Firefox: disable "This Connection is not Secure" warnings
Firefox displays "This Connection is not Secure. Logins entered here could be compromised" warning messages when sites don't protect their login pages with HTTPS.
The idea behind the feature is to display a visual reminder to Firefox users that the data that they enter into a form is not protected when they hit the login or submit button on websites that don't use HTTPS.
While that is a handy reminder for many inexperienced Firefox users, experienced users may not find it super handy to have.
The main reason for that is that you can look at the page address, or the lock icon, displayed in the browser's address bar to see the same thing. If there is a red strike-through lock icon, and if the site is not using https, then anything that you enter on the site and submit is not encrypted and thus readable.
This Connection is not Secure
The prompt, as useful as it may be to some users, may cause two issues for other users. First, it prevents that login information is filled out automatically on affected sites.
Firefox's password manager won't fill out the information automatically, so that you need to do so manually in some way. This may be the sane thing to do on new sites, but if you are a regular on a site that has not just yet switched to HTTPS, you may trust the site enough to want Firefox to continue filling out the information to improve the login process.
The second issue is not as dramatic, but the prompt may overshadow other page elements. If the username and password prompt are displayed vertically, the username prompt warning may overshadow the password field.
Mozilla notes that you can just hit Enter to dismiss it, but this did not work for me. Whenever I hit the Enter-key, the data was submitted. Clicking outside the box helps however and dismisses the box.
Disabling the contextual warning
Here is how you disable the "this connection is not secure" warning in Firefox:
- Load about:config in the Firefox address bar and hit the Enter-key.
- Search for security.insecure_field_warning.contextual.enabled.
- Double-click the preference.
The default value of the preference is true, which means that the feature is enabled and that Firefox will display warning prompts when you activate insecure login fields. If you set it to false, those warnings are not shown.
Toggling the preference won't have any effect on the automatic filling out of forms on HTTP pages.
You need to modify another preference of the Firefox web browser for that.
- Open the about:config page again.
- Search for signon.autofillForms.http.
- Double-click the preference.
The default value of false prevents the Firefox web browser from filling out form information on HTTP pages. If you set it to true, Firefox will auto-fill form pages on HTTP pages as well.
The warnings will become less and less as time passes as more and more sites will migrate to HTTPS.Â The warnings may raise awareness, and that is definitely a good thing. Statistics on how many users are leaving the login pages of sites where the warning message is displayed would be useful
Now You: Do you find the prompts useful?
Anyone in programming, I.T. or customer support knows that these things are totally useless. Just a mild annoyance to those who know what they’re doing. The rest will click through everything. We already have popups about cookies, fullscreen, location, camera/mic. Why not just put up a giant warning when starting a session, saying “The internet is bad, mmmmkay?” You really can’t teach adults how to be careful, trustworthy, responsible, etc. Not by laws and certainly not by warning labels.
I agree that the cookie warnings are just unnecessarily annoying. However, I definitely think that it’s a good thing, that your browser asks you, if you want to share your location data or if you want to give the site access to your mic/camera. Otherwise everybody would just do it. Or would you prefer e. g. Google listening and literally watching you all the time?
> Or would you prefer e. g. Google listening and literally watching you all the time?
You don’t really have a choice.
As if a single half-assed notification will stop Google Analytics from keeping watch on you.
> You really can’t teach adults how to be careful, trustworthy, responsible, etc. Not by laws and certainly not by warning labels.
That’s untrue, see the food market as an example. Informed users make decisions based on information provided, it just needs to be presented in a way that lets us take a decision after just a quick glance at it.
Warning fatigue is slightly different and is indeed related to “getting in the way” and “being obnoxious”.
“but if you are a regular on a site that has not just yet switched to HTTPS, you may trust the site enough to want Firefox to continue filling out the information to improve the login process.”
It doesn’t have anything to do with trusting the site tho, does it? The website sees what your doing anyway. Correct me if I’m wrong but isn’t https more for protection of man-in-the-middle attacks then for anything else? Requested http sites can be manipulated and read from anybody inside your local network as well as from anybody else that sits between you and the actual site.
So it’s not actually about trusting the website but trusting your local network, your ISP etc.
You are right, that is the most important factor.
Hi, has signon.autofillForms.http to be on false (default) oder true?
Please don’t set a dot behind about:config-terms like signon.autofillForms.http … some guys may copy the dot too, which causes trouble. ;)
If you want auto fill on insecure pages (HTTP), you set the value to true.
An company/developer (stupid) reported about this on BMO (Bugzilla @Mozilla) called: Oil and Gas International (search Oil and Gas International Mozilla) see https://arstechnica.com/security/2017/03/firefox-gets-complaint-for-labeling-unencrypted-login-page-insecure/ and https://www.bleepingcomputer.com/news/security/developer-complains-firefox-labels-his-site-as-insecure-hilarity-ensues/
I find this feature very useful. as for sites that I visit regularly, I recently chose to send a mail( alias of course ) with screenshots asking politely if they would please consider to migrate to HTTPs. so far 2 sites did.
“A site that has not just yet switched to HTTPS” needs to be avoided. An SSL Certificate is inexpensive enough for any site that is worth visiting. If the admin of a site is so inexperienced and cheap that he/she won’t/can’t’ add a simple feature, then the site should be boycotted, blocked, avoided, denounced, trashed, hacked–whatever it takes–to wake the lazy creature from the slumber of stupidity and gross negligence. SSL is really a feature that tells visitors that “We care.”
Donation Coder, by the way, uses https://–
Not true. If it’s an informational site there is no value in making it https. Especially if there are no accounts involved. Sure I believe responsible sites -should- do it. There is no danger in going to it, other than pissing off https zealots, and that might be a good reason to leave it at just http, just knowing there are such zealots rage quitting your site.
How is an ssl certificate cheap. Most I have seen cost money and as I only play with websites as a hobby I dont need to be tolld its insecure.
whats worse is not being able to access my webhost manager as even adding an exception leads to a 404.
its more money grabbing for someone.
What takes the biscuit is when you get a warning — not this type, the one that covers the whole page and refuses to take you there, saying the site is not secure or something — for security-related sites.
anyone know if this can be applied through a group policy setting on windows domain?
have not dug into firefox adm files to see.
This feature doesn’t bother me as I rarely encounter it.
What is Far more annoying are the useless dialogs that complain about an ‘invalid (https) site configuration’ or somesuch AND REFUSE to provide more details AND an option to ‘Proceed With Caution’.
The unsupervised dev-children at Mozilla are Really starting to annoy me.
Thanks. Very help me!!! :)
Thanks for this info. I run a remote desktop connection to my server, where I login to my SmarterMail installation for administration purposes. Whilst I can see how these warnings might have some use, they are just annoying on LAN based remote desktop connections. They also prove to be extremely annoying in login boxes, where the warning obscures the bottom text entry box… as is the case with SmarterMail.
Sadly, this is all too common with Firefox’s attitude to users and functionality. It’s a case of “Sod the users, let’s just make a point”. Thankfully, there are users like yourself who are providing the solutions that the Firefox team couldn’t be bothered to think about. They need to remove the blinkers every now and again and take a good look at the real world.
I agree. It’s still a problem in 2021. I run a bunch of internal servers on my home lan without installing certificates on their web interfaces.
Firefox will never learn.
i have windows 10. i tried the 2 steps above but it still doesnt work, still say connection not secure, any suggestions?
Thanks a lot. that was useful.
thanks to this stupid alert I have two fuckings hours dealing with selenium because when I execute the method accept in the alert. it redirects me to the main page of login, thank you so much firefox for wasting my time.
The warnings come up on (and interfere with) our company internal pages that we must use to log and track our jobs. No one outside this company would give the slightest shit about what’s on these pages. So the warnings are a constant useless annoyance. Thanks for providing the means to make them go the hell away. Firefox has become so consistently annoying in the last couple years. Don’t get me started on New Tab behavior. Ugh.
Still I can’t open the page I want. Im going to use Chrome :-(
Firefox continues to annoy me with this kind of crap. My first reaction was to switch to Chrome.
This doesn’t work from within my corporate intranet. I’ve tried it over several days. About 80% of external tech sites cause this error. It is very challenging to find anything without adding exceptions that get erased.
Maybe I have a related problem. The more recent pop-up is “SEC_ERROR_UNKNOWN_ISSUER” which occurs even on most https sites.
I uninstalled Kaspesky internet security software. I problem disappeared.
This works for me …
The security.insecure_field_warning.contextual.enabled = false setting has stopped working for me. It does not work in Firefox 104.0.2 in Debian.
If i find it useful? Since security.insecure_field_warning.contextual.enabled = false doesn’t work anymore, the most useful thing i can do is to kill firefox of my computer!
Such a bullshit sry, but that’s ridiclous! There are countless devices which are not encrypted, like for example my router in my home network! And that bullshit browser doesn’t let me log into it, fuck off firefox! I switch back to chrome even when i know, my things get tracked there because i need something that works!
nice. it was helpful