Open Bug 1345629 Opened 8 years ago Updated 2 years ago

No whitelist for Notification "Logins entered here could be compromised"

Categories: Firefox :: Security, enhancement, P5

Version: 52 Branch

Status: UNCONFIRMED

People: Reporter: grokit, Unassigned

References: Blocks 1 open bug

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170303012224

Steps to reproduce:

Opened a website for work and the notification "Logins entered here could be compromised" appears. There is no option in the security settings to add a site to a whitelist.

Actual results:

The "login" message always shows up, breaking my workflow.

Expected results:

There should be an option to add sites to a whitelist so the message doesn't show up all the time. The site is used all day for work and re-logging in happens multiple times per hour.

The site is http and will not be using https anytime soon. Also no sensitive information is being transmitted so the security risk is very low. The inability to whitelist breaks the workflow of multiple employees.
Blocks: 1304224
Severity: normal → enhancement
Component: Untriaged → Security
Hello, I'd like to understand your concerns better.

(In reply to grokit@ajinfosearch.com from comment #0)
> The "login" message always shows up, breaking my workflow

Can your workflow change to skip over the warning? e.g. if you use the down arrows, hit it one extra time? There is a real issue that we're warning about.

> Expected results:
>
> The site is http and will not be using https anytime soon.

Why not? That would be the easiest fix. Supporting HTTPS is not hard and is now free thanks to Let's Encrypt.

> Also no sensitive information is being transmitted so the security risk is very low.

So you're fine with anyone else on the network getting your password?
> Can your workflow change to skip over the warning? e.g. if you use the down arrows, hit it one extra time? There is a real issue that we're warning about.

It is a real issue. It's an extra step that everybody must take. We are not talking about computer literate people here. When something changes, it's the end of the world. I can't tell you how many complaints I've gotten about how this breaks things. I've already noticed productivity decrease.

> Why not? That would be the easiest fix. Supporting HTTPS is not hard and is now free thanks to Let's Encrypt.

I hear you. I agree with you. I think the entire web should communicate securely. Maybe half an hour to install the certs, a minute to change .htaccess, sed everything to https and you're basically done. But the people who run the site we use every day, all day couldn't care less. My response to asking about switching to https was met with apathy and a wall of red tape. It's not a budget item so it will not be done. That's the reality of this situation. Business people with no clue are in charge and it's up to me to work around the issues. Hence this bug report / feature request.

> So you're fine with anyone else on the network getting your password?

What kind of a question is that? Comes off snooty and condescending. Nothing is changing anyway. It's always been open to attack. The site will not be https and it's not my site so there is nothing I can do about it. The information being retrieved is taken from public records so it's not critical to keep secret.

All I'm asking for is a way to whitelist a site so the message doesn't pop up. I understand the security implications.
He is right, you know. Developer here, and I'm turning the notification off because you decided that there won't be any whitelisting. I don't see any developer setting their environment to https for every site that they work on when it's run in a VM. And because you are being stubborn, they might miss the notification where it really matters.

Also, just look at the web for workarounds: any website that has no intention of switching to https has posted a how-to for disabling that annoyance.

IMO this should be dealt with just like the certificates are being dealt with.
Although their UI will be different, the next update to Chrome will also start warning on these sites. Their version puts the text "NOT SECURE" near the URL rather than on the form itself so it might be less disruptive. We're unlikely to put work into implementing this given other priorities and our experience with how few users actually use the various "per site" settings we already have. As noted in comment 3 people who are annoyed and know what they are doing can disable these warnings globally.
Priority: -- → P5
Severity: normal → S3