On my Mac and PC, 'connection is not secure' lock appears intermittently on my own site, refresh the page, it goes away?
On my site, www.raildig.com, the 'connection is not secure' lock appears intermittently. This happens on my Mac and PC, and I'm not running anti-virus software on the Mac (High Sierra). If I refresh the page, the lock sometimes goes away, refresh again, it may come back. Seems very random.
This site has no login section for users. Is there a tool to track down why I'm seeing this 'connection is not secure' lock?
Thanks, John
All Replies (13)
This is likely caused by the presence of mixed content. I see a lot of messages in the Web Console about "Loading mixed (insecure) display content" if I use a HTTPS connection and not an open HTTP connection.
Modified by cor-el
I would understand if this was a secure site, but from the page you linked to:
When an HTTPS page has HTTP content, we call that content mixed
My homepage, my site, is not a secure site, there was never a need to be. Seems FF is applying secure site rules to a non-secure (by design) site.
Also the fact that upon refreshing the homepage, the lock with a red line over it sometimes appears, sometimes doesn't appear is strange too. This really does seem to be an issue with FF.
Modified by JPC60
Well there go a few hours that I won't get back. This 'connection is not secure' lock appearing intermittently has become really irritating with no end in sight.
Now the warning lock read, 'Logins entered on this page could be compromised', except there are no logins on my pages, any of them.
I've gone through this as much as I'm able to, and though free and a great browser otherwise, this FF behavior is really annoying and a potential problem is users avoid my site as a result.
If FF can detect this phantom problem it sees, might be nice it it spelled out what it thinks the problem is.
You can remove the warning in the location bar by setting this pref to false on the about:config page.
- security.insecure_password.ui.enabled = false
You can disable the warning that opens when you type in a name/password field by setting this pref to false.
- security.insecure_field_warning.contextual.enabled = false
You can open the about:config page via the location/address bar. You can accept the warning and click "I accept the risk!" to continue.
Thank you, I know I can do this but I was trying to determine why FF was doing this 'connection is not secure' in the first place. My concern isn't that I see it, as much as visitors to my site seeing it and being put off as a result.
Unless I'm wrong, and that's very possible, this looks like FF is overly aggressive in warning people about a problem that doesn't exist. Again if I'm wrong I'd be more than happy to fix whatever the problem is.
Again here's the site: http://www.raildig.com/ And the warning FF gives: Logins entered on this page could be compromised
Where are the logins? Seems like a mistake from FF, doesn't it?
Modified by JPC60
It's not you, it's Twitter. But it's partly you.
I run the NoScript extension, which blocks scripts from http://twitter.com by default. (Firefox's Tracking Protection feature also blocks it.) If I make an exception and allow the script to load, it triggers the "slashed lock" icon. (See attached screenshot.)
Suggested workaround: change all of your Facebook and Twitter <script src=""> URLs to HTTPS links to bypass this issue. I can't test that on your site, but I think it should work. And it's much better for your users than having Firefox potentially pass their social site credentials and/or cookies over an insecure connection.
Actually, that turns out to be a bit difficult to find. In this script (I have broken the lines to make it post-able):
<script>!function(d,s,id){
var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';
if(!d.getElementById(id)){js=d.createElement(s);
js.id=id;
js.src=p+"://platform.twitter.com/widgets.js";
fjs.parentNode.insertBefore(js,fjs);
}
}(document,"script","twitter-wjs");</script>
Try:
<script>!function(d,s,id){
var js,fjs=d.getElementsByTagName(s)[0],p='https';
if(!d.getElementById(id)){js=d.createElement(s);
js.id=id;
js.src=p+"://platform.twitter.com/widgets.js";
fjs.parentNode.insertBefore(js,fjs);
}
}(document,"script","twitter-wjs");</script>
Holy Moly... this is incredibly nice of you! I will try this tonight when I get in but I just wanted to quickly say thank you!
I did use your correction suggestions with FB and Twitter. It worked with FB, but not Twitter. Just for the heck of it I tried a few Twitter feed plugins, all resulted in the red slash through the lock warning.
I've decided just to pull the Twitter feed from my site and leave a simple Twitter logo link to my Twitter page. Hey, it's a 50% success rate with my social media feeds!
Thanks again very much for the help, and I do wish Twitter would have played nicer, but that warning on my site just isn't worth it for a Twitter feed.
Hi John, if you decide to re-add the Twitter widget, see whether they have an option to force HTTPS instead of using the same protocol as your page. Or paste my code example.
I actually did paste your example code, but got the slashed lock again. Very strange. Poking around online I see this isn't a rare occurrence. You'd think Twitter would have this sort of thing addressed.
Wouldn't it work if you leave out the protocol and only use the "//" ? Normally that would make a browser use the same protocol as the main page or are there browsers that do not support this?
cor-el said
Wouldn't it work if you leave out the protocol and only use the "//" ? Normally that would make a browser use the same protocol as the main page or are there browsers that do not support this?
I think we need to force HTTPS to prevent Firefox displaying the insecure login form warning icon.