8 Replies Latest reply: Jul 21, 2013 7:32 AM by gwgoldb
gwgoldb Level 1 Level 1 (10 points)

Ever since approximately the mid-June Apple Java update the Verizon Webmail website will not make a secure connection unless I agree to send my password unencrypted. I can get it to work only if I delete the verizon.net cookies. This is true under Safari 5.1.9 and Firefox 21.

 

Does anyone have any idea how to fix this? A week ago Verizon tech support said there's nothing wrong on their end.


MacBook Pro, Mac OS X (10.6.8)
  • WZZZ Level 6 Level 6 (12,775 points)

    I'm still seeing the Verizon web mail login page as https.

     

    https://www.verizon.net/ssowebapp/VOLPortalLogin?TARGET=https://www.verizon.net/ ssowebapp/protected/EmailLoginHelper

     

    What about HTTPS Everywhere?

     

    https://www.eff.org/https-everywhere

     

    You should update to Firefox 22, the 21 is now not secure.

  • gwgoldb Level 1 Level 1 (10 points)

    But when I want to log in it wants to send my password non-securely.

     

    I mentioned FF 21 because that's what I tested it on. I automatically update to

    the newest FF versions and now have FF 22 installed.

  • WZZZ Level 6 Level 6 (12,775 points)

    It's staying https all the way through login for me. Are you allowing all Verizon cookies? And how are you seeing that it's not sending your pword encrypted?

  • gwgoldb Level 1 Level 1 (10 points)

    Yes, I allow all cookies.

     

    I tried it with FF 22. As before it works the first time perhaps because there is no verizon.net cookie.

    When I navigated away from the page and then back I got the usual pop-up with a big question mark to the left:

     

    Security Warning

    Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

     

     

    Are you sure you want to continue sending this information?

  • WZZZ Level 6 Level 6 (12,775 points)

    I may be going a bit off topic with this, but I don't get those warnings any longer and I'm seeing they've been disabled relatively recently in Firefox. So don't know why you're seeing that one. Even though all my settings in about:config for security.warn are at True, I'm apparently not getting any of those. I may have to check further about that, though.

     

    https://bugzilla.mozilla.org/show_bug.cgi?id=799009

     

    This patch removes the following prompts:

     

    1. Warning, you are about to enter a secure site

    2. Warning, you are about to leave a secure site

    3. Warning, you are about to submit a form to an insecure site, when you are already on an insecure site.

    4. Warning, you are viewing a site with mixed content.

    And further on

     

    We already show the mixed content indicator in the address bar: globe vs. lock icon.

    Also,

    Support for those warning prefs has been removed.

     

        bug 799009 - Remove support for obsolete SSL-related warning prompts

     

    (please do not comment in bug reports: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)

     

    Warning, you are about to enter a secure site

    Warning, you are about to leave a secure site

    Warning, you are about to submit a form to an insecure site, when you are already on an insecure site.

    Warning, you are viewing a site with mixed content.

    http://support.mozilla.org/en-US/questions/953321

     

    So unless I'm reading the Buzilla Bug report wrong, I don't understand why you're getting that warning. It seems they are suggesting relying on the lock icon, not the popup, to be certain you're on a fully encyrpted connection.

     

    The Verizon webmail link I gave above is https, but comes with this message.

     

    Screen shot 2013-07-10 at 12.21.43 PM.png

     

    Then, upon submitting the user and password, it switches to this. So I'm assuming that data is fully encrypted, not sent in the clear.

     

    Screen shot 2013-07-10 at 12.22.41 PM.png

     

    That only lasts a second or two, and when login is complete it immediately switches back to the first partially encrypted globe icon.

     

    I think you should look for the actual globe vs. lock icons at the different stages of logging in, as I have. It may be the popup you're getting for mixed security content refers to the post login session, not the actually transmission of the password.

     

    In any case, I'm not getting that popup.

  • WZZZ Level 6 Level 6 (12,775 points)

    OK just found this

     

    Firefox 19 seems to have dropped the warnings about insecure HTTP(S) contents, i.e. warn about submitting form data over HTTP (no S!), mixed secure and insecure contents, leaving a HTTPS page and so on. How can I get these warnings back? Or are there now different warning mechanisms (e.g. showing an insecure form submission in adance, that means at the time of filling it in)?

     

    Further down that page:

    firefox will now allow you to block active mixed content though - enter about:config into the firefox location bar (confirm the info message in case it shows up) & search for the preference named security.mixed_content.block_active_content. double-click it and change its value to true.

    http://support.mozilla.org/en-US/questions/954070

     

    I just changed that value to true, and I'm still not getting the mixed security popup at any point in the sequence of logging in to Verizon web mail. In about:config

     

    Perhaps you want to check how you have that set in about:config. This is mine, now changed from false to true.

     

    Screen shot 2013-07-10 at 12.41.21 PM.png

  • gwgoldb Level 1 Level 1 (10 points)

    I almost always used Safari to access Verizon Webmail. I get a slightly different message from Safari:

     

    This is a non-secure form.

    This form will be sent in a way that is not secure. Are you sure you want to send it?

     

    What Firefox does is of no interest to me unless it works there and not in Safari, thus indicating a browser-specific problem.

  • gwgoldb Level 1 Level 1 (10 points)

    I finally took it to an Apple Store last night. I couldn't replicate the problem in the Store's wi-fi network, leading my Genius to suggest it was a wi-fi issue after determining that I'd not made any hardware changes recently.

     

    Indeed, turning my router off and back on again solved the problem!