Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.

I get this error in firefox   I don't know what it is or how to fix it
vrosas_03Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Dave BaldwinConnect With a Mentor Fixer of ProblemsCommented:
No, the security risk is when they are sent to a page using HTTP instead of HTTPS.  If it is your website, you should fix it although there are many many pages with logins that do not use HTTPS.  If it is not your website, then you need to decide whether or not to go there.  Although I login to all kinds of pages, I have never seen that warning.
0
 
GaryCommented:
So you have a login form/inputs on an http page

Solution:
Have your login form on a secure page https

Many websites do it, but remember normal people don't have Firebug running so they never see that message
0
 
GaryCommented:
No, the security risk is when they are sent to a page using HTTP instead of HTTPS
Gonna disagree, the tunnel could have already been intercepted and posting to https is not gonna make a difference at that point.
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
Dave BaldwinConnect With a Mentor Fixer of ProblemsCommented:
the tunnel could have already been intercepted
What does that mean?  If I put up a login form and someone types their password into the form, at that point it has not even left their computer.  If the 'action' page is 'https://...', the first thing that happens when they submit the form is that an encrypted connection is negotiated Before any data is sent.

The most important part about HTTPS is that the connection is encrypted before Any data is sent.  No data is sent in the clear with an HTTPS connection.
0
 
GaryCommented:
Because the target could have already been replaced, the connection may be secure but the connection to where?
If it's loaded on an SSL connection to start with then it cannot be altered.
0
 
Dave BaldwinFixer of ProblemsCommented:
That's one I never thought of.  But I guess if there is enough money involved, someone will try that.
0
 
GaryCommented:
Doesn't need that much money involved, pop into the local cafe with wi-fi, you could probably pick up login details and other stuff and Joe Bloggs would never know.

30 minutes later you could be ordering all kinds of things - worst case scenario I know but...has happened.
0
 
GaryConnect With a Mentor Commented:
http://www.ehacking.net/2013/06/irisking-security-by-not-securing-login.html

p.s.
I have an unsecure login form on one site, but I don't store any personal information. Still bad form on my part.
0
 
Dave BaldwinFixer of ProblemsCommented:
I don't WiFi anywhere.  I have a wireless router though I don't use it for any of my own business.  Last time I checked, there were 52 wireless networks here.
0
All Courses

From novice to tech pro — start learning today.