The developer of Oil and Gas International (OGI), a Texas-based website for petroleum industry news, has filed a complaint on the Mozilla bug tracker, accusing Firefox of wrongly labeling his website as insecure.
The warning message, which appears as a sticky dropdown underneath login fields, reads: "This connection is not secure. Logins entered here could be compromised. Learn More".
Because the OGI website was, and still is, running on plain HTTP, the popups scared OGI readers, who most likely complained to OGI's owner, a man who goes by the name of Dev George. In turn, Dev George went on Mozilla's bug tracker to file a complaint with those nosy Firefox devs who had the audacity to warn his site's users without his permission.
Neither the Firefox nor the web development community took kindly to Dev George's criticism of Mozilla. The Mozilla bug was locked from public access to avoid heated reactions, but below is Dev George's original complaint, via a screenshot taken by Twitter user Eric Mill. (incomplete mirror here)
Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.
Developers on the Mozilla bug tracker and Reddit didn't respond kindly to Dev George's brash and misinformed complaint; they took the site's "own security system" and broke it down piece by piece.
Developers quickly realized that the site's operator didn't seem to understand the dangers of handling user data via HTTP, a well-known and well-documented attack vector.
They came to this conclusion because, in addition to the login section, the OGI website was also hosting a payment form and submitting payment card data via HTTP, exposing financial information to potential man-in-the-middle attacks.
Besides the problems with HTTP usage for sensitive user data, developers also discovered that the website was exploitable via an SQL injection flaw.
Furthermore, the website, coded in ASP.NET, appeared to have been left in debug mode on the production server, with its error pages spewing out information about the site's database and internal structure.
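As an added illustration that is not from the article and not OGI's own configuration, the two defects described above (sensitive forms served over plain HTTP and verbose error pages on a production server) are the kind of thing closed in an ASP.NET site's web.config; the Error.aspx and Login.aspx paths, the framework version and the IIS URL Rewrite rule (which needs the URL Rewrite module installed) are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Weak settings of the kind the Reddit users were looking at: a debug
         build and customErrors switched off hand every visitor a stack trace,
         table names and file paths when something fails.
    <compilation debug="true" />
    <customErrors mode="Off" />
    -->

    <!-- Hardened: release build, detailed errors only on the server console,
         a generic page for everyone else -->
    <compilation debug="false" targetFramework="4.7.2" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- Session and auth cookies are never sent over HTTP and are hidden from script -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
  </system.web>

  <system.webServer>
    <!-- Force every request, login and payment forms included, onto HTTPS -->
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    <!-- Browsers that have seen the site over HTTPS once will refuse to go back to HTTP -->
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

With these settings in place the login and payment pages are only ever reachable over HTTPS, which is exactly the condition under which Firefox stops showing the warning the complaint was about.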
"JESUS CHRIST!!! It's outputting table names, source code, directory structure, table structure," said one Reddit user. "I'm not even a hacker, but I was always under the impression that on production systems, you never present such types of errors."
All in all, Dev George's complaint to Mozilla is unfounded. Just like Firefox, Chrome shows a similar warning when users try to log in via HTTP, although Chrome's warning is shown in the address bar rather than next to the login form itself.
To point out how baseless Dev George's complaint really was, a Reddit user accessed the OGI website in the Netscape browser and took a screenshot of Netscape showing the very same warning, albeit in a different form.
"Let this one sink in," a Reddit user noted, "a 20 year old browser is telling users not to input any credentials into this website due to lack of encryption."
The most ironic part is that Mozilla, together with the EFF and the University of Michigan, is a founding member of Let's Encrypt, a service that provides free SSL certificates to help webmasters migrate HTTP websites to HTTPS, a service Dev George might end up using following this incident.