If it wants a password and doesn’t use HTTPS, Mozilla will breathe fire.
Shoddy sites will have fewer places to hide with Firefox joining Chrome in badging cleartext sites that collect personal information as insecure.
Mozilla’s labels won’t be as prominent as Google’s, introduced this year, which puts its red-letter label directly in the address bar. Firefox instead tucks its warning in the same spot, behind a crossed-out lock icon that reads “not secure” when clicked.
Firefox product veep Nick Nguyen says the move follows the company’s many musings on the benefits of HTTPS.
“Starting today in the latest Firefox, web pages that collect passwords, like an email service or bank, but have not been secured with HTTPS will be more clearly highlighted as potential threats,” Nguyen says.
“Up until now, Firefox has used a green lock icon in the URL bar to indicate when a website is secure (using HTTPS) and a neutral indicator (no lock icon), otherwise.
“In order to more clearly highlight possible security risks, these pages will now be denoted by a grey lock icon with a red strike-through in the URL bar.”
The insecurity stickers will expand in future releases: clicking a password entry field on a cleartext site will trigger a floating box that reads “logins entered here could be compromised”.
A further development will expand the struck-out lock icon and slap it on all cleartext sites regardless of whether they collect passwords or credit cards.
“To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear that they are not secure,” Firefox staffers Tanvi Vyas and Peter Dolanjski wrote.
“As our plans evolve, we will continue to post updates but our hope is that all developers are encouraged by these changes to take the necessary steps to protect users of the Web through HTTPS.”
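The rule Firefox and Chrome apply is simple enough that a site operator can check their own forms for it before the browser does. The following is an added example, not Mozilla's or Google's code; it takes a page URL and a constructed inventory of that page's forms and reports which ones would be badged, using an assumed approximation of the browser rule: a password field on a page that is not HTTPS is flagged, as is a form on an HTTPS page whose action resolves to a plain-HTTP endpoint. Treating `localhost` as a secure origin mirrors what browsers do but is an assumption of this example.

```javascript
// Added example (not browser or project code): a site-side audit that mimics the
// "password field on an insecure page" badge described in the article.

// Assumption: browsers treat https:// pages and localhost as secure origins.
function isSecureOrigin(url) {
  return url.protocol === "https:" || url.hostname === "localhost";
}

// Audit one form. `form` is { id, action, inputs: [{ type }] }; a relative or
// missing action resolves against the page URL, as it would in the browser.
function auditForm(pageUrl, form) {
  const page = new URL(pageUrl);
  const hasPassword = form.inputs.some((input) => input.type === "password");
  if (!hasPassword) {
    return { flagged: false, reason: null };
  }
  if (!isSecureOrigin(page)) {
    return { flagged: true, reason: "password field on a cleartext page" };
  }
  const action = new URL(form.action || "", page);
  if (!isSecureOrigin(action)) {
    return { flagged: true, reason: "password submitted to cleartext endpoint " + action.href };
  }
  return { flagged: false, reason: null };
}

// Audit every form on a page; returns one result per form, in order.
function auditPage(pageUrl, forms) {
  return forms.map((form, idx) => ({
    form: form.id || "form#" + idx,
    ...auditForm(pageUrl, form),
  }));
}

// Constructed sample inventory (not real sites): the kind of data a crawler of
// your own pages would produce.
const SAMPLE_PAGES = [
  {
    url: "http://news.example.test/login",            // cleartext page with a login form
    forms: [{ id: "login", action: "/session", inputs: [{ type: "text" }, { type: "password" }] }],
  },
  {
    url: "https://bank.example.test/",                // HTTPS page posting to an HTTP endpoint
    forms: [{ id: "login", action: "http://legacy.example.test/auth", inputs: [{ type: "password" }] }],
  },
  {
    url: "https://shop.example.test/account",         // correctly secured form
    forms: [{ id: "login", action: "/signin", inputs: [{ type: "email" }, { type: "password" }] }],
  },
  {
    url: "http://blog.example.test/",                 // cleartext page, but no password field
    forms: [{ id: "search", action: "/search", inputs: [{ type: "search" }] }],
  },
];

// Summarise an inventory: how many forms across all pages would be badged.
function countFlagged(pages) {
  return pages
    .flatMap((page) => auditPage(page.url, page.forms))
    .filter((result) => result.flagged).length;
}

for (const page of SAMPLE_PAGES) {
  for (const result of auditPage(page.url, page.forms)) {
    console.log(page.url, result.form, result.flagged ? "NOT SECURE: " + result.reason : "ok");
  }
}
```

Running the block prints one line per form; only the first two sample pages are badged. The fourth page shows the distinction the article draws: a cleartext page with no password field is not flagged today, but will be once the struck-through lock is extended to all non-HTTPS pages.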
Firefox on insecure sites.
Browser barons are increasingly exercising their power to highlight weak security on web sites. The push to end cleartext on sensitive sites was greased by the widely-supported Let’s Encrypt initiative, which offers sites free SSL certificates and the means to deploy them easily.
In October, Google announced it would be forcing sites to enforce proper certificate security within a year.
The Alphabet subsidiary said it would flag sites with unauthorised certificates and label those that do not subscribe to the initiative as untrusted, a move intended to help combat phishing.