Firefox 44: special notification if logins are not secure
The most recent Nightly version of the Firefox web browser includes a special notification on websites where login forms are not secured by https to make sure users are aware of the issue.
Not all pages or sites need to be protected by https in my opinion, but there are certain types of sites or pages that should be protected at all times.
This includes online banking services and other services that include financial transactions, sites that store personal information such as photos, videos or messages, and log in pages.
The main reason why these pages and services are more important than others is simple: attackers gain valuable data and information when they snoop on the traffic whereas they may not gain much by snooping on other Internet activities.
All web browsers highlight whether a connection is secure or not as icons in the address bar. Some use colors to make this even clearer to the user.
The most recent version of Firefox Nightly, currently at version 44, ships with a change that notifies Firefox users when pages with password inputs are not protected by https.
The new "insecure" lock icon in the address bar highlights that the connection to the site is not secure and that data that is entered on the site may be captured by third parties because of that.
The warning is displayed on login pages that use http and not https, even if the form itself uses https. The reason for that is that scripts may still intercept what has been entered on the page before submit is clicked on in the browser.
A click on the icon highlights the same fact as you can see on the screenshot above.
The new feature catches this only if <input type="password"> fields are used. Sites could avoid the message by changing the input type, but that would have other consequences. Still, it is best to use it as another indicator but not as a sure-fire way of making sure that a login page is properly protected.
You are probably wondering when this will land in release versions of Firefox. Please note that all development features may change or be removed entirely before they reach the stable version of Firefox.
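The rule described above, written as a small audit a site owner could run against their own login pages. This is an added example, not Firefox's code or code from this article. The verdict names, the name-based hint for non-password fields, the `insecure-submit` case (which goes beyond what the article covers) and the `example.test` sample are assumptions made for illustration.

```javascript
'use strict';

// Verdict per field, following the rule the article describes: the page's
// own scheme decides, not the scheme of the form's action URL.
function auditPasswordFields(doc, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const input of doc.querySelectorAll('input')) {
    const type = (input.getAttribute('type') || 'text').toLowerCase();
    const name = input.getAttribute('name') || '';
    const rawAction = input.form ? input.form.getAttribute('action') : null;
    // A missing or empty action submits back to the page's own URL.
    const action = new URL(rawAction || page.href, page);
    let verdict;
    if (type !== 'password') {
      // Assumption: a name hint marks fields a type-based rule cannot see.
      if (!/pass|pwd/i.test(name)) continue;
      verdict = 'not-detected';
    } else if (page.protocol !== 'https:') {
      verdict = 'insecure-page'; // flagged even when the action is https
    } else if (action.protocol !== 'https:') {
      verdict = 'insecure-submit'; // https page that posts to http
    } else {
      verdict = 'ok';
    }
    findings.push({ name, verdict, action: action.href });
  }
  return findings;
}

// Constructed stand-in for a DOM so the check also runs outside a browser.
function fakeDoc(fields) {
  const el = (attrs, form) => ({ form, getAttribute: (a) => (a in attrs ? attrs[a] : null) });
  return { querySelectorAll: () => fields.map(([type, name, action]) =>
    el({ type, name }, el({ action }))) };
}

// Constructed sample: an http login page whose form posts to an https URL.
const sampleDoc = fakeDoc([
  ['password', 'pw', 'https://example.test/session'],
  ['text', 'user', 'https://example.test/session'],
  ['text', 'password', 'https://example.test/session'],
]);
console.log(auditPasswordFields(sampleDoc, 'http://example.test/login'));
```

In a browser console the same function can be called as `auditPasswordFields(document, location.href)`.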
If things go as planned, Firefox Stable users should see the new notifications on January 26, 2016 when stable versions of Firefox reach version 44.
Now You: Do you pay attention to the use of https on sites?
I was tired of looking up login input fields with the Dev console and ended up coding a simple Greasemonkey script to show me if the field is safe.
Here is the script if anyone is interested:
I’ve just installed your script. Most valuable. Thanks.
I don’t get it. Why did you need to make this script? If the connection is HTTPS, then it’s safe. If it’s not HTTPS, it’s not safe. Or it isn’t that simple?
The purpose of the script is to render a green or red background of the password box depending if the site is secured or not, it’s only a reminder because I guess one can forget to check the site’s security before entering his password.
Is there any script or extension to use IE’s better approach of coloring the whole address bar based on the site’s security? This makes things easier since it’s quickly noticeable. For example, although both gitgud.io and github.com are valid HTTPS sites, IE7/8/9/10/11 gives a green color to the address bar only in GitHub’s case because it has all the requirements in place (both HTTPS and an extended validation certificate: http://blogs.msdn.com/b/ie/archive/2006/11/07/improving-ssl-extended-validation-ev-ssl-certificates-coming-in-january.aspx).
While not identical, maybe this will do: https://www.ghacks.net/2012/03/07/safe-for-firefox-visualizes-secure-connections-in-the-browser/
In the picture that you posted, what is the icon that seems to represent translation, to the left of the lock icon in the address bar? Is Firefox gonna support translation of web pages just like Chrome?
Yes that is correct. It has been under construction for quite a while: https://www.ghacks.net/2014/05/23/firefoxs-upcoming-page-translation-feature/
“This includes online baking services”
Yeah, that stuff sure needs to be secure!
Yeah those baking services need proper protection.
Remember that the goal is to deprecate HTTP so that people favor HTTPS and HTTP/2, which as the successor to HTTP 1.1 is encrypted by default with at least TLS 1.2 (TLS 1.3 is in development and will get rid of a lot of legacy that is no longer secure).
I don’t really care about HTTPS when browsing a site where I don’t have to enter sensitive information. For those sensitive sites though, it is a good idea to have such an indicator.