Two years after promising to report all HTTP-based web pages as insecure, Mozilla is about to deliver. Soon, whenever you visit one of the shrinking number of sites that doesn’t use a security certificate, the Firefox browser will warn you.
Firefox developer Johann Hofmann announced the news this week:
In desktop Firefox 70, we intend to show an icon in the “identity block” (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure.
Firefox 70 will ship in October. The change is an attempt to crack down on browsers that don’t secure their communications.
Insecure browsers use the hypertext transfer protocol (HTTP), which sends data in clear text. HTTPS sites are more secure because they use Transport Layer Security (TLS), which establishes an encrypted link between the browser and the Web server before any HTTP requests are sent.
Hofmann explained that this was part of a broader initiative to simplify the security user-interface in Firefox 70.
Firefox began showing the ‘insecure’ icon in January 2017 but limited it to HTTP pages that collected passwords with login forms. It said at the time that it would expand the initiative to cover all HTTP pages.
Deciding to pull the trigger now is a clear statement that Mozilla believes HTTPS has become the norm. Hofmann cited Firefox’s own telemetry data, which shows that almost 80% of pages loaded in Firefox are HTTPs-based.
Other companies have been more aggressive in their attempt to stamp out HTTP. Google has gradually cracked down on sites not using TLS. In 2015, it began rewarding HTTPS websites with better search rankings. Then, in 2017, it began labelling transactional non-HTTPS sites as ‘Not Secure’, expanding this scheme last year to label any non-HTTPS site the same way. Then, when it released Chrome 69 in September 2018, it removed the ‘secure’ label from HTTPS sites, signalling that they were now mainstream as far as Google was concerned.
Our tests showed that as of this week, Safari marks non-HTTPS pages as insecure, but the Edge browser doesn’t, instead opting only to show HTTPS sites as secure.
TLS protects your HTTP traffic from eavesdropping and manipulation as it moves over a network, between you and the site you’re using. It doesn’t say anything about the security or legitimacy of the site itself though.
Unfortunately, the padlock symbol that your browser displays when you’re using HTTPS can fool users into thinking it does. Many assume (not least because security professionals spent years telling them to) that the padlock means the website they’re looking at must be the real thing, rather than a fake.
the FBI recently warned that phishing sites are preying on this misunderstanding and using TLS to appear more legitimate to victims.