The war on insecure webpages has begun, and Mozilla fired the first shot.
Recently, Mozilla rolled out Firefox 51 to its mainstream user base. With the new release comes an insecure warning on any page that offers a login form over an HTTP connection instead of HTTPS. Chrome plans to follow suit with version 56, expected to be released to mainstream users on Tuesday, January 31, as Ars Technica first pointed out.
HTTP uses an open, unencrypted connection between you and the website you’re visiting that could be intercepted by anyone monitoring traffic between you and the site. For that reason, it’s never a good idea to share login or credit card information over an HTTP connection. Most major sites offer the encrypted version—HTTPS—but every now and then you’ll come across a site that doesn’t.
In Firefox, users who’ve recently updated their browser will see a lock icon with a red strike through it next to an information icon in their URL address bar. These icons appear together when a user lands on a login page with an insecure HTTP connection. If you click on the icons you’ll see a plain-language explanation that the site is not secure, and a warning that any logins on the page could be compromised.
Chrome, meanwhile, will take a slightly different approach. Instead of a red strike through, Google’s browser will display an information icon along with the message “Not secure.”
Chrome will only display the warning while the login fields are visible. If you land on a site that requires you to click on a drop-down menu to show the login fields, for example, the “Not secure” message won’t show up until you reveal the login text entry boxes.
Mozilla announced in January 2016 it was working on an HTTP security warning, which first appeared in the developer edition of Firefox 46.
Google announced its plans to display a warning for insecure logins and credit card fields last September. The company also said this would only be the first step in a “long-term plan to mark all HTTP sites as non-secure.”
The impact on you at home: Most major sites and services already use HTTPS for login connections, but every now and then you’ll come across a site that uses the insecure HTTP. When you do see an insecure login site, try typing
https:// before the website name and hit Enter to see if that changes anything. Some sites do offer HTTPS connections but not by default—using the HTTPS Everywhere browser extension would automatically check this for you. If there isn’t an HTTP option on the site you’re visiting, you’ll have to weigh the risks of logging in over an insecure connection versus not using the site at all.