{"id":2948,"date":"2017-03-09T02:14:15","date_gmt":"2017-03-09T10:14:15","guid":{"rendered":"https:\/\/cheapsslsecurity.com\/blog\/?p=2948"},"modified":"2021-01-26T09:13:10","modified_gmt":"2021-01-26T17:13:10","slug":"firefox-52-will-warn-users-for-non-secure-http-login-pages","status":"publish","type":"post","link":"https:\/\/cheapsslsecurity.com\/blog\/firefox-52-will-warn-users-for-non-secure-http-login-pages\/","title":{"rendered":"Firefox 52 will warn users for non-secure HTTP Login Pages"},"content":{"rendered":"

Mozilla Firefox joins Google in continuing to call out unencrypted websites<\/h2>\n

If you\u2019ve been keeping up with the browser community\u2019s push for universal encryption, then the moves being made by Google and Mozilla lately haven\u2019t surprised you.<\/p>\n

A quick refresher: starting at the beginning of 2017 the browsers \u2013 Apple Safari, Microsoft Edge, Firefox Mozilla and Google Chrome \u2013 have been actively changing their UI to better inform users about connection security. Specifically, the browsers want the entire internet to be encrypted\u2014SSL for everyone<\/strong>.<\/p>\n

These changes all started with the release of Chrome version 56<\/a> at the end of January. With the release, Chrome became the first browser to switch to a Secure\/Not Secure binary by adding the label to the address bar. In the 56 update, sites with SSL implemented properly would be labeled \u201cSecure<\/strong>.\u201d, Sites without HTTPS that contained login forms or other fields that required users to contribute personal information were labeled as \u201cNot Secure.\u201d<\/p>\n

\"firefox<\/p>\n

Firefox quickly followed suit, changing its security indicators to match what Google had done and beginning to actively mark non-secure login fields as \u201cNot Secure.\u201d<\/p>\n

Now, with the release of Chrome 57 and Firefox 52, the warnings are increasing in severity.<\/p>\n

Per Mozilla\u2019s Peter Dolanjski:<\/strong><\/p>\n

\n

Firefox will show an in-context message when a user clicks into a username or password field on a page that doesn\u2019t use HTTPS.\u00a0 That message will show the same grey lock icon with red strike-through, accompanied by a similar message, \u201cThis connection is not secure. Logins entered here could be compromised.\u201d<\/p>\n<\/blockquote>\n

The new warning will look like this:<\/p>\n

\"firefox<\/p>\n

As Dolanjski writes, this is still just the beginning:<\/strong><\/p>\n

\n

To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don\u2019t use HTTPS, to make clear that they are not secure. As our plans evolve, we will continue to post updates but our hope is that all developers are encouraged by these changes to take the necessary steps to protect users of the Web through HTTPS.<\/p>\n<\/blockquote>\n

This is an important early step towards universal encryption. By starting with only the most high-risk pages, the browsers are giving website owners time to become compliant with the new security standards.<\/p>\n

And it\u2019s not as if these changes were just sprung on users, either. The browser community has been gearing up to do this for some time. It started in earnest back in 2014 when Google announced that HTTPS would become an SEO ranking signal<\/a>. Since then, the browsers have added additional incentives and found other ways to subtly push websites towards encryption.<\/p>\n

Now, in 2017, the browsers have finished asking politely and are taking more decisive actions that are aimed at forcing sites to encrypt.<\/p>\n

So, go ahead and put HTTPS migration on your to-do list. It\u2019s necessary for security and now it\u2019s a requirement to help you avoid browser warnings too. And Firefox 52 is just the beginning. The warnings \u2013 and life without SSL \u2013 will only get more severe moving forward.<\/p>\n

Important Resources to Read<\/h3>\n