Security Warning

[Lee Mac]

FYI, I'm receiving the following warning in FF52.0 when logging in:

 

[SunnyTurtle]

Hi this happens for me also. It is due to not being able to connect to a HTTPS connection like: https://www.cadtutor.net

Without HTTPS it is easy to intercept the login details. For example on a WiFi hotspot. However to get https you need to pay more money.

It is standard practice for website with login requirements to have a HTTPS connection to secure the details of its users. And is my belief that this website should be HTTPS for logged in users.

[RobDraw]

However to get https you need to pay more money.

It is standard practice for website with login requirements to have a HTTPS connection to secure the details of its users. And is my belief that this website should be HTTPS for logged in users.

 

Care to make a donation for this?

[ReMark]

No security warnings here using Google Chrome.

[ROBP]

no security warnings here site works fine with google chrome also

[nukecad]

I just posted about this on another thread:

 

There was a bit of an issue last week when Firefox updated to v52 and started blocking 'insecure' HTTP sites.

 

It's a new 'security' feature in Firefox.

https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861

 

However for some reason it was blocking logins, and automatic form filling, on all vBulletin (and Xenforo) based forums (didn't matter if they were HTTP or HTTPS).

 

In Firefox you can fix the form filling behavour by going to- about:config (type it into the address bar) and toggling 'signon.autofillForms.http' from false to true.

 

 

The actual warning notice itself and the blocking seem to be controlled by:

'security.insecure_field_warning.contextual.enabled'

and

'security.insecure_password.ui.enabled'.

 

However if I toggle these to false to get rid of the warnings then logins are blocked altogether.

(I suspect that this is intentional- either warning or blocked altgether).

[welldriller]

Firefox also gives me the same warning when i sign in to the Cad tutor forum.

[SunnyTurtle]

Care to make a donation for this?

I understand this is a donation and ad run website and https is expensive.

And I just realized that it has been a while since I donated. I have fixed that now.

[CADTutor]

Hi All. Just to be clear, this site is no more or less secure than it has always been. What we're seeing here is a change in policy from a browser vendor. Traditionally, HTTPS encryption has been used for e-commerce sites where credit card details are passed over the web and this makes good sense. Mozilla have extended this principle to include all sites that ask for any user input. In my opinion and those of many others, this is overkill and the policy is not shared by other browser vendors. However, I do understand that security on the web should be at the forefront of everyone's mind and I will certainly look into the possibility of providing HTTPS connections here at CADTutor.

[nukecad]

In my opinion and those of many others, this is overkill and the policy is not shared by other browser vendors.

 

I agree that this is overkill.

 

There is a slight justification for it in that usernames and passwords harvested, by a hack, from HTTP sites, might have been re-used by the user on HTTPS sites where they are doing credit card transactions, etc.

 

But that is down to user laziness about using different passwords, not the required level of security needed for a particular website.

 

Certain browser developers seem to think that they have somehow become the 'Internet Police'.

Worse that that, they are now trying to force us to do what they think is right.

 

It's a bit like insisting that your home should have the same level of security that your bank does.

 

PS. Chrome is doing this as well, but not as agressively. (Or should that be clumsily?)

[CADTutor]

There's no doubt that HTTPS is likely to become a new standard for all websites - there are some new technologies on the horizon that require it and it's rumoured that Google give a ranking boost to those sites using it. I've been looking at options for this domain and will have some news shortly.

[rkmcswain]

If we could mark certain posts as solutions, then #6 (nukecad) would be it.