Mozilla Firefox joins Google in continuing to call out unencrypted websites
If you’ve been keeping up with the browser community’s push for universal encryption, then the moves being made by Google and Mozilla lately haven’t surprised you.
A quick refresher: starting at the beginning of 2017 the browsers – Apple Safari, Microsoft Edge, Firefox Mozilla and Google Chrome – have been actively changing their UI to better inform users about connection security. Specifically, the browsers want the entire internet to be encrypted—SSL for everyone.
These changes all started with the release of Chrome version 56 at the end of January. With the release, Chrome became the first browser to switch to a Secure/Not Secure binary by adding the label to the address bar. In the 56 update, sites with SSL implemented properly would be labeled “Secure.”, Sites without HTTPS that contained login forms or other fields that required users to contribute personal information were labeled as “Not Secure.”
Firefox quickly followed suit, changing its security indicators to match what Google had done and beginning to actively mark non-secure login fields as “Not Secure.”
Now, with the release of Chrome 57 and Firefox 52, the warnings are increasing in severity.
Per Mozilla’s Peter Dolanjski:
Firefox will show an in-context message when a user clicks into a username or password field on a page that doesn’t use HTTPS. That message will show the same grey lock icon with red strike-through, accompanied by a similar message, “This connection is not secure. Logins entered here could be compromised.”
The new warning will look like this:
As Dolanjski writes, this is still just the beginning:
To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear that they are not secure. As our plans evolve, we will continue to post updates but our hope is that all developers are encouraged by these changes to take the necessary steps to protect users of the Web through HTTPS.
This is an important early step towards universal encryption. By starting with only the most high-risk pages, the browsers are giving website owners time to become compliant with the new security standards.
And it’s not as if these changes were just sprung on users, either. The browser community has been gearing up to do this for some time. It started in earnest back in 2014 when Google announced that HTTPS would become an SEO ranking signal. Since then, the browsers have added additional incentives and found other ways to subtly push websites towards encryption.
Now, in 2017, the browsers have finished asking politely and are taking more decisive actions that are aimed at forcing sites to encrypt.
So, go ahead and put HTTPS migration on your to-do list. It’s necessary for security and now it’s a requirement to help you avoid browser warnings too. And Firefox 52 is just the beginning. The warnings – and life without SSL – will only get more severe moving forward.
Important Resources to Read