The Site Identity Button for my bank changed from Green Lock to Grey Triangle.
I manage my banking account on a daily basis online. The Site Identity Button for this site, today, was grey triangle. Prior to that the green lock had been in place. Information indicates " CONNECTION PARTIALLY ENCRYPTED: Technical Details: Part of this page. . . were not encrypted or the encryption is not strong enough before being transmitted over the internet.
Information sent over the internet without encryption can be seen by other people while it is in transit."
I called the bank to inquire why this should happen. They indicated it is a browser setting.
Why is this happening all of the sudden. I have made no changes to the protection set-ups etc. I checked and Firefox is up-to-date.
Thank you.
Tutte le risposte (4)
hi Pegyk707, there will be a reason why firefox is showing a warning on a https-site. what's the web address of the page in question?
Hi Pegyk707, Let's see if we can find out some more and see what causes this.
Are any of these warnings seen on parts of the banks website that are public and do not need you to login ? If so please provide links. Such pages may not need high security, but at least we will be able to see the problem.
Do not give personal or confidential information, this is a public forum but what is the name and address of the bank and its website ?
Firefox is increasing security in line with the latest guidelines, and there is a possibility that at least parts your Bank's website is not yet fully updated.
I am aware of your other post https://support.mozilla.org/en-US/forums/contributors/711111?last=64439#post-64439
This may require some coordination between Mozilla & your Bank, so knowing which Bank it is is an essential first step.
Background technical information.
https://developer.mozilla.org/en-US/Firefox/Releases/36/ Site_Compatibility There is a document for site owners, and possibly this is relevant:
- https://developer.mozilla.org/en-US/Firefox/Releases/36/Site_Compatibility#RC4_support_has_been_deprecated
Security
RC4 support has been deprecated
Bug 947149 – Connection information claims RC4 is "high grade"
Bug 999544 – RC4 Considered Harmful: Proposal to disable use of RC4 completely
Bug 1088915 – Stop offering RC4 in the first handshakes
Bug 1093595 – Treat SSL3 and RC4 as broken
The RC4 cipher suites are now considered insecure. RC4 is no longer offered in the first TLS handshakes, and the security UI in Firefox no longer calls it "high-grade encryption" but rather would say "encryption is not strong enough". The RC4 support will completely be removed from Mozilla products in the near future. Webmasters should upgrade their servers as soon as possible to utlize stronger cipher suites.
There was also a security blog, again aimed at site owners, which again could be relevant
- Phase 2: Phasing out Certificates with 1024-bit RSA Keys
https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/ . That concludes withFor your convenience, links to the impacted CAs are provided in the list above.
Please check your SSL certificates and replace any with 1024-bit RSA keys, and contact mozilla.dev.security.policy if you have comments or concerns.
Mozilla Security Engineering Team- mozilla.dev.security.policy
https://www.mozilla.org/en-US/about/forums/#dev-security-policy
- mozilla.dev.security.policy
Pegyk707 said
I manage my banking account on a daily basis online. The Site Identity Button for this site, today, was grey triangle. Prior to that the green lock had been in place. Information indicates " CONNECTION PARTIALLY ENCRYPTED: Technical Details: Part of this page. . . were not encrypted or the encryption is not strong enough before being transmitted over the internet. Information sent over the internet without encryption can be seen by other people while it is in transit." I called the bank to inquire why this should happen. They indicated it is a browser setting. Why is this happening all of the sudden. I have made no changes to the protection set-ups etc. I checked and Firefox is up-to-date. Thank you.
thanks, as john 99 already suspected this is no bug in the browser - your site only offers weak TLS_RSA_WITH_RC4_128_SHA encryption making use of the RC4 cipher suite which is considered broken and no longer trustworthy. according to this recent proposal browsers have to stop supporting RC4: https://tools.ietf.org/html/rfc7465
starting with firefox 38, the browser will show the error message and block access to affected sites, so please contact the webmasters of your banka again and inform them about this issue...