This is the PostToInsecureFromSecureMessage: "Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party"

The "PostToInsecureFromSecureMessage" warning can't be suppressed, it is too important. You will get that warning if you go from a secure https connection to an insecure http connection and POST data entered in a form on a secure site is send to an http server.

The warning tells you that you are sending data from a secure site to a non secure http url. You can usually avoid such an alert if you directly go to the login page and not via a link on the http home page that has a redirect back to that page once you have logged on via a secure https connection.

See also [/questions/962465]

Not much help are you?

It is a problem with the server setup and Firefox or you can't do much to avoid this.

You have entered data while using as secure https connection and the server redirects to a web site that has a normal http: protocol, so Firefox informs you about this.
It is up to you to decide how to proceed and you can choose to contact the website to inform them about this and aks them to correct this by using a secure connection in all cases.

You may also be able to avoid this by first signing in and then go to other pages on the server that may not be encrypted. Only if you let the server redirect you you will get this notification.

It is simply unrealistic for Mozzila to expect huge multinational corporations to change the way their site works. The fact is that many logons to many websites are not important enough to warrant this warning. I simply don't care if my session to MSDN forums is hijacked, yet I have to deal with this warning every single time I go to a MS site. It's been this way, as far as I can tell, going back to 2006 and nothing has changed.

Please add a way to disable, or at least, whitelist sites out of this warning. It doesn't have to be an exposed setting. You can bookend it with as many "this is a bad idea" warning messages as you want.

This is seriously pissing off users for absolutely no reason other than Mozilla taking a presumed "high road" to security. The problem is that if you warn too much, people stop paying attention, and this is FAR WORSE than allowing them to ignore this message on sites that behave badly from a security perspective for which the end user *doesn't care*.

Mozzila, I don't think you really understand how often this warning comes up. I have already logged in to the secure site and have conducted & concluded my business, but I get this warning when I leave the secure site to continue on. Very Very Annoying. Even with Microsoft IE I do get this pain in the ass. What is wrong with you that you keep sprouting this drivel? You have many complaints that this is unacceptable and unnecessary. Its an easy fix so just make it happen and stop making excuses.

So I decided to see if there was a way to work around this using Greasemonkey and I did figure it out for Microsoft sites. I uploaded the script here: http://userscripts.org/scripts/show/173384

Basically it looks for the insecure connection in form submissions when going through the "live.com" authentication process and then changes http to https.

This method should be able to be adapted for other sites where the warning appears.

Hi outaluck, you said this comes up often, but you should not get this message when you navigate from a secure site to an insecure site using a link or using a GET request, only when a POST is submitted from a secure site to an insecure site. Is that really a common scenario?

Are there particular sites you use regularly that have this problem and, if so, can you give a URL or two?

@jscher2000 - Speaking for myself and trying not to totally hijack this thread... Log into a Microsoft site using a Microsoft ID. For example, MSDN or TechNet forums. If you don't get a warning at that time, Google for any Microsoft KB, or tech support topic (easiest search). Click on the link. It will bounce briefly over to live.com to verify your account. When it does this, the warning appears. This is for *every* microsoft page found via Google (or Bing) that requires a logon. I got the warning 20-30 times per day in normal usage until I made that Greasemonkey script.

EDIT: I should point out that in this particular case, what is happening behind the scenes is that a page is rendered out with a form and then javascript is submitting the form, so that's how it ends up being a POST and not a regular redirection. Why it was designed this way, I have no idea, but it's Microsoft, so it's probably better not to ask.

I've seen it on other pages, but I can't think of them offhand because it was just random sites I found on google. Hopefully outaluck can give you more examples. But I really think the hundreds of thousands of pages on Microsoft alone should be sufficient to address this. It's not like that's an obscure blog or something.

Internet Explorer has always had the option to disable this warning on a zone. What I would do, in this case, is disable that warning on the Trusted Zone and if I ran into this issue on a site I trusted, I added it to the Trusted Zone. Firefox could implement something similar where you have basically a whitelist of sites in some settings in about:config that ignore this warning for those sites only. That way the security warning is enabled across the board unless a specific site is annoying you and you don't care.

If you need the example to be specific, here you go.

1. Go to http://social.technet.microsoft.com/Forums/systemcenter/en-US/fe0b74d7-0f27-4124-a8f6-c2b8918f793f/sccm-2007-r2-policy-table-large-and-growing-fast

2. Log in (upper-right corner)

3. Google for kb2808679

4. Click on the link and the warning appears after the redirects.

Hi thx1200, thank you for that example. Microsoft seems to be doing something special with MSKB for logged-in users related to translations, which generates the annoying dialogs. Definitely makes you want to log out of your Microsoft account.

I think a per-site permission is a good idea. Perhaps it is the pair of sites, the from and to, that you would approve. The CheckPost() function which detects secure-to-insecure posts knows both the URL on which the form is hosted and the URL of the destination, so that should be possible. Not that I have any idea how it would actually be done in code.

Mozilla folks.. i started having this problem just recently after installing Firefox 22, the worst update you have ever released. This warning appears constantly regardless of how I get to webpage. I have read all the articles on this issue and it seems the best reply you can offer is something along the lines of 'put up with it because it's for your own protection.' Please, don't patronize us. You have really messed up badly with Firefox 22 yet you don't seem to be willing to own up to it. I came to the Support page looking for help with this issue, among other issues that started right after Installing stupid Firefox 22, but all I read is a bunch of BS excuses and no solutions. Many of us don't have to time or care to be tweaking and retweaking this or that every time you come up with a new idea you 'think' we will love.You have made me waste precious hours fixing all the problems you cause with your irresponsible attitude. And now you are venturing into the mobile phone business, yet you can't get release regular updates without creating havoc with our settings. I certainly would discourage anyone from even checking out your new services. I don't know what has happened at your end but you have certainly changed and it's not for the better. I'm, about to ditch Firefox altogether, not that you seem to care one way or the other. I tend to be a loyal customer but I'm sorry to say you have lost my trust and you are not doing anything to regain it. Please reconsider your self-serving replies, eat some humble pie and start to come up with solutions to the problems you have caused us before it's too late to recover your prestige. Thank you.

Hi Misuko, unfortunately as you know there is no configuration option for this issue.

Is there a particular site that torments you, like the above example of MSKB for logged in users? We might be able to assist with a workaround.

There are support volunteers here, not Firefox developers or UI designers, so workarounds are what we can offer. You also can make your voice heard using

Help > Submit Feedback

Hello, yes, this is total BS. I cannot express my annoyance enough.

While I know nothing much about details about computers, I suspect it has something to do with government having access to information as to what we are looking at (or something??). This way it is protected by saying that a warning that accessing an undsecured site was issued.

Or something like.. I'm busy doing other things so I haven't entirely worked out the link, but it's SUSS - I mean, what the hell is this?? I 'm doing research here and every google page I go to - which should be around 100 a day - I'm getting one, sometimes 2 frueaking annoying alerts that I have to attend to - as well as a "ding" noise to go with it. WTF Firefox?

No, I haven't downloaded or updated it recently. I rarely accept updates too, so how the hell has this come about?

I don't care what the reason, just get rid of it (are you serious??). Forget it I'll use another browser.

BS.

Hi SecurityWarningStress, if you see it again, this might be a useful clue:

I'm busy doing other things so I haven't entirely worked out the link, but it's SUSS - I mean, what the hell is this??

Also, following links from Google should not POST data to sites, so you should not get the error mentioned in this thread. Well, it depends on the sites you're visiting. In the Microsoft example above, if you are logged in to your Microsoft account, a hidden form might be submitted along the way. (The difference between a GET request and POST request is that a GET loads a URL and a POST submits a form.)

If you don't want to update Firefox, you should run an updated version of a different browser for security reasons.

Hi,

perhaps it's a google thing.. it happens many times over, including in the one browsing session(!) just when I'm googling.

I've changed search engine and it's ok now.

Being spied on sucks.

Requiring GET parameter to avoid this problem sounds quite like somebody is not understanding the basics of SAML2.0 which allows only artifact or POST. For example Google uses POST so this has to be solved in a different way than just asking to use GET. Probably the issue with MS is the same, don't really know what's behind the scenes there, though.

Many organizations use the same SAML2.0 IdP for internal and external authentication so the IdP server has to be SSL protected where as many feel that they don't want/need to enable SSL for internal applications and thus run into this problem.

Just make it configurable.

The problem is a simple one and easily solved.

What's happening is that the user is logged into a secure site somewhere and has checkmarked the option to "Stay signed in". This means that even when you exit Firefox, you remain signed into to the secure server wherever that may be.

Now then, when you visit a site somewhere which isn't secure, that is to say, is prefixed with http:// instead of https:// and that site is related in some way to the one you opted to remain signed in with, the warning dialog appears to advise you that the information you have entered is to be sent over an "unencrypted connection and could easily be read by a third party etc."

To prevent the warning from appearing, log out of the site where you opted to remain signed in. It's that simple.

Here's an example which you can try to prove it to yourself. This assumes you have a Hotmail account.

Go to Hotmail, log in and checkmark the option to stay signed in. Close Hotmail, but don't log out.

Next, go to any Microsoft knowledge base article such as this one: http://support.microsoft.com/kb/2908279/en-gb

Firefox will display the dialog box because you're logged into Hotmail which is a secure site while the KB site is unsecured.

Top right of the KB site, you'll see your login details together with the option to log out. Logout and then reload the KB link. I guarantee you won't see the warning dialog because you're no longer logged in to the secure hotmail site.

Hope this helps.

I get this message twice every time I try to access a microsoft.com page from a link. I am not intentionally "posting" anything. I guess I'll have to move to Chrome ;-(

But to use Microsoft Answers you have to be logged in, then clicking on any link to a KB article I get 2 security messages. Why can't this be turned off?

No I have not entered data. No I have not entered data. No I have not entered data. No I have not entered data.

It happens twice when clicking on a link to any Microsoft KB page.