Firefox Insecure Password Warning


(Thomas R. Comerci) #1

Hello,

I today started an instance of OpenEMR Cloud Express Plus. I chose this for my small private practice as it is - reportedly - HIPAA compliant.

What concerns me is that when I am prompted form my log-in credentials, Firefox displays the following:

# Insecure password warning in Firefox

Firefox will display a lock icon with a red strike-through in the address bar when a login page you’re viewing does not have a secure connection. This is to inform you that if you enter your password, it could be stolen by eavesdroppers and attackers.

Starting in Firefox version 52, you will also see a warning message when you click inside the login box to enter a username or password.

Is this normal? I do not get a similar message when using Internet Explorer. Obviously I don’t want my credentials hacked. How do I rectify this . . . assuming it is something that needs to be fixed?

Thanks.

Tom


(Dan Ehrlich) #2

Thomas:

We were just discussing this today.

That message is usually posted for self-signed SSL certs. How did you acquire your SSL cert? Do you remember buying one from a company like Digicert?

Have you gotten this message in Firefox before?

Lmk and I will answer right away.

  • Dan Ehrlich

(Dan Ehrlich) #3

Also please make sure you are entering https://.com in the browser.

Example: https://open-emr.org

Let us know what you see then.


(Thomas R. Comerci) #4

Dan,

Thanks so much for your prompt reply.

I am accessing my instance from my work employer’s (large hospital system) account, so I don’t know how the SSL certificate was acquired. I did not have a similar message on IE here at work (they only offer two browsers) nor on Chrome at home. I will try Firefox on my home computer in the AM. I do know I have never purchased an SSL certificate, assuming I have one! I am not very tech savvy:-).

At work - where I am now - I tried entering ‘https://ec2-18-232-145-102.compute-1.amazonaws.com’ (vs ‘ec2-18-232-145-102.compute-1.amazonaws.com’ alone) into the Firefox browser and the message I get is:

Your connection is not secure

The owner of ec2-18-232-145-102.compute-1.amazonaws.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

ec2-18-232-145-102.compute-1.amazonaws.com uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for . Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT


(Thomas R. Comerci) #5

I just want to make sure that I do not compromise the security of my account by accessing it from my current place of work (where I am employed as a hospitalist).


(Dan Ehrlich) #6

It’s a self-signed cert error Thomas.

This means your connection is encrypted, but it is open to somewhat less dangerous attacks (still serious though). It’s put on the OpenEMR application to give you some protection out of the box.

You get it when you don’t purchase an SSL Cert from one of the recognized SSL Cert generators.

How to fix:

  1. Buy the domain name you want, ideally from Amazon via Route53. Can be anything you want.

  2. If you bought it through Amazon, the next part is easy. Go to “Certificate Manager” in AWS and get a free SSL cert for your site.

  3. That should be it. If you bought the domain name from somewhere else, you’ll want to transfer it to AWS most likely. Transferring your domain is free btw but does take a few days.

  4. See this guide: openemr-devops/03-Secure-Domain-Setup.md at master · openemr/openemr-devops · GitHub
     • Stop reading when you get to the part about “Simple Email Service”

  5. Make sure your password is 20+ characters for the main portal page. You can just use 3 or 4 random words to make it easy to remember.

  6. We are going to publish a more in-depth guide on AWS Security later. It will increase AWS costs by about $25/month, but that shouldn’t be a concern for most of our US users.

  7. Enable 2FA on your AWS account. You can just Google “2FA AWS account” or something and you’ll find help.

NOTE: Would also recommend you enable 2FA for whatever your personal email account is. Also you should look into a password manager like 1Password, it should only cost a few dollars a month (actually I think it is free). This will make your life easier too. Make sure to protect it with 2FA too.

For background my day job is as an AWS Architect / Security Engineer at Accenture so I like to think I know what I’m talking about. Let us know if you have any other issues.
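The self-signed error quoted earlier in the thread can be reasoned about outside the browser. The script below is an added example, not code from this thread, from OpenEMR or from its devops repository. It applies the same three checks Firefox applies to a server certificate (issuer identical to subject, no name in the certificate covering the host that was typed, and the validity window) to the dictionary shape Python's standard `ssl` module returns for a peer certificate. The sample certificate and the EC2 hostname are constructed placeholders; the `probe()` helper is for a live check against your own instance and reports the verification reason the same way a browser would, rather than silently disabling verification.

```python
"""Classify a TLS server certificate the way a browser does.

Findings reported: self-signed (issuer == subject), name mismatch
(Firefox's "The certificate is only valid for ..."), not yet valid, expired.
Standard library only; the sample data at the bottom is constructed.
"""
import socket
import ssl
import time


def _name_to_dict(rdn_sequence):
    """Flatten the nested tuple form that SSLSocket.getpeercert() uses for
    'subject' and 'issuer' into a plain {attribute: value} dict."""
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out[attr] = value
    return out


def _host_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, a wildcard is allowed only
    as the whole leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def analyze_peer_cert(cert, hostname, now=None):
    """Return a list of findings for `cert` (getpeercert() dict shape) as
    presented for `hostname`. An empty list means these fields look fine."""
    now = time.time() if now is None else now
    findings = []
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    if subject == issuer:
        findings.append("self-signed: issuer is identical to subject")
    # Browsers use subjectAltName; fall back to CN only when no SAN is present.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subject:
        names = [subject["commonName"]]
    if not any(_host_matches(n, hostname) for n in names):
        findings.append(f"name mismatch: certificate is only valid for {names}, not {hostname}")
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        findings.append("not yet valid")
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired")
    return findings


def probe(hostname, port=443, timeout=5.0):
    """Live check: connect with full verification on (as Firefox does) and
    return (ok, findings). On failure the OpenSSL verify reason is reported
    instead of disabling verification to peek at the certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, analyze_peer_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as err:
        return False, [f"verification failed: {err.verify_message} (code {err.verify_code})"]


# Constructed sample: what a default self-signed deployment certificate looks
# like once Python has parsed it. Not taken from any real server.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2034 GMT",
    "subjectAltName": (("DNS", "localhost"),),
}
# Placeholder hostname in the EC2 naming style (203.0.113.0/24 is documentation space).
EC2_HOST = "ec2-203-0-113-10.compute-1.amazonaws.com"
# Fixed "current time" so the offline demo gives the same answer every run.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

if __name__ == "__main__":
    for finding in analyze_peer_cert(SAMPLE_SELF_SIGNED, EC2_HOST, now=SAMPLE_NOW):
        print(finding)
```

Run as-is it reports both problems the browser complained about: the certificate is self-signed and it names `localhost` rather than the EC2 hostname. Once a certificate from a public CA for a domain you own is installed (steps 1-3 above), `probe("your.domain")` should return `(True, [])`; `probe()` on the bare EC2 hostname will keep failing, because no public CA issues certificates for names you do not control.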


(Dan Ehrlich) #7

SECOND NOTE: If you bought the domain name you want to use from somewhere else and REALLY want to / need to use that domain, also let us know but that’s a bit more work. Would really recommend just going through Amazon.


(Thomas R. Comerci) #8

Dan,

Thanks so much for the advice/recommendations. I will look into the Route 53 solution you describe in the next several days. I am very new to all of ‘this’. I thought I was pretty computer savvy w/r to basic Windows OS issues, but the whole Amazon AWS ‘thing’ (EC2, Route 53, etc) will take some effort. If you have any insights as to what areas I should focus on with AWS (other than the two mentioned above) - and/or if you can suggest any tutorials/documents/videos that would assist in my knowledge acquisition - please feel free to forward.

I purposely chose the cloud version of OpenEMR so I could access from anywhere, but also because I have no experience programming Linux . . . and I am under the impression that there will be little need for such with a cloud based application for basic OpenEMR use. While one of my goals is to learn more about Linux programming specifically - and programming in general - my time constraints with respect to getting my office up and running really limit my ability to do so right now.

Thanks again for all of your help, and Happy New Year.

Tom