Connection not secure message

[Pee Jay]

When I enter the IP address for my router/modem 10.1.1.1 in the
address bar of Firefox (v52.0) I am now getting this message that I
have not seen before:-

This connection is not secure. Logons entered
here could be compromised. Learn more.

Apparently this is a new feature available starting in Firefox version
51.

I can see that it would be useful for external websites but not for my
local router/modem! It is just an annoyance.

Is there any way to stop the message when going to 10.1.1.1 ?

--
----------------
Pee Jay of Oz
----------------

[Andy Burns]

Pee Jay wrote:

> Is there any way to stop the message when going to 10.1.1.1 ?

Does the router support TLS? e.g. <https://10.1.1.1>

[David E. Ross]

If I change http to https for my router, the connection is refused.

--
David E. Ross
<http://www.rossde.com/>

Paraphrasing Mark Twain, who was quoting someone else:
There are three kinds of lies: lies, damned lies, and
alternative truths.

[Pee Jay]

On Thu, 9 Mar 2017 23:01:22 +0000, Andy Burns <an...@usenet.invalid>
wrote:

>Pee Jay wrote:
>
>> Is there any way to stop the message when going to 10.1.1.1 ?
>
>Does the router support TLS? e.g. <https://10.1.1.1>
>

Thanks for reply

http://10.1.1.1/ works OK

https://10.1.1.1/ gice a 404 not found message

[David E. Ross]

The problem with what you request is that not all routers are at
10.1.1.1. Mine is at 192.168.1.1, and my modem is at 192.168.100.1.

IP addresses in the range 192.168.0.0 - 192.168.255.255 are designated
as "reserved for private internets", as are IP addresses in the range
10.0.0.0 - 10.255.255.255. Thus, a router or modem might have any IP
address in those ranges. How those IP address are used is determined by
the administrators of each intranet. Thus, such IP address cannot be
whitelisted as you request because they might also be used in ways that
require security.

[WaltS48]

On 3/9/17 8:57 PM, David E. Ross wrote:
> On 3/9/2017 2:48 PM, Pee Jay wrote:
>> When I enter the IP address for my router/modem 10.1.1.1 in the
>> address bar of Firefox (v52.0) I am now getting this message that I
>> have not seen before:-
>>
>> This connection is not secure. Logons entered
>> here could be compromised. Learn more.
>>
>> Apparently this is a new feature available starting in Firefox version
>> 51.
>>
>> I can see that it would be useful for external websites but not for my
>> local router/modem! It is just an annoyance.
>>
>> Is there any way to stop the message when going to 10.1.1.1 ?
>>
> The problem with what you request is that not all routers are at
> 10.1.1.1. Mine is at 192.168.1.1, and my modem is at 192.168.100.1.
>
> IP addresses in the range 192.168.0.0 - 192.168.255.255 are designated
> as "reserved for private internets", as are IP addresses in the range
> 10.0.0.0 - 10.255.255.255. Thus, a router or modem might have any IP
> address in those ranges. How those IP address are used is determined by
> the administrators of each intranet. Thus, such IP address cannot be
> whitelisted as you request because they might also be used in ways that
> require security.
>

So, how does he stop the message from appearing in Firefox?

<https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861#firefox:linux:fx51>


--
Visit Pittsburgh <http://www.visitpittsburgh.com/>
Coexist <https://www.coexist.org/>
National Popular Vote <http://www.nationalpopularvote.com/>
Ubuntu 16.04LTS

[Reed]

There is info about this new "feature" at
https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861

What is does not make clear is you can go ahead and type your logon in
even with the message box on the screen.

I just got same message box, and was able to log into my cable modem
by typing in the logon info even though the box was there.

FF 52.0 on Mac OSX Sierra 10.12.3
IP is 10.0.0.1 Xfinity cable modem

also worked on 192.168.0.1 TP Link router

[Alex Vie]

On 10.03.2017 03:11, WaltS48 wrote:

>> IP addresses in the range 192.168.0.0 - 192.168.255.255 are designated
>> as "reserved for private internets", as are IP addresses in the range
>> 10.0.0.0 - 10.255.255.255. Thus, a router or modem might have any IP
>> address in those ranges. How those IP address are used is determined by
>> the administrators of each intranet. Thus, such IP address cannot be
>> whitelisted as you request because they might also be used in ways that
>> require security.

> So, how does he stop the message from appearing in Firefox?

You could try and set:

security.insecure_field_warning.contextual.enabled

in about:config to false.


--
'%d!' % (1337*math.pi/100)

[David E. Ross]

Aha! Another case of Mozilla wanting to protect its users without
really understanding how users work.

[Mark12547]

As far as I can determine, certificates are not issued to reserved
addresses, such as private IP addresses and link-local addresses, such
as these ranges:

10.0.0.0-10.255.255.255,
172.16.0.0-172.31.255.255,
192.168.0.0-192.168.255.255,
fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:fff, and
fe00::-feff:ffff:ffff:ffff:ffff:ffff:ffff:fff.

It seems silly then to issue warnings when communicating directly to one
of the above IP addresses instead of by hostname since there is no
certificate we can get to secure the connection to, say, our cable
modems and routers, and human nature is to start ignoring pop-up
warnings that we have to routinely ignore.

What would be catastrophic would be if Mozilla later decides that we
will not be able to log in at all when communicating to our
("unsecured") router or modem.

This just seems like another example of where some people got an idea
that in theory sounds nice but forgot about the unanticipated
consequences.

[WaltS48]

Have you checked <https://bugzilla.mozilla.org/> to see if a bug has
been filed to disable the warning for those ranges of addresses, or
filed one?

They can't fix unanticipated consequences if they are not aware of them.

[Disaster Master]

On 3/9/2017, 8:45:44 PM, David E. Ross <nob...@nowhere.invalid> wrote:

On 3/9/2017 3:01 PM, Andy Burns wrote:

If I change http to https for my router, the connection is refused.

Sometimes you have to explicitly enable it in the router config.

[Dave Royal]

On Fri, 10 Mar 2017 02:23:00 -0800, Mark12547 wrote:

> As far as I can determine, certificates are not issued to reserved
> addresses, such as private IP addresses and link-local addresses, such
> as these ranges:

> <snip>

> It seems silly then to issue warnings when communicating directly to one
> of the above IP addresses instead of by hostname since there is no
> certificate we can get to secure the connection to, say, our cable
> modems and routers, and human nature is to start ignoring pop-up
> warnings that we have to routinely ignore.
>

You can certainly secure a connection will a device like a modem, router,
or access point with a certificate - I've had several such. The
certificates are in the firmware and you often have to explicitly trust
them in Firefox. The IP address of the device is not relevant. They can
cause problems when the devices get old and the inbuilt certificates are
no longer updated: e.g. expired, unsupported ciphers.

My recent Netgear routers all used http basic authentication, not https.
That's where it displays a popup asking for a password and give a '401
Unauthorised' if you get it wrong. That still works fine in Fx 52.
--
(Remove any numerics from my email address.)

[James Moe]

On 03/09/2017 06:49 PM, Pee Jay wrote:
> Thanks for reply
>
> http://10.1.1.1/ works OK

> https://10.1.1.1/ gives a 404 not found message
>
Two options then:
1. Add a security exception in Firefox for that IP address.
2. Study the manual for the router. Does it offer an option to connect
with HTTPS? Unless the router is particularly old or quite primitive, it
should.

--
James Moe
jmm-list at sohnen-moe dot com
Think.

[David E. Ross]

On 3/10/2017 10:44 AM, James Moe wrote:
> On 03/09/2017 06:49 PM, Pee Jay wrote:
>> Thanks for reply
>>
>> http://10.1.1.1/ works OK
>> https://10.1.1.1/ gives a 404 not found message
>>
> Two options then:
> 1. Add a security exception in Firefox for that IP address.
> 2. Study the manual for the router. Does it offer an option to connect
> with HTTPS? Unless the router is particularly old or quite primitive, it
> should.
>

My Netgear router was purchased as new 24 Dec 15. That means it is 14
months old. It does not allow me to connect via HTTPS.

[Pee Jay]

On Fri, 10 Mar 2017 11:44:43 -0700, James Moe
<jimoeD...@sohnen-moe.com> wrote:

>On 03/09/2017 06:49 PM, Pee Jay wrote:
>> Thanks for reply
>>
>> http://10.1.1.1/ works OK
>> https://10.1.1.1/ gives a 404 not found message
>>
> Two options then:
>1. Add a security exception in Firefox for that IP address.
>2. Study the manual for the router. Does it offer an option to connect
>with HTTPS? Unless the router is particularly old or quite primitive, it
>should.

Thanks for reply

I tried to add security exception to Firefox but got message that
10.1.1.1 already has a certificate! So could not add.

Nothing in router manual or the settings page about using https

BTW the router is MediaAccess TGiiNet-1

[Pee Jay]

Thanks for reply

There is nothing in router config to allow this

MediaAccess TGiiNet-1

[Pee Jay]

On Fri, 10 Mar 2017 08:39:15 -0500, WaltS48 <thali...@REMOVEaol.com>
wrote:

>On 3/10/17 5:23 AM, Mark12547 wrote:
>> As far as I can determine, certificates are not issued to reserved
>> addresses, such as private IP addresses and link-local addresses, such
>> as these ranges:
>>
>> 10.0.0.0-10.255.255.255,
>> 172.16.0.0-172.31.255.255,
>> 192.168.0.0-192.168.255.255,
>> fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:fff, and
>> fe00::-feff:ffff:ffff:ffff:ffff:ffff:ffff:fff.
>>
>> It seems silly then to issue warnings when communicating directly to one
>> of the above IP addresses instead of by hostname since there is no
>> certificate we can get to secure the connection to, say, our cable
>> modems and routers, and human nature is to start ignoring pop-up
>> warnings that we have to routinely ignore.
>>
>> What would be catastrophic would be if Mozilla later decides that we
>> will not be able to log in at all when communicating to our
>> ("unsecured") router or modem.
>>
>> This just seems like another example of where some people got an idea
>> that in theory sounds nice but forgot about the unanticipated
>> consequences.
>
>
>Have you checked <https://bugzilla.mozilla.org/> to see if a bug has
>been filed to disable the warning for those ranges of addresses, or
>filed one?
>
>They can't fix unanticipated consequences if they are not aware of them.

Thanks for reply. I have now been to bugzilla and submitted the
problem.

[David E. Ross]

Your bug #1346401 was closed as being a duplicate of bug #1337246. I
suggest you read the comments for that latter bug at
<https://bugzilla.mozilla.org/show_bug.cgi?id=1337246>. Effectively,
some developers have the same concerns about whitelisting internal IP
addresses that I expressed in an earlier (yesterday) reply to this thread.

[James Moe]

On 03/10/2017 03:21 PM, Pee Jay wrote:
>
> I tried to add security exception to Firefox but got message that
> 10.1.1.1 already has a certificate!
>

That is a contradictory result.
The usual way to discover a SSL certificate is by connecting with
HTTPS. A cert cannot be offered with HTTP. So how could FF think the
site already has a certificate when there is no way to get one? Had you
added an exception for another router, or that IP address, in the past?
A more detailed description of the error message(s) would help.

[James Moe]

On 03/10/2017 02:38 PM, David E. Ross wrote:
>
> My Netgear router was purchased [...]
>
Netgear. Pah! Don't get me started...

[Pee Jay]

Hi James

Never added an exception before.

Full error message is:-

Valid Certificate
This site provides valid, verified identification. There is no
need to add an exception

--
----------------
Pee Jay of Oz
----------------

---
This email has been checked for viruses by AVG.
http://www.avg.com

[James Moe]

On 03/12/2017 09:31 PM, Pee Jay wrote:
>
> Valid Certificate
> This site provides valid, verified identification. There is no
> need to add an exception
>

To recap:
1. You connect to the router with HTTP
2. You receive a page that proclaims an insecure connection with much
scarieness
3. You attempt to add an exception for the un-secure connection (!)
4. You receive the above comment that the certificate is valid

I cannot get past step 2. If the connection is plaintext HTTP, why is
FF complaining about it? How has FF decided that the connection should
be secure?
Hmm. Possibly FF sees a login page? Then the credentials would be sent
in the clear. Still, you should have the option to proceed, and to add
an exception.

[Reed]

On 3/13/17 3:50 PM, James Moe wrote:
> On 03/12/2017 09:31 PM, Pee Jay wrote:
>>
>> Valid Certificate This site provides valid, verified
>> identification. There is no need to add an exception
>>
> To recap: 1. You connect to the router with HTTP 2. You receive a
> page that proclaims an insecure connection with much scarieness 3.
> You attempt to add an exception for the un-secure connection (!) 4.
> You receive the above comment that the certificate is valid
>
> I cannot get past step 2. If the connection is plaintext HTTP, why
> is FF complaining about it? How has FF decided that the connection
> should be secure? Hmm. Possibly FF sees a login page? Then the

> credentials would be sent in the clear. Still, *you should have the
> option to proceed*, and to add an exception.
>

To proceed, simply go ahead and ignore the warning box and type in
your login.
Works for me on both router and modem.

Assuming the box does not completely cover the login area. It only
partially covers mine.

[David E. Ross]

This is the result of a new "feature" that treats all non-HTTPS Web
addresses as risky. See bug #1319119 at
<https://bugzilla.mozilla.org/show_bug.cgi?id=1319119>.

[Arlette Harcourt]

Thank you David, a very good explanation of Firefox wanderings. I am very sad because I started with Ff at #3 and loved that browser until they fired their CEO and made a mess of that poor website.
I use it out of goodwill but if & when it crashes or messes up, I open Chrome and get some real work done!
I wish we could have a referendum and fire that bunch a hare heads, then appoint a new and reliable CEO again.

_______________________________________________
support-firefox mailing list
support...@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-firefox
To unsubscribe, send an email to support-fir...@lists.mozilla.org?subject=unsubscribe