
Login form on your non-HTTPS webpage? Firefox will display a warning

Do you run a website that asks your users to login to their account? If so, do you request those login credentials over HTTP rather than HTTPS?

It turns out that many websites do, including some big names who you would think would know better.

For instance, British supermarket Waitrose and the Royal Mail.


Now, it is possible that the developers of these websites believe that they have protected users’ passwords from hackers by ensuring that anything entered into those fields is posted securely via an encrypted HTTPS connection, but as security researcher Troy Hunt explained a few years ago, there is still a problem.

As Troy demonstrates in his YouTube video, transmitting login credentials over HTTPS does prevent hackers from snooping on the network traffic and grabbing users’ passwords, but it doesn’t stop a man-in-the-middle attack from stealing the password as it is entered into the unsecured HTTP form.

The answer is simple. Put your login forms on HTTPS pages, not HTTP pages. If you are not able to move your entire website to HTTPS just yet then at the very least create a separate login page that is served via HTTPS.

In an attempt to encourage web coders to make their sites safer for users, the latest developer edition of Firefox now warns when you visit a non-secure webpage that includes a form containing a password field.

And, if it finds one, it will display a padlock with a red slash cutting through it in the URL bar.


As Tanvi Vyas explains in a blog post, Firefox has been displaying alerts about the security issue via the Developer Tools Web Console since Firefox 26, but typical users are unlikely to have seen it there.


Since Mozilla and other browser manufacturers have made clear that they are working towards deprecating non-secure HTTP entirely in the long run, the warnings shown when a site is found to be insecure are only going to become more explicit and prominent.

In other words, sooner or later the regular version of Firefox will warn you about websites like Waitrose and Royal Mail if they ask you to enter your password on an insecure non-HTTPS page.

Indeed, right now you can configure your regular version of Firefox to display a visual warning when you visit a website with an insecure login form:

  1. Open a new window or tab in Firefox.
  2. Type about:config and press Enter.
  3. Click past the warning, confirming that you will be careful when changing settings.
  4. Set the value of the security.insecure_password.ui.enabled preference to true if you want to be warned about non-secure login pages. If you later wish to disable the option, set the value to false instead.

If you’re a web developer, make sure that you understand the dangers of asking for login credentials on an HTTP page, and fix your site now before your users start complaining about their browser warning them that you are putting them at unnecessary risk.
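A site owner can run the same kind of check over their own pages before a browser flags them. The following is an added example, not code from Firefox or from the original article: it reports every form containing a password field that is served over HTTP, even when the form posts to HTTPS, and also covers the reverse case of an HTTPS page posting to HTTP. The host `shop.example`, the sample pages and the verdict names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages; shop.example is a placeholder host.
HTTP_PAGE = '<form action="https://shop.example/session"><input type="password" name="p"></form>'
HTTPS_PAGE = '<form action="/session"><input name="u"><input type="PASSWORD" name="p"/></form>'


class LoginFormScanner(HTMLParser):
    """Records the action of every <form> and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per <form> seen
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_forms(page_url, html):
    """Return a (verdict, submit_url) tuple for each password form on the page."""
    scanner = LoginFormScanner()
    scanner.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    results = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])  # empty action posts to the page itself
        if not page_secure:
            # An HTTPS action does not help: the form itself arrived unprotected.
            verdict = "insecure-page"
        elif urlsplit(target).scheme != "https":
            verdict = "insecure-submit"
        else:
            verdict = "ok"
        results.append((verdict, target))
    return results
```
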

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


  • Hello Graham :-)

    Here’s a good example:

    How about YOU signing up there – and then joining the ‘’ group and spreading news of the need for proper security on line?

    You’ll find the last post there refers to your Christmas video!

    Warm regards

    David (in Devon)

  • Firstly, I find it outrageous for non-SSL sites offering any form of authentication. It’s very inexpensive to implement so there’s really no excuse…

    Sanctions should be held against these companies for lacking basic security.

    I think it’s a good step forward from FF. It might trigger some inquisitive people to question whether they’re doing the right thing before logging on.

    Realistically most will probably ignore such warnings and other safety barriers, finding them a nuisance and not understanding their mitigations.

  • I am a “myWaitrose” member, and I am astonished at their website. Not only was it difficult to log in securely (unless you pretend to be registering or joining), but once logged in, the main page is back to plain text http mode again. All of my shopping preferences are on an unencrypted page. This is a really poor show, in light of recent hacks. Thanks to Moxie Marlinfish on YouTube, we can all see how dangerous and easy-to-perform MITM attacks are.

  • Hello Graham,

    Thank you for posting this news about Firefox. Please note that this preference is available for end users only after upgrade to latest version 44 of Firefox.

    It’s really frightening to see how many German free mail providers (e.g., use http for sign in to their services.

    Warm regards,


  • I have a problem with this I hope you can help with. I have an IP camera on my local network that I log onto and it is just HTTP://192.168.XXX.XXX.
    It asks for a user name and password. It will not allow me in when going through Firefox or Edge. Happened after the Windows 10 update I got on March 14th.