How do I get to the settings?
Select "Add-Ons" from the menu. PassSec+ is listed as an extension. An "Options" button is available.
How does PassSec+ check whether HTTPS is available?
PassSec+ sends a request to the website using https instead of http. Based on the status codes we see whether https is available, or not.
Why am I not redirected to the safe mode immediately, if available?
By not redirecting we ensure that you know which websites are insecure by default. If you use another computer without PassSec+, for example on holiday, you will know which sites to be careful about using. Knowing this will help you avoid entering sensitive data such as passwords and payment data, or only doing so after manually changing to https.
Why are some fields sometimes marked in red on a HTTPS Web page, but without showing a warning?
This happens due to the search for phishing websites which is conducted by StartPage in the background. If StartPage is temporary overload it's possible that the search can not be carried out successfully. In this case you should choose the "Google" seach engine in the settings or disable the function temporarily.
How do I manually switch to https?
To do this, click in the address bar of the browser and add "https: //" at the beginning of the line (after the globe icon). Then press the Return / Enter key. If http: // is already there merely add an "s" and press the Return / Enter key.
How does PassSec+ decide what kind of input field is present?
The type of field is determined by mining HTML attributes. The content of other HTML attributes is also checked for known patterns. For example, a field with the title "full name" is identified as a field where personal data should be entered.
What does mixed content (also called Broken HTTPS) mean and is this content 'active' and 'passive'?
Mixed content means that there are elements which are loaded with HTTP, even though the website is encrypted with https (often advertisements). A distinction is made between active and passive mixed content. Active content includes scripts, links, queries and iFrames. Passive content includes audio clips, videos and images. By default, PassSec+ classifies both cases as unsafe, because active content is blocked by default in Firefox. If you want PassSec+ to classify this as critical (e.g. red background), you can change it in the advanced options.
Why is the icon selected randomly?
To prevent untrustworthy website operators from displaying lock icons in their password fields to deceive you into thinking you are safe, a random icon is chosen for you. A scammer would be unlikely to display the correct icon.
Why can’t I click on some elements (e.g. news) on a couple of websites (e.g. GMX or WEB) in secure mode?
The website does not offer https for news and therefore cannot be loaded. In future releases, this problem should be addressed.
Why the does the color of the frame change in some fields (e.g. Lufthansa)?
Some websites override the color of the frame while focusing and the field therefore changes color as soon as you click in the box.
Why is no warning displayed on some pages when I have saved my password (e.g. WEB.DE)?
On websites where the password field is not immediately visible, it is not always possible to detect these fields. In these cases, the warning does not appear automatically, but only after focusing. In this case, the password field is indeed shown with red background and warning triangle but the warning dialog will not appear automatically. However, if you click in the password field, the warning dialog appears and you can see if you can switch to safe mode.
What distinguishes a certificate with Extended Validation (EV) from one without?
A so-called Extended Validation certificate is checked more accurately and therefore more reliable than other certificates. This provides evidence of the trustworthiness of the website operator’s credentials. In your browser you can recognize the presence of this certificate type with the help of the green marker on the address bar. For more information, see Wikipedia for example.
Why is Startpage offered as a search engine, in addition to Google?
Startpage is a privacy-friendly search engine. It does not store IP addresses and does not preserve your search behavior.
You have probably been notified by many websites that they will store cookies. What does that mean for the settings which PassSec+ implements?
What is the matter with unmarked fields?
Either you do not have specified that all fields are to be checked, or PassSec did not recognize the field.
I use a master password in Firefox. Why does the query appear several times?
Due to the programming of PassSec+ the query of the master password appears more often than necessary. At the moment, there is unfortunately no way to prevent this behavior. In future versions we want to improve it and solve the problem.
Why are local input fields marked as unsafe?
Local sites such as router logins are incorrectly marked as unsafe. If you are sure that it really is the address of the router, you can ignore the warning. Since a router is logically not a server, is does not have a https certificate and therefore can only communicate via http. We will resolve this issue in a future version.
How does the phishing detection work?
The phishing detection uses the service from Web Of Trust (WOT) and the correction mechanism of Google or Startpage. Both services provide an assessment of whether the current website is a phishing site.
Are there any sites/combinations with other add-ons that do not work smoothly?
On some websites the secure mode does not work correctly even though it is offered or the website is incorrectly detected as a phishing site. There are also add-ons that interfere with PassSec and may prevent it from working correctly. If you find such a website, we would appreciate your feedback. You can reset the list of websites any time in the settings.
Here is a list of known sites which cause problems:
- http://www.kuechengoetter.de (Secure mode does not work correctly)
If you notice any other websites feel free to contact Kristoffer Braun.
Which of the two search engines (Startpage / Google) should I choose in the settings?
For privacy reasons, we recommend to use Startpage.
I want to always be automatically redirected to https (secure mode), does it work?
To be always automatically redirected to https and therefore in secure mode, we recommend the add-on HTTPS Everywhere. The add-on was developed exactly for this purpose from a civil rights organization in the United States.
Unlike PassSec+ it is available for different browsers.
Is it possible to synchronize the settings with multiple device settings?
The settings of PassSec+ themselves are already synchronized, if you use Firefox on multiple devices with Firefox Sync. Unfortunately, it is currently not possible to synchronize the lists (databases) of the websites where you are using the secure mode.