Firefox And Chrome Will Soon Warn About Login Pages Served Over HTTP

Firefox 51 is being officially released today (the build is already available on Mozilla's FTP servers) and Chrome 56 should debut in the next few days. Once those updates land, both browsers will start marking pages that ask for a password as insecure when they are not served over HTTPS.

Firefox 51

A couple of years ago, both the Chrome and Firefox teams concluded that web developers needed a bigger push to protect users' sensitive information by switching to secure connections. They came up with a gradual plan to mark non-secure pages with increasingly prominent warning signs and symbols, both to convince developers that they need to adopt HTTPS and to tell users that their data in transit is not protected.

Until now, Firefox has used a green lock icon to indicate a site served over HTTPS and shown no icon at all for plain HTTP. To make the risk of an unencrypted connection visible, Firefox 51 displays a grey lock icon with a red strike-through on any page that collects a password but is not served over HTTPS.

When users click the "i" icon (which existed before, too), they also see the text "Connection is Not Secure" and "Logins entered on this page could be compromised."

Mozilla has also promised that, in a future release, Firefox will warn users at the moment they try to type a password into a form served over an HTTP connection, via in-context notifications that say things like "This connection is not secure. Logins entered here could be compromised."

Mozilla said it eventually plans to show such warnings for all HTTP pages, not just ones requesting passwords. Cost is no longer a credible objection: HTTPS certificates can now be obtained for free, largely thanks to Let's Encrypt, a certificate authority backed by Mozilla, the EFF and others that issues domain-validated certificates through an automated process at no charge. At least the annual price of a certificate should therefore no longer be an obstacle to adopting the more secure connection type.

Chrome 56

Chrome 56 beta came out on December 8, so the stable build should be out sometime this week, unless the Chrome team has slipped its six-week release cycle. Chrome 56 brings a similar user experience change: pages that collect passwords or credit card numbers over plain HTTP are labelled as not secure.

Unlike Firefox, Chrome's implementation doesn't use a grey icon with a red strike-through. Instead, it places the words "Not secure" next to the web address when a page served over HTTP collects a password or credit card number.

Chrome's approach may seem even more aggressive than Firefox's because it is more direct: it tells users in plain words not to trust the page rather than merely implying it with a small icon.

Eventually, the Chrome team intends to show this warning on all HTTP pages, and to make it more obvious with red text and a red triangle containing an exclamation mark.
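The rule behind both browsers' warnings is simple enough to state as code. The audit below is an added example written for this page, not Mozilla's or Google's implementation: it flags a page when a password field or a credit card field would be submitted over plain HTTP. The page and form objects, the sample pages and the list of card-related autocomplete tokens are constructed for the example. It also goes one step beyond what the article describes: an HTTPS page whose form posts to an HTTP action is flagged too, because the credentials travel unencrypted either way, and the "Not secure" label on the page alone does not catch that case.

```javascript
// Added example, not browser code. Models the Firefox 51 / Chrome 56 rule:
// a page is "not secure" when a password or card field would be submitted
// over plain HTTP. The page/form structure is a constructed stand-in for
// the DOM, and the form-action check is our own generalization.

// Standard HTML autocomplete tokens that mark a field as carrying card data.
// Using these as the definition of "credit card information" is an
// assumption of this example, not the browsers' exact heuristic.
const CARD_TOKENS = new Set([
  'cc-number', 'cc-csc', 'cc-exp', 'cc-exp-month', 'cc-exp-year', 'cc-name',
]);

// A field is sensitive if it is a password input or is tagged as card data.
function isSensitive(field) {
  if (field.type === 'password') return true;
  const tokens = (field.autocomplete || '').toLowerCase().split(/\s+/);
  return tokens.some((t) => CARD_TOKENS.has(t));
}

// Resolve a form action (absolute, relative, scheme-relative or absent)
// against the page URL, as the browser does on submit, and return the
// scheme the submission would use ('http:' or 'https:').
function submissionScheme(pageUrl, action) {
  return new URL(action || '', pageUrl).protocol;
}

// Returns { notSecure, findings }. Reasons:
//   'insecure-page'   the page itself is served over HTTP
//   'insecure-action' HTTPS page, but the form posts to an HTTP action
function auditPage(page) {
  const findings = [];
  const pageScheme = new URL(page.url).protocol;
  for (const form of page.forms) {
    if (!form.fields.some(isSensitive)) continue;
    if (pageScheme !== 'https:') {
      findings.push({ form: form.id, reason: 'insecure-page' });
    } else if (submissionScheme(page.url, form.action) !== 'https:') {
      findings.push({ form: form.id, reason: 'insecure-action' });
    }
  }
  return { notSecure: findings.length > 0, findings };
}

// Constructed sample pages (not real sites).
const SAMPLE_PAGES = [
  { url: 'http://shop.example/login', forms: [
    { id: 'login', action: '/session',
      fields: [{ type: 'text' }, { type: 'password' }] } ] },
  { url: 'https://shop.example/login', forms: [
    { id: 'login', action: 'http://auth.example/session',
      fields: [{ type: 'password' }] } ] },
  { url: 'https://shop.example/checkout', forms: [
    { id: 'pay', action: '',
      fields: [{ type: 'text', autocomplete: 'cc-number' }] } ] },
  { url: 'http://blog.example/', forms: [
    { id: 'search', action: '/search', fields: [{ type: 'search' }] } ] },
];

for (const page of SAMPLE_PAGES) {
  console.log(page.url, JSON.stringify(auditPage(page)));
}
```

The fourth sample is the case the browsers deliberately leave alone in these releases: an HTTP page with no sensitive field gets no warning yet, which is exactly the gap both vendors say they will close later by labelling every HTTP page.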

For web developers who still haven't taken the push for HTTPS seriously, and who are still serving most of their sites over HTTP, this may be the last call to action that convinces them to make the transition. Large websites can take many months, or more than a year, to complete such a migration.

Those that wait until Google and Mozilla set a firm deadline for marking every HTTP site as not secure may therefore not finish the switch in time, and could lose users' trust once visitors start seeing their sites labelled as not secure.

4 comments
  • WFang
    Anonymous said:
    Firefox 51 and Chrome 56 stable will start warning users when login pages or other web pages that ask for password or credit card information are served over non-secure HTTP connections.

    From the article: "For web developers that still haven’t taken seriously the push for HTTPS, and who are still serving their websites mostly over HTTP, this may be the last call to action that will convince them to make the transition." and "That could cost them lost reputation with users who will start seeing their websites being marked as not secure."

    Yeah, I've sort of pointed this out to Tom's before via their various feedback avenues, but I find it both ironic and somewhat troubling that Tom's still has NOT moved to an HTTPS format themselves.

    So, how about the article author files a similar note or raises this concern via the internal 'support' mechanisms? It is way overdue that you guys get behind your own preaching and practice what you report!
  • problematiq
    Bout, Dang, Time. Working info-sec I see WAY more clear text usernames/passwords than I care to.
  • WFang
    I see this topic continues to get all the attention it deserves. /s