fixed IP address, but the increasing availability of low cost and free Domain Validation (DV) SSL certificates which do not require a fixed IP has meant that a SSL solution is available for those low risk websites that don't handle a lot of data. Webshops, government sites etc still require a higher level of security so DV certification would not be suitable, but even there the cost of crtification has dropped over tha last year.

Low cost certificates include a GoDaddy cert at $3.99/year, and free ones are offered by letsencrypt.org sslforfree.com and others. Comodo makes available a free SSL option for use on VPS systems - I use VPS and can run all sites I host under SSL with no additional cost.

This is a rapidly changing situation, but like most things, the public will get used to just ignoring the warning messages. So they will become more intrusive. Recently I have been unable to connect to some sites using Chrome on my phone over a public wifi system, I just see a warning message. 1984???

[terrie]

Kelvyn...

Thanks for the more detailed info--particularly because all I could remember was my reaction rather than the more informative nitty-gritty. I'm glad to hear that less expensive/free options are coming out of the woodwork...


Terrie

[sky4forums]

Your replies do not make it clear if my password is being sent across the net as plain text. If so this seems to me to be a security problem. Even though I use different passwords for different sites I will very inclined to end visiting any site that allows my password to be seen in such a manner.

[Kelvyn]

Passwords are not encrypted unless under SSL. There is encryption in place if using a high security WiFI connection, but once past the wifi router this is unenccypted to become plain text fo onward transmission. Public WiFi services generally have a low level of security or none at all.

[Steve Rindsberg]

It's so nice to have a Kelvyn around the house. Every site needs one.

Yer a gem, you are. Thanks as always.

[sky4forums]

Thanks for the clarification.