PINDROP BLOG

Firefox Starts Marking Insecure Pages That Send Sensitive Data

The fight against the unencrypted web is gaining more and more momentum, with the latest volley coming from Mozilla, which has made a significant change in the latest version of Firefox to give users more information about insecure pages.

In Firefox 51, released Tuesday, Mozilla includes a feature that marks pages as insecure when they ask for credentials and send them over plaintext HTTP connections. The change will be visible to users in the address bar, in the form of a lock with a red slash through it. This is in direct contrast to the indicator for a secure page, which is a green lock icon. Previously, Firefox showed a neutral icon to indicate that a page wasn’t using HTTPS.

“Starting today in the latest Firefox, web pages that collect passwords, like an email service or bank, but have not been secured with HTTPS will be more clearly highlighted as potential threats,” Nick Nguyen of Firefox said in a post on the change.

“Up until now, Firefox has used a green lock icon in the URL bar to indicate when a website is secure (using HTTPS) and a neutral indicator (no lock icon), otherwise. In order to more clearly highlight possible security risks, these pages will now be denoted by a grey lock icon with a red strike-through in the URL bar.”

The change doesn’t apply to all pages that send data over plaintext connections, only those that are sending sensitive information, such as usernames and passwords. Google announced a similar change to Chrome back in September, saying that Chrome 56, due at the end of this month, will mark as insecure pages that send private data over insecure connections. Although it’s a cosmetic change, the decision to let users know that a page is sending private data over an unencrypted connection is an important step in the evolution of the web. It gives users more information about the way that pages are handling their private information, and also provides site owners with a motive to encrypt those connections.
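For site owners who want to find the pages this indicator will flag, here is an added example (not from the original post, and not Firefox's own detection logic): a Python check that reports password forms served or submitted over plaintext HTTP. The function and class names, the sample markup and the shop.example URL are constructed for illustration, and the check goes slightly beyond the article by also covering an HTTPS page whose form posts to an HTTP target.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input: a login page served over plaintext HTTP.
SAMPLE_URL = "http://shop.example/login"
SAMPLE_HTML = '<form action="/session"><input name="u"><input type="password" name="p"></form>'

class PasswordFormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form: action and has_password
        self._current = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is None:  # field outside any <form>: track it on its own
                self._current = {"action": "", "has_password": False}
                self.forms.append(self._current)
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_page(page_url, html):
    """Return findings; an empty list means no password leaves over HTTP."""
    parser = PasswordFormAudit()
    parser.feed(html)
    page_insecure = urlsplit(page_url).scheme != "https"
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # non-credential forms are out of scope, as in the article
        if page_insecure:
            findings.append("password form on a page served over HTTP")
        target = urljoin(page_url, form["action"])  # empty action posts to the page URL
        if urlsplit(target).scheme != "https":
            findings.append("password form submits to " + target)
    return findings

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

The check reads static markup only; forms that are built or submitted by script need to be audited against the rendered DOM.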
