MozillaZine

My site is "not secure"

User Help for Mozilla Firefox
jhaber3
 
Posts: 254
Joined: January 16th, 2005, 9:04 am

Post Posted March 20th, 2017, 6:00 am

When I go to my home page, a WordPress blog, no warnings. However, when I to to the admin page and try to log in, I get the little pop-up of the lock with a red slash telling me that it's not secure. I have had, of course, to proceed anyway to update things, but what should I do to make this secure? I realize I have imperfect control of WordPress and its interface, but I should do something. My site is http://www.haberarts.com/, and I assume I shouldn't tell you the admin URL.

I tried, fwiw, to open the same page but with https, not that I could have told you that such an address exists. There I got a whole Firefox page telling me I could not continue because the site is insecure. Incidentally, I also get the smaller pop-up warning when I log into mozillaZine! I should say that my passwords have a mix of lc letters, up letters, numbers, and punctuation, so I'm satisfied on that account. Thank you.

makaiguy

User avatar
 
Posts: 16469
Joined: November 18th, 2002, 6:44 pm
Location: Somewhere in SE USA

Post Posted March 20th, 2017, 7:16 am

Starting with Ver 52, FFox pops up a warning when attempting to log into sites not accessed via a secure connection (i.e. those using non-secured http protocol instead of secured https protocol). The warning correctly points out that your login name and password are being transmitted in the clear where they can be captured by any server along the way.

This does not mean that the site you are trying to log in to has suddenly become insecure. This situation has always been there, but the folks at Mozilla just decided they'd warn you about it.

To avoid the warning:
  1. If the site supports a secure https connection, use that instead of http. Your transmission will be encrypted and only readable by your destination site.
  2. If you just don't want FFox to warn you of these insecure connections, do this:
    • Enter about:config in the Address/URL bar.
    • Press the button to agree to be careful (if you haven't done this previously).
    • Enter insecure in the Filter bar to limit display to just options containing 'insecure'.
    • Double-click on each of the following two options to toggle them between true and false. Set them to false:
      security.insecure_field_warning.contextual.enabled
      security.insecure_password.ui.enabled
    • Enter autofill in the Search bar.
    • Double-click on signon.autofillForms.http and toggle it to true.
    NOTE: if any of the above options are not found, you can create them manually. Right-click (control-click on Apple) an empty space in the option list. Click New | Boolean. Enter the option name and appropriate true/false value.
Doug Wilson, "The Makai Guy"
Win10 (64bit): FF 52.4.0 ESR (64bit), TB 52.3.0 (32bit)║ Android 7.0/6.0.2: FF 56.0, No TB for Android available, dammit!
What a fool believes he sees, no wise man has the power to reason away - Doobie Brothers

Reflective

User avatar
 
Posts: 2135
Joined: February 15th, 2007, 11:13 am

Post Posted March 20th, 2017, 7:48 am

See this WordPress support site for instructions on how to enable SSL for your own site: https://support.managed.com/kb/a261/how ... -site.aspx

jhaber3
 
Posts: 254
Joined: January 16th, 2005, 9:04 am

Post Posted March 20th, 2017, 8:53 am

Thanks to you both. Makai, I changed those three options, and as you say the warning has vanished. Reflective, I appreciate the link. Changing to https seemed above my head, and it still looks imposing, but this could help.

jhaber3
 
Posts: 254
Joined: January 16th, 2005, 9:04 am

Post Posted March 21st, 2017, 7:51 am

May I also ask your opinion about transitioning to https? If I understand correctly, it's designed not so much to protect the site as to protect the privacy of users. (I don't quite understand how, after reading a few online articles, but that's neither here nor there.) In other words, it would be to protect my identity from my admin page, or from me! It's of obvious advantage to a commerce site that asks for payments, but that's different. And of course it would cost me a small sum each year for the certificate. So is it really worth it?

James
Moderator

User avatar
 
Posts: 27009
Joined: June 18th, 2003, 3:07 pm
Location: Made in Canada

Post Posted March 21st, 2017, 12:13 pm

jhaber3 wrote:And of course it would cost me a small sum each year for the certificate.

May not cost you anything https://letsencrypt.org/

MarkRH

User avatar
 
Posts: 1153
Joined: September 12th, 2007, 2:30 am
Location: Oklahoma City, OK

Post Posted March 21st, 2017, 12:47 pm

It would basically double my webhosting costs, just for a single domain. I would have to pay for both a private IP address (on shared hosting) and the certificate. My blog has been this way for 10 years. Until WordPress itself or something requires SSL I'll just let it be. I do other things like banning all other IP addresses except mine from being able to log into my site. There is no reason for someone else to log into my blog or galleries.

Return to Firefox Support


Who is online

Users browsing this forum: Bing [Bot] and 4 guests