ArsTechnica: Firefox gets complaint for labeling unencrypted login page insecure.
The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.
"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."
I emphasized a portion of the above quote.
Unfortunately, stating that a website has never been breached in 15+ years is much like painting a bullseye on it.
A Reddit user, redditpentester, called the person who filed the bug report:
redditpentester wrote: So. Believe it or not, his number is on the website. I just called him. He was quick to answer too. Twice, actually. Pretty surreal the first time (cannot believe the confidence some people have). All of this is from a VOIP number that shows up as "Private" so he won't be calling back or anything (for better or worse, it would probably be funny/cool). I'll type out my transcript and reply to first comment to get visibility:
"Hey, I'm looking for a user by the name of dgeorge?"
Him: "I'm dev George."
"When the entire internet browser ecosystem warns you that your website is insecure, why didn't you listen?"
Him: "The website isn't insecure, it's very secure."
"It's not. An entire professional community is talking right now about how it's not secure."
Him: "No it's not, the website is fine."
"I'm trying to share facts with you right now."
"Try to log into your website. I'll wait."
Him: "Who is this?"
"That really can't be your first priority right now, please. I'm trying to help you. Not everyone out there is. Log into your own website, it'll take just a moment and you'll see. It's all you have to do to catch up and sooner deal with being sued, being yelled at by any customers you might have, etc. Be an adult, you have to save your own a__ right now."
Him: pauses "Okay..." groans
Him: "It says server error."
"Yeah and it's probably going to get worse than that. Here's the deal. I woke up today and the places I read from and the people I talk to were all discussing your website and that it's completely broken and what has happened is people found your mozilla bug report; your database table with your users and passwords has been destroyed. I can't explain too much of how or why because this is something people go to school to learn about but essentially, and I say this as a professional, your website is anything but secure. You're in a good spot all things considered because this way, the info for these accounts cannot be shared any longer. You're lucky to have your entire database destroyed. The rumor is, and I haven't verified this part, that you have credit information that is easy to retrieve as well?"
Him: "No, that's not true, we have all of it sent to a secure separate location." (Probably thinking of his payment processor/third
"Okay, so that is good news but I will add, not sure if you're familiar with what SSL is but it says on your website that you use it. You do not. It would be very easy for someone, even with limited experience, to intercept a transaction and the card information if you were ever unlucky enough for someone to have noticed your site's vulnerabilities before today."
"Okay so don't worry about me, or who I am. Just search your own information and username on Google, I wish I could link you but obviously we're over the phone. Search your own information and you will see the articles talking about your site. Alternatively, type a single quotation into your login field and you will see it's broken. I can't do much because like you, I have a job and a life to deal with but best of luck and hope it goes smoothly from here on out."
Him: "Thanks, okay."
I censored the above quote.
Further down in the Reddit post is a screen capture showing that credit card information (a subscription to the site costs $400/year) was also submitted without encryption.