Still not using HTTPS? Firefox is about to shame you
Two years after promising to report all HTTP-based web pages as insecure, Mozilla is about to deliver. Soon, whenever you visit one of the shrinking number of sites that doesn’t use a security certificate, the Firefox browser will warn you.
Firefox developer Johann Hofmann announced the news this week:
In desktop Firefox 70, we intend to show an icon in the “identity block” (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure.
Firefox 70 will ship in October. The change is an attempt to crack down on sites that don’t secure their communications.
Insecure browsers use the hypertext transfer protocol (HTTP), which sends data in clear text. HTTPS sites are more secure because they use Transport Layer Security (TLS), which establishes an encrypted link between the browser and the Web server before any HTTP requests are sent.
Hofmann explained that this was part of a broader initiative to simplify the security user-interface in Firefox 70.
Firefox began showing the ‘insecure’ icon in January 2017 but limited it to HTTP pages that collected passwords with login forms. It said at the time that it would expand the initiative to cover all HTTP pages.
Deciding to pull the trigger now is a clear statement that Mozilla believes HTTPS has become the norm. Hofmann cited Firefox’s own telemetry data, which shows that almost 80% of pages loaded in Firefox are HTTPs-based.