Starting with Firefox 70, set to be released in October this year, Mozilla plans to show a permanent “not secure” indicator for all HTTP websites in Firefox.
The decision was formally announced today by Mozilla engineers.
Mozilla now follows in Google’s steps, who has been showing “not secure” labels on all HTTP websites since Chrome 68, released last year.
Until now, Mozilla was only showing “not secure” indicators on HTTP pages that contained forms or login fields.
80% of all internet pages are served via HTTPS
But today, Mozilla argued that since more than 80% of all internet pages are now served via HTTPS, users don’t need a positive indicator for HTTPS anymore, but a negative one for HTTP connections.
“In desktop Firefox 70, we intend to show an icon in the ‘identity block’ (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure,” said Firefox Developer Johann Hofmann.
This change didn’t come out of the blue, though. Mozilla began working on it since December 2017, when it added flags in the Firefox about:config section.
Those flags are still present in the current stable version of Firefox, and users can enable them right now and preview how these indicators will look starting this fall.
The flags are:
security.insecure_connection_icon.enabled – show a broken lock on HTTP sites
security.insecure_connection_text.enabled – show the “not secure” text on HTTP sites
security.insecure_connection_icon.pbmode.enabled – show a broken lock on HTTP sites in Private Browsing
security.insecure_connection_text.pbmode.enabled – show the “not secure” text on HTTP sites in Private Browsing
The end result is very similar to how Chrome currently marks all HTTP pages (see image below).
More browser coverage: