Starting in version 36, Firefox no longer treats RC4 encryption ciphers as secure because they are breakable (i.e., a sophisticated attacker could decrypt the data you exchange with the server). Firefox does not have a specific message in the UI to let you know this, but if you look at the site in Google Chrome, click the padlock, and view the Connection information, you will see this specific issue mentioned there. (Screenshot attached for reference.)

eBay, on the other hand, gives me a green lock. (Screen shot attached.) So that one is more alarming to me if you get a warning there...

Note that Firefox shows warning messages in the Browser Console and in the Web Console

• https://developer.mozilla.org/Tools/Browser_Console
• https://developer.mozilla.org/Tools/Web_Console

This site uses the cipher RC4 for encryption, which is deprecated and insecure. www.huntington.com
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More]

• https://developer.mozilla.org/en-US/docs/Security/Weak_Signature_Algorithm

cor-el said

Note that Firefox shows warning messages in the Browser Console and in the Web Console

• https://developer.mozilla.org/Tools/Browser_Console
• https://developer.mozilla.org/Tools/Web_Console

This site uses the cipher RC4 for encryption, which is deprecated and insecure. www.huntington.com
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More]

• https://developer.mozilla.org/en-US/docs/Security/Weak_Signature_Algorithm

What this does not explain is what's actually going on.

As far as I know, if a website supports a wide range of encryption ciphers, in a specific order, the browser will use the best one first. There are still lots of browsers out there that only support RC4, so sites cannot really turn this off.

What I would like to know is, does the grey ! and the console warning mean that the site you are connecting to supports RC4, and therefore be careful, or that you are currently connected using RC4 cipher, which is very different indeed...

wcndave said

What I would like to know is, does the grey ! and the console warning mean that the site you are connecting to supports RC4, and therefore be careful, or that you are currently connected using RC4 cipher, which is very different indeed...

It means the second one: Firefox couldn't connect with a cipher better than RC4 so that is what is in use.

Some servers actually offer only one cipher, probably for maximum backwards compatibility. You can use the following test page to see what ciphers are offered: https://www.ssllabs.com/ssltest/

jeffk1 said

Every time I try to log in to my bank's secure website with Firefox at https://www.huntington.com/ I get a grey triangle icon with exclamation point and the message when I hover over is "This website does not provide identity information".

The huntington.com online banking site is currently using obsolete, substandard SSL security algorithms, which IMHO is completely inexcusable for a financial institution. I wrote a complaint to their security department at idtheft@huntington.com and highly recommend other customers complain loudly as well, to make this a higher priority for them.

Below is their response. It has the feel of a form letter and is not signed by the unnamed author.

From: <Mailbox-IDTheft@huntington.com> Subject: RE: Huntington.com website security question

We are dedicated to your online safety and security and use sophisticated technology to provide a secure online experience. However, we also continually strive to remain on the cutting edge of Internet technology which is why we are in the process of further strengthening our SSL security to meet the increased security requirements that Chrome and Firefox recently implemented.

IT Security Analyst

The Huntington National Bank 7 Easton Oval EA3W21 Columbus, OH 43219 huntington.com