HTTPS laggard complains when Firefox warns of insecure login page | Ars Technica UK


The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla’s Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn’t suitable for the transmission of passwords.”Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission,” a person with the user name dgeorge wrote here (update: the link is no longer public). “Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.”
Update: Around the same time this post was going live, participants of this Reddit thread claimed to hack the site using what’s known as a SQL injection exploit. Multiple people claimed that passwords were stored in plaintext rather than the standard practice of using cryptographic hashes. A few minutes after the insecurity first came up in the online discussion, a user reported the database was deleted. Ars has contacted the site operator for comment on the claims, but currently Ars can’t confirm them. The site, http://www.oilandgasinternational.com, was displaying content as it did earlier at the time this update was made.

Source: HTTPS laggard complains when Firefox warns of insecure login page | Ars Technica UK