Firefox users here? SSL warning on many Microsoft websites

    Question

  • There is one annoying issue with all Microsoft websites that is bugging me for years already. Every once in a while (it seems to be after not visiting *.microsoft.com for a few hours) I regularly get an SSL warning message in Firefox. It says that the website is posting data from a secure page to an unencrypted page. I can understand that this is worth a warning message. But how can Microsoft be so stupid to do that during their login process? Or is there a bug somewhere that hasn't been fixed? This warning doesn't show up in Internet Explorer, but I assume that it's safe enough to give me a similar warning in general.

    I don't know where to turn to with this bug. Nobody seems to be able to reproduce it or nobody even answers. New Firefox profiles (the usual recommendation) don't help. I see this issue on every computer I use, no exceptions. But it's not reproducible at all. I believe you always need to be logged in to Microsoft to see it, at least I am.

    Are there any Firefox users around on the forums? Is anybody else experiencing this issue?

    Here's a bug report for Mozilla that hasn't gained attention yet: https://bugzilla.mozilla.org/show_bug.cgi?id=893344

    All in all, this sad story pretty much adds to my impression that Microsoft and the web won't match. It all feels a lot like eBay: While almost everything works most of the time, it's ugly, slow and just doesn't feel good. The developer recommendations for the new Windows 8 universe are the exact opposite of what I see here.

    Friday, January 17, 2014 7:40 PM

All replies

  • Hi,

    Are there any Firefox users around on the forums? Is anybody else experiencing this issue?

    I use Firefox almost exclusively and I've never run into anything like this on any Microsoft site.

    EDIT: See below - this statement has turned out to be incorrect.


    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)



    Friday, January 17, 2014 7:43 PM
    Moderator
  • There it was again. I was searching for TechNet (your signature made me curious), clicked the first Google result, and right on login.live.com this warning popped up again. Even though I had just posted here. Is the NSA interrupting Microsoft SSL connections in Germany, maybe?

    Update: Wow, it's even reproducible by going back in the browser. This time I declined the message and read the current page source. Here it is:

    <html><head><noscript>JavaScript required to sign in<meta http-equiv="Refresh" content="0; URL=https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033"/></noscript><title>Continue</title><script type="text/javascript">function OnBack(){}function OnNext(){}function DoSubmit(){var subt=false;if(!subt){subt=true;document.fmHF.submit();}}</script></head><body onload="javascript:DoSubmit();"><form name="fmHF" id="fmHF" action="http://technet.microsoft.com/de-de/?wa=wsignin1.0" method="post" target="_self"><input type="hidden" name="NAPExp" id="NAPExp" value="Mon, 28-Apr-2014 02:49:52 GMT"><input type="hidden" name="lp" id="lp" value="1Jy1iks6IM2a3o6eegDKAa8Y1K3ctf10zih0e8FOE*4iixOy892XdHKe7wJh!kcLZj7yrg3ERFo5Vfv8N7g*mzxSXjV9UF734Ves*n0sg*p4uCa1rnf641Cmg$$"><input type="hidden" name="lt" id="lt" value="1aUYmC2CMLr!IM7agWk6K3XYmJS0FXwV8pr*bgrNvLBEq0*Ag!Iqf*5lxPXQiN0Q6d*cZpgkfI2WS2x"><input type="hidden" name="NAP" id="NAP" value="%3D2.1%26E%3Deaf%26C%3Dy1CeHhD_U3f_qtt2V0J6o_Xv5897UwLAteo%26W%3D1"><input type="hidden" name="ANON" id="ANON" value="A%3D2B27D34947C7E22FFFF%26E%3Ded7%26W%3D1"><input type="hidden" name="ANONExp" id="ANONExp" value="Wed, 06-Aug-2014 02:49:52 GMT"><input type="hidden" name="t" id="t" value="DAZhAAd9aOyDTkbTlQN7GAlAVr+RLX0sXj2M2JF0v7965pEHA+kMPd/yak3QWAgEb8ZyWHKkG+TRv+wyPZospw5Eecr+w8u8illnPEFbBqWmpK9fmHzh6TEdA2YAAZfkLu3ABWvdM0O4/TR3+zz9GD+OdNxWIvrpxd+TUeHiUefdXeoMGY64PP0cazviB1yF+xP79dozjIgZrIIMbVfTxUkSkzmSPv/NGG9PlYZpN8IPm8oufIsWv6ooafn+zlVRayYd6X8ssEWGQokE3GHoCOZkxV2RrTh/kesZsAv4Xc56gKNqVm1usBvS5gQO1cLmqZk637zXWOC9dsmJQrmBvQ40GIdQCP6qpcGvH+i32lGpOe7SiWRP1whArSC/hsQ="></form></body></html>

    (Any random strings massively shortened for security reasons)

    The current page URL is:

    https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=12&checkda=1&ct=0000000000&rver=6.0.5276.0&wp=MCLBI&wlcxt=technet%24technet%24technet&wreply=http%3a%2f%2ftechnet.microsoft.com%2fde-de%2f&lc=1033&id=000000&mkt=en-US

    (Again obfuscated slightly)

    The page source is clearly submitting from https to http. Any ideas?

    • Edited by LonelyPixel Friday, January 17, 2014 7:56 PM
    Friday, January 17, 2014 7:49 PM
  • Friday, January 17, 2014 8:52 PM
    Moderator
  • It is on. In case you didn't read my previous post carefully, I declined the security warning. After that, the browser didn't complete the submit of the form (which was already initiated by JavaScript) so I could analyse the page.

    Any more ideas?

    Friday, January 17, 2014 8:54 PM
  • Are you able to reproduce this with other browsers? If not, your issue is simply with your Firefox installation.

    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)

    Friday, January 17, 2014 8:56 PM
    Moderator
  • No, I have never seen this in Internet Explorer (various versions through the years). I haven't been using Google Chrome often enough to know about that.

    It must be an issue with all of my Firefox installations. I've created a new profile a few times through the years, and installed it freshly on 1 or 2 other computers. Same issue everywhere. So I'm having a hard time believing it's only all of my computers and nobody else's.

    Friday, January 17, 2014 8:59 PM
  • Well, we'll see if anyone else drops in to confirm the issue.

    The only other thing I would try is running with addons disabled, but I'd guess you've tried that already.


    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)

    Friday, January 17, 2014 9:09 PM
    Moderator
  • Wait a minute.....

    I'm completely wrong.

    I do see this from time to time, but I've gotten so accustomed to clicking Continue I don't even notice it any longer.


    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)

    Friday, January 17, 2014 9:32 PM
    Moderator
  • It dawned on me when I launched into the Gallery and just clicked by reflex. Now I can't get it to appear again, it looks like I'll have to wait a bit.

    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)

    Friday, January 17, 2014 9:39 PM
    Moderator
  • Hmm. I'll post a screenshot the next time I see it. Mine's basically a 'some of this content isn't secure' message (if I remember correctly) with a Continue and Cancel button.

    EDIT: As for flat vs threaded, I only hit the forums while I'm logged in, so I haven't noticed this. They did fix my weird 'I can't unpropose any answer that I've previously proposed' issue after the last update though.


    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)


    Friday, January 17, 2014 9:57 PM
    Moderator
  • For me, it's a regular popup window. The page behind it remains normally visible, but the entire browser window is blocked by the modal dialog window.

    From my tests today, I found that once I see this dialog, I can decline it and then I stay in the middle of the login process. I can bookmark this URL and retry with that URL later. When opening it again, the dialog appears two times, supposedly because some of the parameters are outdated and another redirection round-trip is initiated by the server. But that is as broken and I get another warning dialog.

    This is what I did with IE10 and Chrome just now, but no messages appear there. In Firefox, they appear every time using the bookmark. Retried with all add-ons disabled, but it was still there.

    Friday, January 17, 2014 10:00 PM
  • Well, not the bookmarks you normally use. I stopped the login process by declining the security warning, so I could see that intermediate URL. I bookmarked that URL and could use it to repro the dialog. If then I accept all warnings, it brings me to where it brought me when I captured the URL.
    Friday, January 17, 2014 10:09 PM
  • While I restarted Firefox when testing with disabled add-ons, I usually never close Firefox. So it always runs in the same session.

    Friday, January 17, 2014 10:54 PM
  • There is one annoying issue with all Microsoft websites that is bugging me for years already. Every once in a while (it seems to be after not visiting *.microsoft.com for a few hours) I regularly get an SSL warning message in Firefox. It says that the website is posting data from a secure page to an unencrypted page. I can understand that this is worth a warning message. But how can Microsoft be so stupid to do that during their login process? Or is there a bug somewhere that hasn't been fixed? This warning doesn't show up in Internet Explorer, but I assume that it's safe enough to give me a similar warning in general.

    I don't know where to turn to with this bug. Nobody seems to be able to reproduce it or nobody even answers. New Firefox profiles (the usual recommendation) don't help. I see this issue on every computer I use, no exceptions. But it's not reproducible at all. I believe you always need to be logged in to Microsoft to see it, at least I am.

    Are there any Firefox users around on the forums? Is anybody else experiencing this issue?

    Here's a bug report for Mozilla that hasn't gained attention yet: https://bugzilla.mozilla.org/show_bug.cgi?id=893344

    All in all, this sad story pretty much adds to my impression that Microsoft and the web won't match. It all feels a lot like eBay: While almost everything works most of the time, it's ugly, slow and just doesn't feel good. The developer recommendations for the new Windows 8 universe are the exact opposite of what I see here.


    Yes, Firefox does this on other Google or Chrome groups too.
    But we all know Firefox...

    Sunday, January 19, 2014 2:28 PM
  • Hi Lonely,

    I am getting the same problem. I am unable to unpropose / unmark answers in the forums I moderate.

    That makes me feel 'less powerful' :)

    I sent email to fissues and posted in my thread here.


    For every expert, there is an equal and opposite expert. - Becker's Law



    Tuesday, January 21, 2014 6:04 PM
    Moderator
  • Beat me to it.

    I get the same dialog every now and again.


    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)

    Thursday, January 23, 2014 2:52 PM
    Moderator
  • Max, modern federated online login systems, like Live.com should be one, can remember your authentication to them and let you log into other approved apps, like this forum or other Microsoft services, seamlessly. At least that's my experience with Google. Only once in a while the Google authentication page won't just let me pass but instead asks for my password. But most of the time, I don't need to worry about it and can use all apps I'm using it for.

    Well, seamless would be ideal, but this annoying dialog results from a bug in Microsoft's implementation of that authentication service. If I had a choice I would use Google to log into this forum, but Microsoft won't let me do that.

    What is yet unclear is whether this SSL-to-non-SSL forwarding bug is always present and IE and Chrome just don't warn users about this issue like Firefox correctly does, or whether the issue only exists with Firefox clients and the workflow for other browsers is just different in that the critical forwarding situation won't occur. One would need to trace and analyse a client-side communication log in those browsers. I believe Fiddler is supposed to do that, but last time I tried elsewhere it wouldn't do anything.

    Thursday, January 23, 2014 7:09 PM
  • What is yet unclear is whether this SSL-to-non-SSL forwarding bug is always present and IE and Chrome just don't warn users about this issue like Firefox correctly does, or whether the issue only exists with Firefox clients and the workflow for other browsers is just different in that the critical forwarding situation won't occur.

    I had what may be a related symptom trying to use links to KB articles from forum posts after upgrading to W8.1 RTM.  I kept getting into a redirect loop there which eventually asked me to seek help.  Eventually I did but the only suggestion given was to do RIES or Refresh W8.1.  Not helpful.

    Fortunately, this seems to have stopped but I'm not sure if it might be because I interpreted all of the above as a sly way to make me change my password.  (There is even a graphic that was given then which definitely gave me the idea that someone there thought that I was trying to do something wrong.)  Then another approach might be to use Credentials Manager to reset the information that it stores.

    BTW in those cases I wasn't even really interested in using authentication, e.g. just http would have been fine, so I was able to work around them by using File, New Session (or presumably InPrivate Browsing for the same effect).

    One would need to trace and analyse a client-side communication log in those browsers. I believe Fiddler is supposed to do that, but last time I tried elsewhere it wouldn't do anything.

    Not with Fiddler because of its proxy status but you could use a browser trace.  In the case of IE make sure that Clear entries on navigate (an unfortunate default) is not in effect because you want to capture all redirects.  I don't know why I didn't think of trying that myself.  However, the redirect loop was made clear enough by History's View By Order Visited Today.  ; )

     

    FYI



    Robert Aldwinckle
    ---

    Thursday, January 23, 2014 9:38 PM
  • I was just thinking of Fiddler because it can MITM into SSL-encrypted connections, which is required here. But you're right, browser traces are also good. I wasn't aware that IE and Chrome can do that as well by now. So now somebody (incl. me) just needs to invest the time to capture those traces and carefully compare what was served in each browser.
    Thursday, January 23, 2014 9:53 PM
  • What does that mean?
    Friday, January 24, 2014 8:05 AM
  • I don't think this is about cookies. Cookies are always sent to the host that set them, regarding a potential SSL-only flag. There's nothing that could trigger them to become insecure. What does become insecure though is that JavaScript that is submitting a form from https to http. This is also what the Firefox warning is about. In an earlier post, I copied the contents of the HTML page that caused the Firefox popup. It contains the script that triggers that form submit. I'd be interested in what forms are used and automatically submitted along the entire process, and how that compares to other browsers. Does IE get the same forms, with the same scripted submits? If yes, IE would simply be insecure. If no, then what does it get and how does it differ. That would be a bug in Microsoft's login process.
    Friday, January 24, 2014 10:02 PM
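
The comparison proposed in the post above (which forms each browser is served during sign-in, and whether they post from https to http) can be automated over saved page sources. This is an added example, not code from the thread or from Microsoft; `FormAudit`, `insecure_posts` and `reply_scheme` are illustrative names, the auto-submit check is a simple heuristic, and the sample is constructed from the page source quoted earlier with placeholder token values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

class FormAudit(HTMLParser):
    """Collect each <form>'s resolved action, method and hidden field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.autosubmit = page_url, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative, empty and protocol-relative actions against the page URL.
            self.forms.append({"action": urljoin(self.page_url, a.get("action") or ""),
                               "method": (a.get("method") or "get").lower(), "hidden": []})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "hidden":
            self.forms[-1]["hidden"].append(a.get("name"))
        elif tag == "body" and "submit" in (a.get("onload") or "").lower():
            # Heuristic: an onload handler that mentions submit means no user click is needed.
            self.autosubmit = True

def insecure_posts(page_url, html):
    """Return forms on an https page whose action resolves to plain http."""
    if urlsplit(page_url).scheme != "https":
        return []
    p = FormAudit(page_url)
    p.feed(html)
    return [dict(f, autosubmit=p.autosubmit) for f in p.forms
            if urlsplit(f["action"]).scheme == "http"]

def reply_scheme(login_url):
    """Scheme of the wreply return address requested in the sign-in URL."""
    wreply = parse_qs(urlsplit(login_url).query).get("wreply", [""])[0]
    return urlsplit(wreply).scheme

# Constructed sample modelled on the page source quoted in the thread.
SAMPLE_URL = ("https://login.live.com/login.srf?wa=wsignin1.0"
              "&wreply=http%3a%2f%2ftechnet.microsoft.com%2fde-de%2f")
SAMPLE_HTML = """<html><head><title>Continue</title></head>
<body onload="javascript:DoSubmit();">
<form name="fmHF" action="http://technet.microsoft.com/de-de/?wa=wsignin1.0" method="post">
<input type="hidden" name="NAP" value="PLACEHOLDER">
<input type="hidden" name="t" value="PLACEHOLDER">
</form></body></html>"""

if __name__ == "__main__":
    print(reply_scheme(SAMPLE_URL), insecure_posts(SAMPLE_URL, SAMPLE_HTML))
```

Running the same two functions over the page source saved from each browser's trace shows whether the http form action, and the http `wreply` that requests it, are served to all of them or only to Firefox.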
  • This is likely a much bigger issue than just the forums, but I submitted a bug request for this.

    Thanks!


    Ed Price, Power BI & SQL Server Customer Program Manager (Blog, Small Basic, Wiki Ninjas, Wiki)

    Answer an interesting question? Create a wiki article about it!

    Saturday, February 1, 2014 1:01 AM
    Owner
  • This is likely a much bigger issue than just the forums, but I submitted a bug request for this.

    Ed, please keep us informed when you think of it. Although I probably notice it after a few days when it's fixed, I'd like to know.
    Monday, February 24, 2014 9:01 PM
  • Is anybody actually working on this? It's still pretty annoying.

    Microsoft websites are among the slowest of all and this focus-stealing, non-back-navigatable, forced, insecure login mechanism is not a good advertisement for using Microsoft web technologies myself.

    Tuesday, December 16, 2014 9:42 AM
  • I'm still seeing this warning every now and again as well (exact same message as I posted almost a year ago).

    I've ditched Firefox since I last posted (I gave up on them once they decided they wanted to be a Chrome clone), but this happens with Pale Moon as well (fork based on FF 24 ESR).

    Hopefully Ed can give us an update on the status of that bug request.


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    Tuesday, December 16, 2014 2:21 PM
    Moderator