The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.
"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."
Around the same time this post was going live, participants of this Reddit thread claimed to hack the site using what's known as a SQL injection exploit. Multiple people claimed that passwords were stored in plaintext rather than the standard practice of using cryptographic hashes. A few minutes after the insecurity first came up in the online discussion, a user reported the database was deleted. Ars has contacted the site operator for comment on the claims, but currently Ars can't confirm them. The site, http://www.oilandgasinternational.com, was displaying content as it did earlier at the time this post was being updated.
As a member of the Mozilla developer team pointed out in reply to the complaint, both Firefox and Chrome routinely issue warnings whenever users encounter a login page that's not protected by HTTPS encryption. The warnings became standard earlier this year.
The site in question appears to be completely offline at this time.
Source: ArsTechnica
(Score: 2) by Pino P on Wednesday March 22 2017, @03:20PM (4 children)
If it's internal then you can just install your self-signed cert anyways.
As far as I can tell, that has stopped working as of Android 7. From "Add & remove certificates" [google.com]:
And it turns out that the developers of Google Chrome have not "cho[sen] to let [it] work with manually added CA certificates." From "User certificate no usable on Android Nougat" [strongswan.org]:
There are two additional complications if you want to support friends and family who are bringing their own devices, such as to stream videos from your NAS. First, you end up having to walk said friends and family through installing your internal CA's root certificate on each device. Second, installing your internal CA's root certificate on an Android device that still usefully supports user CAs, namely one running Android 6 or earlier, causes the device to start requiring a PIN or pattern to unlock it. From "Add & remove certificates" [google.com]:
Is it reasonable to require a visiting friend or family member to go through these steps?
(Score: 2) by tibman on Wednesday March 22 2017, @05:03PM
I'm assuming they already ask you for your wifi password. Showing them how to get that annoying insecure message to go away when they visit your private (local) website surely isn't that big of a deal. On most browsers it's like three clicks.
You also only pointed out one particular OS (a phone OS). An OS that doesn't even let users have full control of itself. Even windows gives you more control over your security.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by tibman on Wednesday March 22 2017, @05:05PM (1 child)
Wish i could edit. Streaming videos from your NAS over https? I'm doubting that, no offense.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by Pino P on Wednesday March 22 2017, @06:29PM
Streaming videos from a NAS will start requiring HTTPS once browsers start restricting the Fullscreen API to secure contexts [w3.org] in order to deter phishing attacks that spoof the entire window manager [feross.org].
(Score: 1) by Arik on Friday March 24 2017, @12:14AM
If Android was truly a Free OS you could simply comment a couple lines and recompile to fix such brain damage, but I bet you can't do that.
"Is it reasonable to require a visiting friend or family member to go through these steps? "
It's not reasonable at all, it sounds to me like a system cleverly designed to give the appearance of offering security, while ensuring that it's such a PITA to actually use that no one will use it. Even the geeks that can figure it out won't use it, for interoperability and support issues.
If laughter is the best medicine, who are the best doctors?