The operator of a resources-sector news site whose login page transmits login credentials unencrypted has asked Mozilla to remove Firefox's security warning because it is worrying subscribers.
The owner of a news website called Oil and Gas International appears to have missed recent announcements by Mozilla and Google that their respective browsers, Firefox and Chrome, now display security warnings when a page that collects login details or credit card information is served without HTTPS encryption.
To the amusement of some who knew about the HTTP warnings in Chrome and Firefox, the owner appears not to have understood the intent of the browser warning, which is to flag to site visitors that their sensitive information is not protected in transmission between the browser and the server. The bug report, which has since been locked from public view by Mozilla, was captured by a Twitter user.
“Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately,” the site’s owner wrote to Mozilla.
The remainder of the complaint also suggests that Google's and Mozilla's decision to warn users about unencrypted login and payment pages is having its intended effect of prompting users to pressure site operators into encrypting pages that handle sensitive information, though that message appears to have been lost on the website owner.
“We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.”
It's not clear whether the site owner has also complained to Google, but the report to Mozilla could be due to the way Firefox displays its warning. Chrome only displays "Not Secure" in the address bar, while Firefox displays a padlock with a red strike-through in the address bar, plus a pop-up warning beneath the password field when the user starts typing a password into a page served over unencrypted HTTP. Firefox's warning is likely more noticeable because it appears at the moment the user types their password.
The message Firefox users see beneath the password field is: "This connection is not secure. Logins entered here could be compromised." The dialog includes a link to learn more about the warning, which recommends users "contact the web administrator for the site and ask them to secure their connection".
The Firefox warnings appear on the site's subscriber login page and on the subscriber sign-up page, which also includes credit card fields.
The browser warning also conflicts with the site's own message that "All credit card information is encrypted using our Secure Transaction Server". However, this likely refers to data being encrypted at rest once it reaches the server, which does nothing to protect it on the way there; the browser warning is about the unencrypted path between the browser and the server.
Mozilla closed the report as not a security issue, but did explain on the bug report's page that HTTP sites transmit passwords in the clear, so anyone able to observe traffic on the network path between the browser and the server could capture them. It also highlighted the additional risk to users who reuse the same password across multiple sites.
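To make Mozilla's point concrete, the following is an added example (not code from the article, from Mozilla or from the site in question). It parses a constructed capture of a login POST as it would travel over plain HTTP and pulls the password straight out of the body, and it includes a simplified approximation, stated as an assumption rather than the browsers' actual logic, of the rule that triggers the Firefox and Chrome warnings: a password field on a page that is not HTTPS, or a form that submits to a non-HTTPS URL. The host name, path and credentials are invented.

```python
"""Added example (not from the article or Mozilla): what a passive observer
on the network path sees when a login form is submitted over plain HTTP,
plus a simplified version of the rule that makes Firefox and Chrome warn.

The captured request, host name and credentials below are constructed for
illustration; no real site is involved."""
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed capture: the bytes a login POST puts on the wire over port 80.
# The host name and credentials are invented for this example.
CAPTURED_REQUEST = (
    b"POST /subscriber/login HTTP/1.1\r\n"
    b"Host: news.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"username=jdoe&password=Hunter2%21&remember=1"
)

# Form field names a listener would look for in the decoded body.
SECRET_FIELDS = {"password", "passwd", "pass", "card_number", "cvv"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes (e.g. a pipelined request) are ignored.
    length = int(headers.get("content-length", len(body)))
    return method, target, headers, body[:length]


def exposed_secrets(raw: bytes) -> dict:
    """Return the sensitive form fields readable from a cleartext request.

    Over HTTPS the same observer would see only TLS records and have nothing
    to decode; over HTTP the body is just percent-encoded text.
    """
    method, _target, headers, body = parse_http_request(raw)
    content_type = headers.get("content-type", "")
    if method != "POST" or not content_type.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items() if name.lower() in SECRET_FIELDS}


def needs_insecure_password_warning(page_url: str, form_action: str = "") -> bool:
    """Simplified approximation (an assumption, not Firefox's or Chrome's code)
    of when a page containing a password field is flagged: the page itself is
    not served over HTTPS, or the form submits to a non-HTTPS URL. The action
    is resolved relative to the page, as a browser would resolve it."""
    page_scheme = urlsplit(page_url).scheme
    action_scheme = urlsplit(urljoin(page_url, form_action)).scheme
    return page_scheme != "https" or action_scheme != "https"


if __name__ == "__main__":
    print("visible to a network listener:", exposed_secrets(CAPTURED_REQUEST))
    print(needs_insecure_password_warning("http://news.example/login", "/login"))
    print(needs_insecure_password_warning("https://news.example/login", "http://news.example/login"))
    print(needs_insecure_password_warning("https://news.example/login", "/login"))
```

Encrypting the password or card number in the database after it arrives, which is what the site's "Secure Transaction Server" notice most plausibly describes, changes nothing about the first call above: the listener already has the plaintext before the server ever touches it.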
The site owner may come to regret filing the bug report with Mozilla. As news of the HTTP bug report spread, some readers on Reddit speculated that the site would soon be hacked. Others claimed to have tested the site for vulnerabilities and reported finding that it did contain an SQL injection vulnerability, which could be used to leak some details about the site’s database.
CSO Australia emailed the site operator for a response and will update the story if it receives an answer.