Firefox: Too Secure?

Created by Justin D. Trout (Association Technology Solutions (ATS)) on May 24, 2005

Of course there's no such thing as too secure - at least not in my mind. But I did run into an interesting happening with Firefox this morning that I thought I'd share. As I researched the problem, I noticed that there was very little documentation about it on the Web, so I'll add to that a bit. But I'm getting ahead of myself...

A user was registering for the 2005 EDUCAUSE/Dartmouth PKI Deployment Summit (with Firefox, of course). He was not logged in to the site, so when he clicked "Register online using our secure server", he was presented with a login screen. The login page was, obviously, https. However, when he entered his information and clicked the "Log In" button, he got a popup that read as follows:
Although this page is encrypted, the information you have entered is to
be sent over an unencrypted connection and could easily be read by a
third party.
Wow, that's not cool! EDUCAUSE is very concerned about security - jumping out of a secure connection is a rookie mistake that I just wouldn't make!

First stop was the code. Nothing unusual there, all of my URLs were relative, so we couldn't have been losing https along the way... So off to Google. After a bit of looking, I found one suggestion that hit the nail on the head. The way the login is implemented, the login form submits to a javascript. The javascript does some setting of form variables and such depending on the page you're logging in from, then submits the login form. It turns out that Firefox, because it doesn't know exactly what the javascript is going to do on the client side, has to assume that the javascript is submitting the form data to an unencrypted page. Even though that wasn't the case here, that's where the popup message was coming from. So it was an easy fix - change the form action to the actual destination, and move the call to the javascript function to the onsubmit action of the form. Sure enough, problem solved.

I think this illustrates one of the great features of Firefox, though. Sure, as a developer, I'm annoyed that they don't interpret the javascript first and popup a message only in the case that it's necessary. However, as a regular internet user, I'm so happy that there's a browser option out there that takes security this seriously. It won't surprise anyone reading this to hear that Internet Explorer didn't question the security of that process at all. Score one more for Firefox.

JT's blog
Login or register to post comments
5449 reads

		Firefox: Too Secure? Created by Justin D. Trout (Association Technology Solutions (ATS)) on May 24, 2005 Of course there's no such thing as too secure - at least not in my mind. But I did run into an interesting happening with Firefox this morning that I thought I'd share. As I researched the problem, I noticed that there was very little documentation about it on the Web, so I'll add to that a bit. But I'm getting ahead of myself... A user was registering for the 2005 EDUCAUSE/Dartmouth PKI Deployment Summit (with Firefox, of course). He was not logged in to the site, so when he clicked "Register online using our secure server", he was presented with a login screen. The login page was, obviously, https. However, when he entered his information and clicked the "Log In" button, he got a popup that read as follows: Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Wow, that's not cool! EDUCAUSE is very concerned about security - jumping out of a secure connection is a rookie mistake that I just wouldn't make! First stop was the code. Nothing unusual there, all of my URLs were relative, so we couldn't have been losing https along the way... So off to Google. After a bit of looking, I found one suggestion that hit the nail on the head. The way the login is implemented, the login form submits to a javascript. The javascript does some setting of form variables and such depending on the page you're logging in from, then submits the login form. It turns out that Firefox, because it doesn't know exactly what the javascript is going to do on the client side, has to assume that the javascript is submitting the form data to an unencrypted page. Even though that wasn't the case here, that's where the popup message was coming from. So it was an easy fix - change the form action to the actual destination, and move the call to the javascript function to the onsubmit action of the form. Sure enough, problem solved. I think this illustrates one of the great features of Firefox, though. Sure, as a developer, I'm annoyed that they don't interpret the javascript first and popup a message only in the case that it's necessary. However, as a regular internet user, I'm so happy that there's a browser option out there that takes security this seriously. It won't surprise anyone reading this to hear that Internet Explorer didn't question the security of that process at all. Score one more for Firefox. Cybersecurity \| Data Security \| Web Administration, Design, and Development \| Web Browsing JT's blog Login or register to post comments 5449 reads
		© Copyright 1999-2009 EDUCAUSE Need Help? \| Feedback \| Privacy Policy
	Unless otherwise noted, EDUCAUSE holds the copyright on all materials published by the association, whether in print or electronic form. In certain cases the work remains the intellectual property of the individual author(s) (see Special Circumstances). Content from conference speeches, presentations, blogs, wikis and feeds reflect the opinions of the author, and not necessarily those of EDUCAUSE or its members.