Browsers highlighting insecure login forms
If your site has a login form, make sure you are using HTTPS, as the major browsers are starting to warn users about the lack of encryption.
If your website loads a form containing an input with type="password", browsers assume this means you have some form of login in place. Chrome and Firefox have started highlighting to users where these forms are insecure.
Chrome no longer displays padlock
We have previously posted how Chrome is dropping the padlock symbol for minor errors and replacing it with the standard HTTP icon. For any website that contains a login form that posts to an HTTP page, the padlock will no longer be shown. Make sure your login form action posts to HTTPS.
Firefox to mark login forms as insecure
Firefox has taken it a step further. From Firefox 44, any login form that is shown over HTTP or posts to HTTP will have an affirmatively insecure icon presented to the user.
UK Business Forums is a place where I regularly hang out. As with many forums, the login is not loaded over HTTPS.
But my form posts to HTTPS, is that OK?
We get asked this quite a lot. The form is hosted on plain HTTP but posts to HTTPS. This is still insecure: the HTTP page itself is neither encrypted nor authenticated, so anyone who can tamper with that page can change where the login form posts, and the user will see no errors at all. This is why Chrome and Firefox have started highlighting to users that this is unsafe.
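The condition the browsers check, whether the page carrying the password field is served over HTTPS and whether the form's action resolves to HTTPS, is easy to audit yourself before a browser does it for your users. The following is an added example written for this page, not code from the original post or from any browser; it is a simplified version of the browser heuristic (a page served over HTTP, or a form whose resolved action is not HTTPS, is flagged) and uses a constructed sample page on the hypothetical host forum.example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> and note whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of [action attribute, has_password_field]
        self._current = None   # the form entry currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names for us
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form on the page.

    Each finding records the resolved form action, whether the form is
    secure under the browser rule (page over HTTPS and action over HTTPS),
    and the list of reasons it was flagged.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue  # search boxes and similar forms are not login forms
        # An empty or relative action resolves against the page URL, which is
        # exactly how a protocol-relative "//host/login" ends up on plain HTTP.
        target = urljoin(page_url, action)
        target_scheme = urlsplit(target).scheme.lower()
        reasons = []
        if page_scheme != "https":
            reasons.append("page served over " + page_scheme)
        if target_scheme != "https":
            reasons.append("form posts to " + target_scheme)
        findings.append({"action": target, "secure": not reasons, "reasons": reasons})
    return findings


# Constructed sample page: a login form that posts to HTTPS plus an unrelated search form.
SAMPLE_HTML = """
<html><body>
<form action="https://forum.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    # The same HTML is fine when the page itself is HTTPS, and flagged when it is not.
    for page in ("http://forum.example/", "https://forum.example/"):
        for finding in audit_login_forms(page, SAMPLE_HTML):
            status = "OK" if finding["secure"] else "INSECURE: " + "; ".join(finding["reasons"])
            print(page, "->", finding["action"], status)
```

Run it against the HTML of your own login page with the URL it is actually served from; a finding with "page served over http" is the situation described in this section, where the action is HTTPS but the page carrying the form is not.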
How to secure your login form
- Always use an SSL/TLS certificate on your site for login pages
- Use an EV certificate on login pages for additional security against phishing
- Consider switching your site to 100% HTTPS
- Use .htaccess to force your login pages to always be served over HTTPS