Firefox Site Identity button
Hi I have a problem with the identity button feature as it is also described here: https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure?as=u&utm_source=inproduct
What led to this article is a situation in which I was redirected to paypal from another site, in order to complete a purchase. (see the attached picture)
As seen in the picture the URL is marked with the gray Triangle, and I am wondering what exactly does the message "The site does not supply identity information" mean. 1. Can it be that this site not "paypal.com", although it is written in the URL? 2. If it is paypal, is it not safe to complete the transaction? 3. Is it possible that Paypal does not have certificate?
I checked the last question, simply went directly to paypal.com . I got the green padlock.
My feeling is that in many cases, the saying "Can't see the forest for the trees" somehow describes the situation a regular user is tackled with. The differences between "The site does not supply identity information" (gray Triangle) "The website's address has been verified" (Gray padlock) "The connection between Firefox and the website is only partially encrypted and doesn't prevent eavesdropping" (Orange Triangle) Are not really clear, and it is not clear whether THE IMPORTANT DATA is safe or not. What or why do i care if the image is not encrypted, if the credit card details are? Please advise
tx
Soluzione scelta
If the image that is not being served securely is from a URL you believe you can trust and that is related to the transaction, then I personally wouldn't worry too much.
You could block the image temporarily if you like, and then unblock it when you return to the site. To block images from a site, right-click a blank area of the page, choose View Page Info, then the Media icon at the top. Find the problem image in the dialog and then check the box above the preview area in the lower part of the dialog to block images from that site.
Close the dialog and reload the page, and there should no longer be mixed content.
To undo that, when you return to the main site, you can find a blocked image on the Media panel and uncheck that box.
Leggere questa risposta nel contesto 👍 2Tutte le risposte (14)
"why do i care if the image is not encrypted, if the credit card details are?"
Not an ideal situation to do a financial transaction when that grey triangle is showing. Any non-encrypted connection could conceivably create a vector for a "man-in-the-middle attack", especially if the transaction is made thru a WiFi access point. Steganography can be used to embed malicious code in an image file, and quite possibly send a copy of data to a different server.
If there is mixed passive content (e.g. images) then Firefox shows an exclamation mark instead of "Site Identity Button" (globe/padlock) on the location/address bar.
You can check in the Web Console (Firefox/Tools > Web Developer) what content is involved.
Check on the Network tab if content is marked with a red warning. You can reload web page(s) and bypass the cache to generate a fresh log.
- Hold down the Shift key and left-click the Reload button
- Press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows,Linux)
- Press "Command + Shift + R" (Mac)
Thanks
cor-el said
If there is mixed passive content (e.g. images) then Firefox shows an exclamation mark instead of "Site Identity Button" (globe/padlock) on the location/address bar. You can check in the Web Console (Firefox/Tools > Web Developer) what content is involved. .....
This is my point. At least part of it...These tools are aimed to developers, who can read and understand this stuff. Most people can not....
the-edmeister said
"why do i care if the image is not encrypted, if the credit card details are?" Not an ideal situation to do a financial transaction when that grey triangle is showing. Any non-encrypted connection could conceivably create a vector for a "man-in-the-middle attack", especially if the transaction is made thru a WiFi access point. Steganography can be used to embed malicious code in an image file, and quite possibly send a copy of data to a different server. https://en.wikipedia.org/wiki/Man-in-the-middle_attack
I went over the Man-in-the-middle_attack article not my field so I have difficulties to understand it fully. ...does it mean that even though the password for instance is encrypted, the third party can actually decrypt it, and use it later? As I understand it ALL data on the web is exposed and can be intercepted, and because it is encrypted, it doesn't really matter. Do I get it right?
I don't understand it completely, either. I'm more of a "hardware guy". MiM has a lot more to do with the data stream that is being transmitted than merely with the password. One mixed content connection could leave you vulnerable. IMO, PayPal oughta know better. And usually it is advertisements that make for the "mixed content" warning that we see.
I am really confused. It should be either safe or not. What a user should do with such warnings...I really do not understand. Is it possible to site like paypal will knowingly will be unsafe? Is it possible to it will enable its partners, like in my case a shopping site, make the transaction unsafe?
Is it really the third party fault?
If yes, Paypal is big and strong enough to enforce better security on everyone who wants to work with it. ...
I checked the same transaction with Google chrome (attached image) They also indicate something about something is not safe, but it looks like they make the distinction between paypal and the other site. It feels a bit more secure. But I admit, I am confused. Very.
I love to hear someone who can explain this better...
tx
That last screenshot seems to indicate that a weak or obsolete cipher suite is used, but there seem to be elements on the page that are retrieved via an open HTTP connection.
Can you post a link to this specific Paypal page, so we can check the content?
Do you see any HTTP links in "Tools > Page Info > Media"?
You can try to use this extension to see more details about the connection.
Confusingly, the gray triangle can be generated by either of those problems, mixed passive/display content, and a poor level of secure connection. But it's strange that a payment provider like PayPal would have either of those issues.
Sorry for the late response
cor-el said
That last screenshot seems to indicate that a weak or obsolete cipher suite is used, but there seem to be elements on the page that are retrieved via an open HTTP connection.
It is strange for me that paypal allows this...Although I am not sure, bottom line, whether it is safe or not...
cor-el said
Can you post a link to this specific Paypal page, so we can check the content?
Not really. It is not a direct Paypal link. This page is generated when one chooses to pay for a purchase using Paypal, than he is redirected to paypal to a page displaying on the left the shopping chart from the site with its logo, and on the right side, the paypal login and confirmation. This time I bought from geekbuying.com geekbuying.com. Simply registered the site, start a purchase process, choose Paypal payment, and you will get the same page.
cor-el said
You can try to use this extension to see more details about the connection.
See the attached image
cor-el said
Do you see any HTTP links in "Tools > Page Info > Media"?
See the attached image. The only HTTP link is the site logo image.
tx
I assume the site passes the address of its logo when it sends you to Paypal, so probably the site needs to change that little bit of code to open the logo from an HTTPS URL. Or if they don't have an SSL cert for their site, then... you end up with mixed content.
I'm sorry...but what is the conclusion here? Is there any at all?
Soluzione scelta
If the image that is not being served securely is from a URL you believe you can trust and that is related to the transaction, then I personally wouldn't worry too much.
You could block the image temporarily if you like, and then unblock it when you return to the site. To block images from a site, right-click a blank area of the page, choose View Page Info, then the Media icon at the top. Find the problem image in the dialog and then check the box above the preview area in the lower part of the dialog to block images from that site.
Close the dialog and reload the page, and there should no longer be mixed content.
To undo that, when you return to the main site, you can find a blocked image on the Media panel and uncheck that box.
IMO, Mozilla / Firefox is being overly cautious with that "only HTTP link is the site logo image", more so than most other browsers might be with a solitary image. But considering the current state of the internet with seemingly everyone getting hacked is "overly cautious" a bad thing?
When doing a financial transaction I won't proceed unless there is a gray or green lock being displayed. And when the Site Identity button was first introduced if I encountered a "mixed content" warning - I wouldn't proceed and I would contact the website about it. Some websites responded and thanked me for reporting it - they fixed their website. While others came up with crap like "no problems with IE or Chrome" and advised me to use a different browser - those websites lost my business due to not taking their responsibilities towards security seriously. Really. how hard is it to have another copy of that image on a secure server? IMO, sloppy security to break the connection status for that transaction with that image coming from a non-secure server.
jscher2000 said
If the image that is not being served securely is from a URL you believe you can trust and that is related to the transaction, then I personally wouldn't worry too much.
Although I made the transaction at the time, and started to check this after because it bothered me, I can not say that "believing" should play a role here.
Regardless of the origin site. If there is a hole, it can be used by also a third party.
I will try to ask paypal why they allow this (although I doubt they will respond), and the shopping site as well. Interesting I think.
jscher2000 said
You could block the image temporarily if you like, and then unblock it when you return to the site. To block images from a site, right-click a blank area of the page, choose View Page Info, then the Media icon at the top. Find the problem image in the dialog and then check the box above the preview area in the lower part of the dialog to block images from that site.
I tried that, and after reloading the page, security warning was gone. the button became green padlock. Thanks. I now understand better.
the-edmeister said
IMO, Mozilla / Firefox is being overly cautious with that "only HTTP link is the site logo image", more so than most other browsers might be with a solitary image. But considering the current state of the internet with seemingly everyone getting hacked is "overly cautious" a bad thing?
I didn't mean to say "only the image, so it is not important" I meant "There is only one like. Fact"
Not bad to be cautious, but I think something is missing here. I bet 90% of the users would not know what to do with that warning (if they will notice it at all). They simply wont understand the bottom line. So, they simply will ignore that. And that is missing the main issue, security. The way Firefox (as well as chrome) is handling such a case, is not so good. I think.
Hi OJNSim, Firefox does have the option to block insecure display content in a secure page. By default, only insecure active content is blocked. If you want to try the more aggressive setting, you can change that here:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste mix and pause while the list is filtered
(3) Double-click the security.mixed_content.block_display_content preference to switch it from false to true
I'm sure there is a document somewhere on why the defaults are set as they are but since this is a rather old feature now, I can't recall what I've seen.