Firefox 44: special notification if logins are not secure - gHacks Tech News

Firefox 44: special notification if logins are not secure

The most recent Nightly version of the Firefox web browser includes a special notification on websites where login forms are not secured by https to make sure users are aware of the issue.

Not all pages or sites need to be protected by https in my opinion, but there are certain types of sites or pages that should be protected at all times.

This includes online banking services and other services that include financial transactions, sites that store personal information such as photos, videos or messages, and login pages.

The main reason why these pages and services are more important than others is simple: attackers gain valuable data and information when they snoop on the traffic whereas they may not gain much by snooping on other Internet activities.

All web browsers highlight whether a connection is secure or not as icons in the address bar. Some use colors to make this even clearer to the user.

The most recent version of Firefox Nightly, currently at version 44, ships with a change that notifies Firefox users when pages with password inputs are not protected by https.

[Screenshot: Firefox warning on a login page without https]

The new "insecure" lock icon in the address bar highlights that the connection to the site is not secure and that data that is entered on the site may be captured by third parties because of that.

The warning is displayed on login pages that use http and not https, even if the form itself submits to https. The reason for that is that scripts on the page may still intercept what has been entered before submit is clicked in the browser.

A click on the icon highlights the same fact as you can see on the screenshot above.

The new feature catches this only if <input type="password"> fields are used. Sites could avoid the message by changing the input type, but that would have other consequences. Still, it is best to use it as another indicator but not as a sure-fire way of making sure that a login page is properly protected.
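The check described above can be sketched in JavaScript. This is an added example, not Firefox's code and not from the article; `auditLoginPage`, `collectForms` and the shop.example URLs are hypothetical. It also reports an https page whose form posts to http, which goes beyond what the article describes.

```javascript
// Added example, not Firefox's implementation. All names and URLs are hypothetical.
function isHttps(url) {
  return new URL(url).protocol === 'https:';
}

// pageUrl: where the document was loaded from.
// forms: [{ action: string, inputTypes: string[] }] describing each <form>.
function auditLoginPage(pageUrl, forms) {
  const findings = [];
  for (const form of forms) {
    // Only type="password" counts, so a site that swaps the input type
    // slips past this check, the blind spot the article mentions.
    if (!form.inputTypes.some((t) => t.toLowerCase() === 'password')) continue;
    // An empty action submits to the page itself; relative ones resolve against it.
    const target = new URL(form.action || pageUrl, pageUrl).href;
    const pageInsecure = !isHttps(pageUrl);
    const submitInsecure = !isHttps(target);
    findings.push({
      target,
      pageInsecure,
      submitInsecure,
      // An http page is flagged even when the form posts to https: script on
      // the page can read the field before submit.
      warn: pageInsecure || submitInsecure,
    });
  }
  return findings;
}

// Browser-side collector: pass `document` to get the structure above.
function collectForms(doc) {
  return Array.from(doc.forms, (f) => ({
    action: f.getAttribute('action') || '',
    inputTypes: Array.from(f.querySelectorAll('input'), (i) => i.type),
  }));
}

// Constructed sample: http login page whose form posts to https.
const sample = auditLoginPage('http://shop.example/login', [
  { action: 'https://shop.example/session', inputTypes: ['text', 'password'] },
]);
console.log(sample);
```

In a browser console, `auditLoginPage(location.href, collectForms(document))` runs the same check against the current page.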

You are probably wondering when this will land in release versions of Firefox. Please note that all development features may change or be removed entirely before they reach the stable version of Firefox.

If things go as planned, Firefox Stable users should see the new notifications on January 26, 2016 when stable versions of Firefox reach version 44.

Now You: Do you pay attention to the use of https on sites?

    Comments

    1. Taoufix said on October 21, 2015 at 4:38 pm

      Finally!

      I was tired of looking up login input fields with the Dev console and ended up coding a simple Greasemonkey script to show me if the field is safe.

      Here is the script if anyone is interested:
      https://github.com/taoufix/user-scripts/blob/master/unsecure-login.user.js

      1. Tom Hawack said on October 21, 2015 at 6:56 pm

        I’ve just installed your script. Most valuable. Thanks.

      2. not_black said on October 21, 2015 at 8:28 pm

        I don’t get it. Why did you need to make this script? If the connection is HTTPS, then it’s safe. If it’s not HTTPS, it’s not safe. Or it isn’t that simple?

        1. Tom Hawack said on October 21, 2015 at 8:46 pm

          The purpose of the script is to render a green or red background of the password box depending if the site is secured or not, it’s only a reminder because I guess one can forget to check the site’s security before entering his password.

        2. anon said on October 21, 2015 at 11:08 pm

          Is there any script or extension to use IE’s better approach of coloring the whole address bar based on the site’s security? This makes things easier since it’s quickly noticeable. For example, although both gitgud.io and github.com are valid HTTPS sites, IE7/8/9/10/11 gives a green color to the address bar only in GitHub’s case because it has all the requirements in place (both HTTPS and an extended validation certificate: http://blogs.msdn.com/b/ie/archive/2006/11/07/improving-ssl-extended-validation-ev-ssl-certificates-coming-in-january.aspx).

        3. Martin Brinkmann said on October 22, 2015 at 7:54 am
    2. A100 said on October 21, 2015 at 5:19 pm

      In the picture that you posted, what is the icon that seems to represent translation, to the left of the lock icon in the address bar? Is Firefox gonna support translation of web pages just like Chrome?

      1. Martin Brinkmann said on October 21, 2015 at 5:33 pm

        Yes that is correct. It has been under construction for quite a while: https://www.ghacks.net/2014/05/23/firefoxs-upcoming-page-translation-feature/

    3. nik said on October 21, 2015 at 5:51 pm

      “This includes online baking services”
      Yeah, that stuff sure needs to be secure!

      1. Martin Brinkmann said on October 21, 2015 at 5:53 pm

        Yeah those baking services need proper protection.

    4. anon said on October 21, 2015 at 7:09 pm

      Remember that the goal is to deprecate HTTP so that people favor HTTPS and HTTP/2, which as the successor to HTTP 1.1 is encrypted by default with at least TLS 1.2 (TLS 1.3 is in development and will get rid of a lot of legacy that is no longer secure).

      https://httpwg.github.io/
      https://http2.github.io/
      https://tools.ietf.org/html/rfc7540
      https://en.wikipedia.org/wiki/HTTP/2

      https://datatracker.ietf.org/wg/tls/documents/
      https://tlswg.github.io/tls13-spec/
      https://tools.ietf.org/html/draft-ietf-tls-tls13-10
      https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3_.28draft.29

    5. Nebulus said on October 21, 2015 at 10:59 pm

      I don’t really care about HTTPS when browsing a site where I don’t have to enter sensitive information. For those sensitive sites though, it is a good idea to have such an indicator.
