Mozilla to phase out non-secure HTTP

Mozilla has announced its intent to phase out all use of "standard" HTTP, replacing it by the (more-)secure HTTPS. This involves:
* Setting a date after which all "new" features will be available only to secure websites
* Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy....
The second element of the plan will need to be driven by trade-offs between security and web compatibility. Removing features from the non-secure web will likely cause some sites to break.
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

Similar Messages

  • My Firefox browser will only open websites starting with "https". What is preventing my browser to open a non-secure (http) website ? Please help!!

    I have checked my Firewall settings and added Mozilla Firefox to the list of programs accepted. I have also uninstalled Firefox & reinstalled it twice. I have turned off my antivirus & I still can't open a non-secure browser.

    Thank you, thank you, thank you FredMcD!! It was my AVAST anti-virus software. I had the "Web Shield" turned on, so all I did was turn it OFF, so now I can browse on the Internet on any website. When you first install Avast anti-virus, the Web Shield by default is turned on. This really should be turned off as not to freak out new users, especially by those that are not computer savvy. I cannot thank you enough! Take care. :-D

  • Moving from secure https page to non secure page on same site

    Secure https page navigation to a non secure http page still has you in a secure url when navigating within the same site, when user clicks to leave the secure page to go to a non secure page the address bar still has them in a secure https url. Is there a way to code the nav to not allow this to occur? Tried adding a full url to the non secure pages and that worked but then my active states of the nav stops working. Any ideas or scripts that may help here? Thanks!

    There's a script for that! Here's a link to it...
    http://kb.worldsecuresystems.com/598/bc_598.html#main_Returning_a_customer_to_a_default_URL_after_viewing_the_receipt_page
    @webmosphere
    www.webmosphere.co.uk

  • Use Secure HTTPS throughout this Forum and the Meteor Website

    This is not a "Bright Idea", this is a security flaw with the setup of this forum. When registering to use this forum you are asked for these personal sensitive pieces of information:
    - Password
    - Email Address
    - Mobile Number
    - CUSTOMER SERVICE PIN!
    - Age Confirmation

    This forum does not use secure HTTPS TLS anywhere, so when you register with this form, and when you login, you are sending this information in clear plain text over the Web. This is extremely insecure, especially considering:
    (A) It's a known fact most typical users will use the same account password on multiple sites, so one should assume a user registering for this forum will use the same password that they use for the main MyMeteor account.
    (B) The Customer Service PIN is one of the pieces of information used when interacting with Meteor either by phone, chat, email, forum or post as a way to verify a person's credentials and valid identity.

    So given (A) & (B), if a user's password and/or PIN are intercepted on an insecure internet connection, the person gaining access to these credentials could use it to impersonate the customer when communicating with Meteor. The implications are obvious. When an attacker wants to gain access to customer details they will look for the weakest access link. This forum is one of the weakest access links and if compromised or if user details are intercepted it gives the attacker all the information they need.

    This forum may be powered by the Lithium service, but it is Meteor's Technical team's responsibility to set up and secure this forum adequately. At the moment they have not done this. They are leaving customers at risk of identity theft and are failing in their obligations under Data Protection laws. This needs to be addressed immediately.

    On a wider issue it is now considered good practice for public serving websites to use TLS throughout their website and not just for registration and login pages. Contrary to misconception, using TLS throughout your site will not greatly reduce the speed or performance of the site if the sys admins have used correct modern server configurations, optimisations and TLS implementation. The major browsers are now blocking out non-secure elements on secure web pages and even Google is going to start using TLS as a signal for traffic ranking. So websites using TLS throughout their site will potentially get better search rankings on Google than those without. I would ask the Meteor Sys admins to at the very least secure this forum with TLS and then roll out TLS across their entire meteor.ie web properties and follow best practice.

    I have found that there is an SSL certificate installed on the server to cover the forums.meteor.ie domain, however it is not being enforced. Whilst not a perfect solution, for those using the EFF HTTPS Everywhere browser extension, I have written a ruleset that will force the browser to load https://forums.meteor.ie. I have submitted this ruleset to the EFF but you can also add the ruleset yourself by following these directions, using this code:

    <ruleset name="Meteor.ie Community Forum">
      <target host="forums.meteor.ie"/>
      <rule from="^http://(www\.)?forums\.meteor\.ie/" to="https://forums.meteor.ie/"/>
    </ruleset>

    Still waiting on an official response from Meteor.

  • Disable Security  Alert while redirecting for secure to non secure mode.

    Hi Experts,
    I am new to the portal and came across a very different kind of requirement for which I need your advice.
    On pressing the Logout button on the portal, the navigation/control is redirecting to the non secure Http website. My portal is on Https site. Now the issue is upon logging out I am getting the security Alert " You are about to direct to a connection that is non secure. Do you want to continue? "
    Now I have a requirement to suppress or remove this pop up. I do understand that this is the IE functionality to show the pop message and I have already unchecked the check box under Internet Options -> Advanced -> miscellaneous -> Warn if changing between Secure to non secure.
    Please suggest !
    Thanks
    Shobhit Taggar

    Shobhit,
    Which version of IE?
    Regards,
    Sandeep Tudumu

  • A fix for the Mozilla Firefox SSL Certificate Validation Security Weakness vulnerability? This appears to be an issue with not revalidating certificates when loading HTTPS pages from cache.

    We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
    Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache

    cookies.squite answer is Today at 5:15 PM .
    New profile, same problem.
    We've already established it is not an add-ons problem but obviously there will be fewer add-ons in this new profile to help exclude.
    Since there are two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile...same thing...even followed the instructions for uninstall & re-install...same problem.
    (3) different virus scanners, no hard core problems.
    Suspect how I have something in Windows setup that no one else is using?

  • SSL problems with "non-secure elements"

    hello all
    We have made a WEB application based on Tomcat and Apache Struts. We have set it up with SSL.
    SSL goes to Apache HTTP server, which speaks with Tomcat via ajp13.
    The problem is that IE sometimes shows the error message "This page contains both secure and non-secure elements. Do you want to display non-secure elements?". I think it has something to do with javascript, because after that error message javascript doesn't work anymore. If I click the javascript error icon, it says "access is denied".
    That error happens randomly, I can't repeat it at the same place.
    Can anyone help me somehow?
    Under what circumstances does IE display that error? We use version 6.0
    Maris Orbidans

    It turned out to be a Micro$oft bug
    http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b269682
    It seems that IE 6.0 has the same bug as 5.5.
    SYMPTOMS
    When you are using Secure Sockets Layer (SSL) and you click a link, you may receive the following warning message:
    This page contains both secure and non secure items. Do you want to display the non secure items?

  • Non-Secure Repositories

    I started out with a standard non-secure repository. Later, I received a request to secure the repository. Thus, I used an rpcopy with the "-secure" flag. It worked successfully and prompted me for the various passwords, which I set.
    About a day or two later, I was requested to remove the security from the repository, because it was an annoyance. I used the rpcopy command with the "-nonsecure" flag.
    As stated in the Forte System Management Guide on page 184:
    "The new copy of the repository has no administrator password. Other passwords that have been set in the original repository are set with the same values in the copy."
    My question: How do I get rid of the other passwords (master, baseline and workspace) from the nonsecure repository? Is the only way of accomplishing this by running a recreate, then importing the plans?
    Thank you,
    Vickie
    To unsubscribe, email '[email protected]' with
    'unsubscribe forte-users' as the body of the message.
    Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>

    You can set workspace and baseline passwords from the workshops.
    You can set any password from fscript using the SetPassword command.
    In a non-secure repository, you can remove any password by setting it
    to nothing (an empty field in the workshops or the string " in fscript.)
    Mike
    From: "Troy-Mckoy, Vickie" <[email protected]>
    To: "'[email protected]'" <[email protected]>
    Subject: Non-Secure Repositories
    Date: Tue, 14 Jul 1998 11:05:09 -0400

  • Aperture Phase Out, Lightroom Migration?

    Since Apple is reportedly going to phase out Aperture (per TechCrunch: “With the introduction of the new Photos app and iCloud Photo Library, enabling you to safely store all of your photos in iCloud and access them from anywhere, there will be no new development of Aperture,” an Apple spokesperson told TechCrunch), does anyone know a good way to migrate Aperture's libraries to Lightroom?
    TechCrunch: http://techcrunch.com/2014/06/27/apple-to-cease-development-of-aperture-and-transition-users-to-photos-for-os-x/
    Adobe: http://blogs.adobe.com/photoshopdotcom/2014/06/apple-aperture-news.html
    As best I can find, one can migrate Aperture files to Lightroom, preserving some keywords and EXIF, but losing all edits. For a library of thousands of photos, that would mean throwing away months and months of work that could never be duplicated.
    Of course, the files can simply be exported as JPEGS, but then the advantages of non-destructive editing are lost. I don't know a way to export to the DNG format, nor export RAW files with edits.
    Please tell me I am wrong and my Aperture library won't be frozen in time and I'll have to start over archiving every photo.
    Thanks /  jim

    No reason not to hedge bets and make a move now. Even if the speculation that Photo can recreate your Aperture edits is true, you might not like the WAY it does it. Or other features. Or maybe you've got a new camera and Apple is behind on RAW (like mine). Or maybe you just don't wanna have all your photo edits in one basket.
    I doubt anyone is gonna come up with an acceptable tool to import edits. We would have seen that already. But how often are you going back to those edits in Aperture? as opposed to re-editing? Even with some of my old photoshopped stuff and whatnot, and even though I have the tools to do so, some of the newer editing software is so good it's better to start over from the original anyway. And as noted, Aperture will be around for that. My copy is, even though I abandoned it quite a while ago. It's just an old tool you keep around.
    So one strategy is that only new imports go into LR (although there are other choices). If you need a bunch of older stuff, you transition that. Otherwise you leave things be. In that situation, if I needed edits and/or embedded metadata, I'd export TIFFs into the finder folder where the masters were, writing metadata to xmp and/or jpgs as appropriate, and import into LR. Note that Aperture is still referenced those and can still find them. So you can either work forward from the TIFF, or redo the edits on the original.
    What would be super useful IMHO would be a tool to export the metadata into jpgs and into XMPs for RAWs WITHOUT having to export. You wouldn't get edits, but location info, keywording, captioning, etc would be very very nice to have.
    And that brings me to structure. The LR analogue to projects/albums/folders are collections and collection sets. How to replicate that for an existing group of folders, since it doesn't import? (Because LR just mirrors your filesystem folders, its "import" (almost more like "show") function has no "import folders as projects" kind of deal.) For this I used keywords, since they can be hierarchical, and can be written into the files.
    So when you export a project/album like "2014 Wedding Project/Ceremony Album" you keyword all the photos with that (in LR 2014 wedding project>ceremony album). That way you can find that structure in that form even if it was stored in a finder folder called ~/Pictures/Family Photos. And in LR it's easy to turn a filtered selection into a collection, or use a smart collection. This way you can preserve some of the structure you're used to seeing in Aperture in the LR collection set/collection tab. And if you later synchronize another edit or metadata (a very handy tool for use on folders within LR), it can bring up updated metadata and import new files. And if they have the same keywords, you could use a smart collection based on those keywords to replicate "2014 Wedding Project" or whatever.

  • I want to add "auto-fill" - which is a secure one? If they are in the FF web site, are they checked out for security?

    I used to have Google auto-fill, but that is gone since updating FF. If an add-on (like auto-fill item) is on the add-on site, is it safe? Has it been checked out for security?

    Which "spyware software" software did you run?
    Make sure that you allow pages to choose their colors and that you haven't enabled High Contrast in the Windows Accessibility settings.
    *http://kb.mozillazine.org/Website_colors_are_wrong
    *http://kb.mozillazine.org/Websites_look_wrong
    *Check the permissions for the domain in the current tab in "Tools > Page Info > Permissions"
    *Check that images are enabled: Tools > Options > Content: [X] Load images automatically
    *Check the exceptions in "Tools > Options > Content: Load Images > Exceptions"
    *Check the "Tools > Page Info > Media" tab for blocked images (scroll through all the images with the cursor Down key).
    If an image in the list is grayed and there is a check-mark in the box "Block Images from..." then remove that mark to unblock the images from that domain.
    There are also extensions (Tools > Add-ons > Extensions) and security software (firewall, anti-virus) that can block images.
    *https://support.mozilla.com/kb/Troubleshooting+extensions+and+themes
    *http://kb.mozillazine.org/Images_or_animations_do_not_load

  • Non-secure DDNS security risk?

    We are running a 2008R2 domain. Our DCs are also DHCP/DNS(ADI) servers. The DCs are also members of the DNSUpdateProxy group. We do not have an account being used for passing Dynamic Update credentials. I read something from Ace Fekay that said this is not recommended for DCs, with DNS/DHCP to be in the DNSUpdateProxyGroup, but the DCs are obviously not using DHCP and the security on their records looks fine.
    We are set to allow both non-secure and secure updates because we have some access points and some HP ILOs (Integrated Lights-Out clients) that are not on the domain and using dhcp. I know that allowing non-secure updates is a huge risk, but trying to get details about the risk. We are also set to "Always dynamically update DNS records" & "Dynamically Update DNS records for clients that do not request updates." Almost all of our servers (the main risks we care about) are not using DHCP, except for the ILOs. We are not using NAP. Here are the questions.
    1. DNS Spoofing with Windows computer - If someone brings in a windows computer with the same computername as one of our critical servers (obviously it will be off the domain) can it grab an IP address and update the record of the critical server? - I was thinking it would detect the naming conflict.
    2. DNS spoofing with Linux computer - If someone brings in a Linux computer with the same computername as a critical server, can it grab the IP address for a critical server that has a static address?
    I am trying to find some real world scenarios to get approval to switch to "secure-only" updates. The biggest risk from doing that is that we have trouble finding all the DDNS records. Then some expire and we lose connectivity to those resources until we get it fixed. If anyone can throw some realistic disaster scenarios at me, I would appreciate it.
    Thanks,
    Dan Heim

    Hi,
    If you have installed the DHCP service on a domain controller, be absolutely certain not to make that server a member of the DNS Update Proxy group. Doing so would give any user or computer full control of the DNS records corresponding to the domain controllers, unless you manually modified the corresponding ACL. Moreover, if a DHCP server that is running on a domain controller is configured to perform dynamic updates on behalf of its clients, that DHCP server is able to take ownership of any record, even in the zones that are configured to allow only secure dynamic update. This is because a DHCP server runs under the computer account, so if it is installed on a domain controller it has full control over DNS objects stored in the Active Directory.
    For non-windows computers, you can enable name protection.
    For more information please refer to:
    Secure Dynamic Update
    http://technet.microsoft.com/en-us/library/cc961412.aspx
    Configuring Name Protection
    http://technet.microsoft.com/en-us/library/dd759188.aspx
    Hope this helps.

  • Dsee 6.3.1 - disable non-secure port

    I disabled access to the non-secure port on my ldapserver as I only want clients to talk to my server using ssl (tls:simple)
    root@ldapserver#/> dsconf set-server-prop ldap-port:disabled
    After the compulsory restart, I was no longer able to bind a client (even if I tell it to connect on port 636) :
    root@ldapclient #/> ldapclient init -v -a profileName=SB -a domainName=unix.mydomain.com -a proxyDN=cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com ldapserver.mydomain.com:636
    Parsing profileName=SB
    Parsing proxyDN=cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com
    Arguments parsed:
    proxyDN: cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com
    profileName: SB
    defaultServerList: ldapserver.mydomain.com:636
    Handling init option
    About to configure machine by downloading a profile
    findBaseDN: begins
    findBaseDN: ldap not running
    findBaseDN: calling __ns_ldap_default_config()
    __ns_ldap_list return NULL resultp
    findBaseDN: Err exit
    LDAP ERROR (85): Error occurred during receiving results. Timed out.
    Failed to find defaultSearchBase for domain unix.mydomain.com
    I know my certs are good as ldapsearch returns data as I would expect...
    root@ldapclient #/> ldapsearch -Z -p 636 -h ldapserver.mydomain.com -P /var/ldap -b dc=unix,dc=mydomain,dc=com uid=myuser
    returns my userid.
    There is an anonymous read only ACI in place:
    root@ldapclient #/> ldapsearch -Z -p 636 -h ldapserver.mydomain.com -P /var/ldap -b dc=unix,dc=mydomain,dc=com -s base "(objectclass=*)" aci
    aci: (target ="ldap:///dc=unix,dc=mydomain,dc=com")(targetattr!="userPassword")(
    version 3.0;acl "Anonymous read-search access";allow (read, search, compare)
    (userdn = "ldap:///anyone");)
    As soon as I re-enable standard 389 access the client init works fine again....
    Am I missing something here?
    Does the `ldapclient init` command need to make a 389 connection first before it downloads the profile which tells it to use tls:simple and therefore port 636 from then onwards?

    quote:
    SSL enables support for the Start TLS extended operation that provides security on a regular LDAP connection. Clients can bind to the non-SSL port and then use the Transport Layer Security protocol to initiate an SSL connection. The Start TLS operation allows more flexibility for clients, and can help simplify port allocation.
    [http://docs.sun.com/app/docs/doc/820-2765/gdzdc?l=en&a=view]

  • Non secure running Java Script! How do I deal with this?

    The browser does not display some pages and shows: Non secure running Java Script! How do I deal with this?

    Start Firefox in Safe Mode to check if one of the extensions is causing the problem (switch to the DEFAULT theme: Firefox (Tools) > Add-ons > Appearance/Themes).
    *Don't make any changes on the Safe mode start window.
    *https://support.mozilla.com/kb/Safe+Mode
    *https://support.mozilla.com/kb/Troubleshooting+extensions+and+themes

  • Webservice get/send securely in non-secure shell?

    Hey all,
    Perhaps I'm biting off things a bit too complicated for someone who has never used FLEX before, but I've got to do some research and then build a mock sample for the company I work for.
    What we're trying to do is allow users to login via flex to their account w/o ever leaving the current page they're viewing. Currently they are taken to another area and system altogether so as to jump from the non-secure to secure server.
    So the plan is to just click the login button and stay right there the whole time for a seamless experience. I had asked if this was possible at all previously and heard about the SecureHTTPChannel method as well as the SecureAMFChannel one.
    I have gotten Flex to see our wsdl and pull a string of data via the WebService function, throw it in a DataGrid, but honestly have no clue whatsoever where to even start moving towards now in order to get to the intended goal mentioned above.
    Can someone please help point me in a general direction as to what needs to happen and what general methods need to be employed to get there? Thanks for any help!

    This is related to the URL bar autofill feature. Please see these threads:
    * [https://support.mozilla.org/en-US/questions/933563 typing in url for my company website sends it to https index page in Firefox, but not IE or Chrome, and the behavoir is not wanted]
    * [https://support.mozilla.org/en-US/questions/933470 After updating to 14.0.1 Firefox will force https on websites. How do I fix?]
