On my Mac and PC, 'connection is not secure' lock appears intermittently on my own site, refresh the page, it goes away?

On my site, www.raildig.com, the 'connection is not secure' lock appears intermittently. This happens on my Mac and PC, and I'm not running anti-virus software on the Mac (High Sierra). If I refresh the page, the lock sometimes goes away, refresh again, it may come back. Seems very random.

This site has no login section for users. Is there a tool to track down why I'm seeing this 'connection is not secure' lock?

Thanks, John

All Replies (13)

This is likely caused by the presence of mixed content. I see a lot of messages in the Web Console about "Loading mixed (insecure) display content" if I use a HTTPS connection and not an open HTTP connection.

Modified by cor-el

I would understand if this was a secure site, but from the page you linked to:

When an HTTPS page has HTTP content, we call that content mixed

My homepage, my site, is not a secure site, there was never a need to be. Seems FF is applying secure site rules to a non-secure (by design) site.

Also the fact that upon refreshing the homepage, the lock with a red line over it sometimes appears, sometimes doesn't appear is strange too. This really does seem to be an issue with FF.

Modified by JPC60

Well there go a few hours that I won't get back. This 'connection is not secure' lock appearing intermittently has become really irritating with no end in sight.

Now the warning lock reads, 'Logins entered on this page could be compromised', except there are no logins on my pages, any of them.

I've gone through this as much as I'm able to, and though free and a great browser otherwise, this FF behavior is really annoying and a potential problem if users avoid my site as a result.

If FF can detect this phantom problem it sees, might be nice if it spelled out what it thinks the problem is.

You can remove the warning in the location bar by setting this pref to false on the about:config page.

  • security.insecure_password.ui.enabled = false

You can disable the warning that opens when you type in a name/password field by setting this pref to false.

  • security.insecure_field_warning.contextual.enabled = false

You can open the about:config page via the location/address bar. You can accept the warning and click "I accept the risk!" to continue.

Thank you, I know I can do this but I was trying to determine why FF was doing this 'connection is not secure' in the first place. My concern isn't that I see it, as much as visitors to my site seeing it and being put off as a result.

Unless I'm wrong, and that's very possible, this looks like FF is overly aggressive in warning people about a problem that doesn't exist. Again if I'm wrong I'd be more than happy to fix whatever the problem is.

Again here's the site: http://www.raildig.com/ And the warning FF gives: Logins entered on this page could be compromised

Where are the logins? Seems like a mistake from FF, doesn't it?

Modified by JPC60

It's not you, it's Twitter. But it's partly you.

I run the NoScript extension, which blocks scripts from http://twitter.com by default. (Firefox's Tracking Protection feature also blocks it.) If I make an exception and allow the script to load, it triggers the "slashed lock" icon. (See attached screenshot.)

Suggested workaround: change all of your Facebook and Twitter <script src=""> URLs to HTTPS links to bypass this issue. I can't test that on your site, but I think it should work. And it's much better for your users than having Firefox potentially pass their social site credentials and/or cookies over an insecure connection.

Actually, that turns out to be a bit difficult to find. In this script (I have broken the lines to make it post-able):

<script>!function(d,s,id){
  var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';
  if(!d.getElementById(id)){js=d.createElement(s);
    js.id=id;
    js.src=p+"://platform.twitter.com/widgets.js";
    fjs.parentNode.insertBefore(js,fjs);
  }
}(document,"script","twitter-wjs");</script>

Try:

<script>!function(d,s,id){
  var js,fjs=d.getElementsByTagName(s)[0],p='https';
  if(!d.getElementById(id)){js=d.createElement(s);
    js.id=id;
    js.src=p+"://platform.twitter.com/widgets.js";
    fjs.parentNode.insertBefore(js,fjs);
  }
}(document,"script","twitter-wjs");</script>

Holy Moly... this is incredibly nice of you! I will try this tonight when I get in but I just wanted to quickly say thank you!

I did use your correction suggestions with FB and Twitter. It worked with FB, but not Twitter. Just for the heck of it I tried a few Twitter feed plugins, all resulted in the red slash through the lock warning.

I've decided just to pull the Twitter feed from my site and leave a simple Twitter logo link to my Twitter page. Hey, it's a 50% success rate with my social media feeds!

Thanks again very much for the help, and I do wish Twitter would have played nicer, but that warning on my site just isn't worth it for a Twitter feed.

Hi John, if you decide to re-add the Twitter widget, see whether they have an option to force HTTPS instead of using the same protocol as your page. Or paste my code example.

I actually did paste your example code, but got the slashed lock again. Very strange. Poking around online I see this isn't a rare occurrence. You'd think Twitter would have this sort of thing addressed.

Wouldn't it work if you leave out the protocol and only use the "//" ? Normally that would make a browser use the same protocol as the main page or are there browsers that do not support this?

cor-el said

Wouldn't it work if you leave out the protocol and only use the "//" ? Normally that would make a browser use the same protocol as the main page or are there browsers that do not support this?

I think we need to force HTTPS to prevent Firefox displaying the insecure login form warning icon.
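
An added example, not part of the original thread or any poster's code: a small Node.js audit of a page's HTML for the patterns the replies point to (explicit http:// embeds, protocol-relative "//" URLs, a loader that copies the page's own scheme, and a password field on an HTTP page). The function name auditHtml, the example.test URLs and the sample markup are constructed for illustration, and regex scanning stands in for a real HTML parser.

```javascript
// Added example: static audit of page HTML for the patterns raised in this thread.
// Regex scanning is a simplification; a production audit should use an HTML parser.
const SUBRESOURCE = /<(script|iframe|img|link|form)\b[^>]*?\b(src|href|action)\s*=\s*["']([^"']+)["']/gi;
const INLINE_SCRIPT = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
const PASSWORD_FIELD = /<input\b[^>]*\btype\s*=\s*["']?password\b/i;
// Code that reads the page's own scheme, e.g. /^http:/.test(d.location)
const SCHEME_SNIFF = /\^http:\/|location\.protocol/;

// pageScheme is 'http' or 'https': the scheme the audited page is served over.
function auditHtml(html, pageScheme) {
  const findings = [];
  for (const m of html.matchAll(SUBRESOURCE)) {
    const tag = m[1].toLowerCase(), url = m[3];
    if (/^http:\/\//i.test(url)) {
      // Always cleartext; on an HTTPS page this is mixed content.
      findings.push({ kind: 'explicit-http', tag, url });
    } else if (url.startsWith('//') && pageScheme === 'http') {
      // "//" inherits the page's scheme, so it resolves to http here.
      findings.push({ kind: 'protocol-relative', tag, url });
    }
  }
  if (pageScheme === 'http') {
    for (const m of html.matchAll(INLINE_SCRIPT)) {
      if (SCHEME_SNIFF.test(m[1])) findings.push({ kind: 'scheme-sniffing-script' });
    }
    if (PASSWORD_FIELD.test(html)) findings.push({ kind: 'password-field-on-http-page' });
  }
  return findings;
}

// Constructed sample page: the scheme-sniffing loader quoted in the thread,
// plus made-up embeds on the placeholder host example.test.
const SAMPLE = `
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],
p=/^http:/.test(d.location)?'http':'https';js=d.createElement(s);
js.src=p+"://platform.twitter.com/widgets.js";}(document,"script","twitter-wjs");</script>
<script src="http://example.test/like.js"></script>
<script src="//example.test/feed.js"></script>
<script src="https://example.test/ok.js"></script>
<form action="/login"><input type="password" name="pw"></form>`;

console.log(auditHtml(SAMPLE, 'http'));
```

The audit only sees markup present in the HTML it is given; anything a third-party script injects at load time has to be checked in the browser's Web Console, as in the first reply.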