Open Bug 1463506 Opened 6 years ago Updated 2 years ago

Insecure login form warning appears on intranet sites

Categories: Toolkit :: Password Manager, defect, P3

Version: 59 Branch

Status: UNCONFIRMED

People: Reporter: dieter.ferdinand, Unassigned

References: Blocks 1 open bug

Attachments: 2 files

User Agent: Mozilla/5.0 (X11; Linux i686; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180323154952

Steps to reproduce:

Open a site in my intranet.


Actual results:

An always-on-foreground message that this is insecure is displayed.


Expected results:

Hello,
every time I start Firefox on my PC and a login site from my router is displayed, I get this message. This is OK for internet sites, but all sites in my intranet are safe because I am the only person who has access to that network, and if I access it from the internet, I always use an encrypted VPN!!!

I can disable this message globally for all sites, but I want to disable it only for the intranet, i.e. all private IP addresses: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, or for domains which end in .lo or .local.

I can switch some devices to HTTPS, but only with self-signed certificates, and I won't use an internet domain and a bought wildcard certificate to disable such messages!!!

For devices which don't have HTTPS support, I can use Apache as an HTTPS proxy, but with the same problem, because I can't get an official certificate for a .lo or .local domain!!!

Security is important, but a message which is displayed in the foreground even when the browser is in the background is crazy!!!

It should be possible to tell Firefox which networks are safe, even if the connection is not secured with HTTPS!!!

Goodbye
Group: mozilla-employee-confidential
Initially triaging this issue to Password Manager component.
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
This should have been fixed by bug 1337246 but if the page in question uses a subframe then this is bug 1364080. Are the affected pages using <iframe> or <frame>?
Flags: needinfo?(dieter.ferdinand)
Hello,
it is the login screen of a newer Fritzbox which is built with JavaScript.

Goodbye
Flags: needinfo?(dieter.ferdinand)
(In reply to Dieter Ferdinand from comment #3)
> it is the login screen of a newer Fritzbox which is built with JavaScript.

Hi Dieter, unfortunately that doesn't help me answer whether frames are used as I don't have access to one of these devices. Can you do File -> Save Page As => (Web Page, HTML only) for the affected page and upload it on this bug (if it doesn't have any confidential information on it), otherwise you can email it directly to me.

Thanks
Flags: needinfo?(dieter.ferdinand)
Attached file fritzbox.htm
Hello,
here is the start file from the box.

But it is only JavaScript.

I can put a Fritzbox in my network and give you access to that box to test it.

Goodbye
Flags: needinfo?(dieter.ferdinand)
Attached file kabel.htm
Hello,
this is the login site from my cable router with the same problem. If the cursor is in the username or password field, this insecure message is displayed.

This is a normal HTML site without any frames.

Goodbye
Okay, so now that I re-read your comment 0, I see that you're talking about seeing the warning when you use host names that *resolve to* local IP addresses, not using local IP addresses directly in the address bar.

I think your best solution for now is bug 1345629 or using the IP addresses instead of the host names. You can also use self-signed certificates and permanently trust them in the browser. That's a totally legitimate use for self-signed certificates.

We could implement this but there are security concerns and it's technically non-trivial.

(Un-hiding since no domain name was mentioned)
Blocks: 1304224
Group: mozilla-employee-confidential
Priority: -- → P3
Summary: password insecure on this site message → Insecure login form warning appears on intranet sites
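The distinction drawn in the comment above (an IP literal in a private range in the address bar versus a host name that merely resolves to one, and the per-network exemption the reporter asks for in comment 0) can be made concrete in a small classifier. The following is an added illustration, not Firefox's implementation: it assumes a hypothetical `trusted_suffixes` allow-list (the `.lo`/`.local` preference the reporter wants, which does not exist as a Firefox setting) and uses the RFC 1918 blocks listed in comment 0 plus loopback. It deliberately never resolves names: before connecting, a browser cannot know where `speedport.ip` or `router.local` points, which is the security concern the developer mentions.

```python
import ipaddress
from urllib.parse import urlsplit

# Address blocks from comment 0 (RFC 1918) plus IPv4/IPv6 loopback.
# Only IP *literals* are compared against these; no DNS lookup is done.
EXEMPT_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "::1/128")
]


def is_exempt_ip_literal(host: str) -> bool:
    """True only when `host` is an IP literal inside an exempt block.

    A host name (even one that happens to resolve to a LAN address) returns
    False: the browser cannot know before connecting where a name resolves.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal at all
    # `in` returns False when address and network families differ.
    return any(addr in net for net in EXEMPT_NETWORKS)


def host_matches_suffix(host: str, suffixes) -> bool:
    """Label-aware suffix match: 'router.local' matches '.local',
    'notlocal.example' does not match '.local'."""
    host = host.rstrip(".").lower()
    for s in suffixes:
        s = s.lower().lstrip(".")
        if host == s or host.endswith("." + s):
            return True
    return False


def needs_insecure_login_warning(url: str, trusted_suffixes=()) -> bool:
    """Decide whether a login form served at `url` should carry the warning.

    `trusted_suffixes` is the hypothetical per-user allow-list from
    comment 0 (e.g. ('.lo', '.local')); it is not a real Firefox preference.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return False  # transport is already secure
    host = parts.hostname or ""  # urlsplit strips IPv6 brackets and lowercases
    if is_exempt_ip_literal(host):
        return False  # private/loopback literal typed directly in the address bar
    if host_matches_suffix(host, trusted_suffixes):
        return False  # user-configured exemption (hypothetical)
    return True  # plain HTTP to anything else, including names that resolve locally


if __name__ == "__main__":
    # Constructed sample URLs; speedport.ip comes from the thread, the rest are made up.
    samples = [
        "http://192.168.178.1/login",
        "http://speedport.ip/",
        "http://router.local/",
        "https://speedport.ip/",
    ]
    for u in samples:
        print(u, "->", "warn" if needs_insecure_login_warning(u, (".lo", ".local")) else "no warning")
```

Running the block shows why the reporter still sees the warning after switching to names: `http://192.168.178.1/login` is exempt because the literal sits in 192.168.0.0/16, while `http://speedport.ip/` is not, since only the name is visible to the check. The suffix allow-list is what would be needed to change that, and it is exactly the part that trusts DNS.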
Hello,
if I use IP addresses, I have the same problems.

It is impossible to use a self-signed certificate on a device which doesn't support SSL encryption.

I see only one way to eliminate this message, and it makes much work:
- set up my local DNS as a copy of my internet domain with all local devices and an IP which points to my local web server
- configure my Apache web server to be a transparent proxy for all local devices with HTTP or HTTPS
- to get a Let's Encrypt certificate I must insert the same names with my internet IP
- get a certificate for every device or a wildcard for the domain
But this doesn't work with all devices because some devices change the HTTP address on every access to their own DNS name. As an example, a Speedport router can only be accessed with speedport.ip. All other addresses will be forwarded to this address.

Goodbye
Hello,
if you can't change this, please don't display this message as a window which is always in the foreground!

I hate it if I am in another program like a mail program and see this message from Firefox, which is in the background!

Goodbye
(In reply to Dieter Ferdinand from comment #9)
> if you can't change this, please don't display this message as a window
> which is always in the foreground!

That sounds like a variation of bug 1262211. In the future that should have been filed as a separate bug rather than piling on here with an orthogonal issue.
Severity: normal → S3