Recently Mozilla developers who are in charge of the Firefox browser project presented a plan for the transition from the Firefox browser to markup all open pages in HTTP with an indicator of insecure connections.
With which in a few words, regardless of which page it is, all those that are not https (do not have an SSL certificate) will be marked as insecure to the browser user.
Firefox applies measures against pages that do not have SSL certificates
So far, the browser has only shown "insecure" all those HTTP pages that contain forms or login fields.
Mozilla believes that since more than 80% of all Internet pages are now on HTTPS, users no longer need a positive indicator for the latter, but a negative indicator for HTTP connections.
Meanwhile in the main competitor of Firefox (Chromium), warning indicator output for the establishment An insecure connection for HTTP-based pages is shown as of the Chrome 68 release.
This move to mark HTTP pages as insecure by Firefox is not new.as this new attempt is a continuation of previous attempts to force the transition to HTTPS in Firefox.
For example, Since the release of Firefox version 51, a security problem indicator has been added to the browser, displayed when non-HTTPS users access pages that contain authentication forms.
Also the people of Firefox chose to start restricting access to the new web APIs, in Firefox 67 for the pages that are open outside the protected context, the output of system notifications through the notifications API is prohibited.
And in Firefox version 68 during unprotected calls, requests to call getUserMedia () are blocked from accessing multimedia data sources (for example, camera and microphone).
The indicator «security.insecure_connection_icon.enabled»Was also added to the about: config settings, which allow you to optionally enable flagging an insecure connection for HTTP.
«For the next desktop version of the browser which is Firefox 70, we intend to display an icon in the 'identity block' (the left side of the URL bar that is used to display security / privacy information) that marks all sites served via HTTP (as well as FTP and certificate errors) as insecure, "said Firefox developer Johann Hofmann.
This new change is planned to be applied in the next release of the Firefox 70 version., which is scheduled to be released to the general public on October 22 of this year.
Other changes for Firefox 70
In addition to what was said, developers also plan for Firefox 70 to remove the button «(i)» from the address bar, limiting itself to the permanent location of the connection security level indicator, which also allows you to assess the status of the code lock modes for movement tracking.
For HTTP, the security issues icon will be shown explicitly, which will also be displayed for FTP and in case of certificate problems:
- The display of the insecure connection indicator is supposed to encourage site owners to switch to HTTPS by default.
- According to statistics from the Firefox telemetry service, the global percentage of page requests over HTTPS is 78.6% (70.3% a year ago, 59.7% two years ago) and 87.6% in the US.
- The community-controlled, non-profit certification center Let Encrypt provided free to all interested parties 106 million certificates covering around 174 million domains (80 million domains were covered a year ago).
This time will the movement of the people of Firefox against HTTP pages be definitive or will they desist and continue applying other preventive measures?
Finally, also nowadays it is not difficult or expensive to implement an SSL certificate on a web page since Let's Encrypt offers free certificates.