Firefox to mark all HTTP sites as Not Secure
Firefox will soon mark any site that still uses HTTP and not HTTPS for the connection as not secure in the browser's address bar.
Latest Let's Encrypt statistics show that more than 78% of all page loads in Firefox use HTTPS, an increase of about 6% when compared to July 2018. That leaves less than 22% of all connections and these will be marked by Firefox as not secure once Firefox 70 launches in October 2019.
The push to making HTTPS the default on the web began in earnest when companies like Mozilla and especially Google started to campaign for the adoption.
Google started to display the not secure indicator in Chrome if a connection used HTTP in 2018, Mozilla Firefox users could flip some switches in the browser's configuration for the same effect in 2018.
These configuration flags are present in the stable version of Firefox, and Firefox users may change their states to get the not secure indicator right now in the stable version of the browser.
All that is required is to set security.insecure_connection_icon.enabled to True on about:config to show the not secure indicator in the Firefox address bar for normal and private browsing connections. If you just want to show it for private browsing connections, set security.insecure_connection_icon.pbmode.enabled to True instead.
Mozilla added not secure indicators to Firefox in 2016 if HTTP pages had login forms as this meant that sensitive information, e.g. a user's password, was transmitted in the clear.
Firefox 70 Stable will display any HTTP site connection as Not Secure by default. Firefox Nightly users, the browser is already at version 70 currently, see this already when they connect to sites that use HTTP for the connection.
Mozilla began work on the feature three years ago. Meta Bug 1310842 highlights the organization's intention to "show a negative indicator for HTTP and no indicator for HTTPS". Discussion is still ongoing at this point.
Firefox 70 will be released on October 23, 2019 to the release channel according to the schedule.
Closing Words
HTTPS adoption is still on the rise and will be in the coming years. Not secure indicators in browsers push it even more and while Firefox showing "not secure" label won't have such a major effect as Chrome's had and has due to its share of the market, it will contribute nevertheless.
Now You: what do you do when a site still uses HTTP?
http soon to the killed due to millions want to https is just a realest. While for me, i want to retired from the internet due to https.
remind me, HTTPS is the Consumerist of the internets.
How much peoples too much paying for the security is important, how the peoples to blessing the privacy & security, many other protocols than https soon debunked and forget them is the worst.
And well this is the age of privacy & security belong to us.
If I just want to read some novel online, does https really matter?
@see:
It can, yes. HTTPS protects against man-in-the-middle attacks. Using plain HTTP, an attacker can easily inject malicious javascript into the pages you’re viewing, alter the contents of the pages you see, etc.
If you’re using an open WiFi access point without a VPN, then this is even a low-skill attack that can be performed by anyone else within radio range of the access point. If you’re using a password-protected access point without a VPN, then this is still a real risk, although it takes a little skill to pull off.
That said, these risks can be mitigated by being properly cautious — not allowing Javascript or other client-side code to run, remaining aware that the page your seeing may not exactly be the page the author wrote, and so forth.
For naive users, HTTPS is valuable protection even if the website is not of a sensitive nature. For those who know how, and are willing, to otherwise act in a secure way, the risk can be reduced to the point where a successful attack would be merely annoying, not devastating.
“what do you do when a site still uses HTTP?”
I avoid entering any personal details. Otherwise, pretty much nothing.
It’s ridiculous to call a Web site serving HTML documents via HTTP unsecure. Of course, it’s not just Mozilla hijacked by jerks. Braindead talking heads rule the world these days.
“https doesn’t necessarily mean it’s safe”
Yeah also for the huge proportion of web sites behind Cloudflare, Cloudflare can read and modify all the traffic in decrypted form (without even needing to secretly compromise a certificate authority or the protocol), and therefore as Snowden has explained it the police forces of USA and their allies too.
When big tech companies talk about security nowadays, they often implicitly exclude their kind and their governments from the threats they’re supposed to protect you from, while they’re arguably the worst threat, though less directly visibly.
In other news, it seems that the Kazakhstan government has decided recently to require all its citizens to install a man-in-the-middle certificate in their browser to spy on them. Mozilla is discussing adding a new sort of permanent interception warning in the browser for this case.
But when Mozilla was asked long before by privacy activists to show in the browser an interception warning for Cloudflare interceptions that allow the US government to spy on everybody, they refused.
It seems that for them, USA has a more natural right to pervasive spying than USA’s enemies.
> All that is required is to set security.insecure_connection_icon.enabled **and** security.insecure_connection_icon.pbmode.enabled to True
This is incorrect. the `pbmode` setting means to *only* show it in private browsing mode.
The other means to show it in *all* modes, and the pbmode is redundant
Thanks, corrected that!
HTTPS and DNS over TLS is mandatory to keep the Internet more neutral, private and secured.
According to jedisct1, the developer of DNSCrypt-proxy, “DNS-over-TLS is useless. It has zero benefits over these, so it is not implemented.” ends his one year old comment stating,
“DNSCrypt is faster (over UDP, which other options don’t support) and slightly safer than DoH. It was explicitly designed for DNS, doesn’t allow insecure parameters, is way simpler (= reduced attack surface), and has proper padding.
DNS-over-HTTP/2 is easier to deploy, as it can be served as a web page. But certificate management can be tricky.
dnscrypt-proxy supports both protocols. Unless one of them gives you systematic issues due to your ISP blocking it, you should just leave them both enabled. dnscrypt-proxy will try all the configured resolvers, and use the fastest ones no matter what the protocol is.
DNS-over-TLS is useless. It has zero benefits over these, so it is not implemented.”
Source : https://old.reddit.com/r/privacytoolsIO/comments/7wakeh/dnscrypt_v2_vs_dnsoverhttp2/
Personally I’ve always used but DNSCrypt-Proxy flawlessly, not even DNS-over-HTTP/2 (DOH).
@Tom Hawack: “DNS-over-HTTP/2 is easier to deploy, as it can be served as a web page.”
However, DoH present such a severe security problem for me and my systems that its existence means that I’ve had to install a man-in-the-middle for all my HTTPS connections just so I don’t lose some of my defenses.
I used dnscrypt and it also works with DoH.
I didn’t see any additional certificates when installed it.
What you speak about?
Would you do this with people’s mail (not email)? Snooping != Security, it’s just creepy!
@John Fenderson, as I wrote I use DNSCrypt, easy to deploy and run, moreover comes with many features of which blocklists. DNSCrypt can handle its very DNSCrypt protocol as well as DOH. All the information is available at https://github.com/jedisct1/dnscrypt-proxy
For those who prefer the easiness of a front-end : https://github.com/bitbeans/SimpleDnsCrypt
@Tom Hawack:
Yes, I understand. I was just expressing my frustration with the problems that the existence of DoH brings. I wasn’t really talking about any particular tool.
Agreed. What most people don’t realise is that you can infer quite accurately from DNS meta data even if you visit an https encrypted website.
e.g. DNS shows that you visited Google and did a search (don’t know what was searched), visited a medical website (Google search was likely medical related), went to your doctors website (serious enough ailment to seek medical help), went to a pharmacist website and bought something (clearly need some medicine). They might not know what you looked at due to the https encryption but they can infer that you have some sort of medical ailment that was serious enough to need a doctor and required treatment.
Now suppose you are going on holiday and are looking for travel insurance – do you think that the cost of the insurance will go up or down due to this information if it was shared with the insurance company? And what if you claimed to be fit and healthy – would they consider you to be dishonest due to the inferred information received via third party? Would this “dishonesty” then have a knock on affect with car insurance or property insurance or life assurance or loans or credit cards etc?
It’s easy to see how this information can be abused – what if you were buying medicine for someone else? Or perhaps it was a shared computer? Or maybe just a straight forward algorithmic error which the programmer has made. Just how would you go about correcting this?
The only time https will truly work is when it is used in conjunction with encrypted DNS too. Information is too easily abused and used against people today.
Well, ever looked at the data that’s exchanged in the beginning of a TLS session? You don’t really win anything if the certificate that the server sends you over the clear contains the name of the website and everything.
If somebody wants to know what websites you go to, DNS over HTTPS or DNS over TLS doesn’t help much.
It may be better than nothing but not by much.
https doesn’t necessarily mean it’s safe. If the encryption (ciphers) used is weak and obsolete it is worth nothing. Just having a general green icon for every https connection is also pretty dumb and useless.
Qualys SSL labs provides checks for web-browsers and websites.
Default out of the box configurations of firefox and chromium based web-browsers, also use weak cipher suites. Be careful, and don’t trust an icon for merely connections made with https, especially security.ssl3.rsa_des_ede3_sha for instance in firefox.
There used to be addons, like Caromel validator, to get an additional precise indicator for the real security status of websites, but nowadays the internal changes in firefox rendered it useless.
firefox: about:config -> security.ssl3.* show all available ciphers and let’s you easily deactivate the worst ones with the occasional breakage for still badly configured websites. Also TLS versions don’t influence the available ciphers, so TLSv1.3 only won’t suffice.
> https doesn’t necessarily mean it’s safe.
Yes, HTTPS merely means that there was an attempt to encrypt data. To ensure that a proper cipher is used, Firefox and other browsers are deprecating weak ciphers and TLS 1.0 and TLS 1.1 soon. Marking HTTP as insecure is a purely cosmetical change, but it will give site administrators a much-needed kick to actually use TLS.
I’m running the ‘HTTPS Everywhere’ Firefox extension and if I encounter an HTTP (non-secure) site I check if it’s available as HTTP (via a dedicated bookmarklet) : if it is I’ll add that site to ‘HTTPS Everywhere’, if it isn’t I’ll carry on with the non-secured connection but wouldn’t consider delivering to it confidential data.
Concerning HTTPS I read articles mentioning secured connections aren’t a panacea, that certificates happen to be falsified and that it must take more than that ‘S’ for a user to be sure of a domain’s security and reliability : HTTPS is definitely not a badge of good conduct neither of bullet-proof security.
@Tom Hawack: would you care to share that bookmarklet?
@Klaas Vaak, hi there!
The bookmarklet is meant to toggle httphttps, but since I don’t remember which Firefox version it now only works to toggle http > https and won’t reverse, even if the site is http, in which case a simple ‘Go back one page’ will revert to http. Still helpful nevertheless.
HTTP-HTTPS Toggle (HTTP>HTTPS is OK, HTTPS>HTTP doesn’t work anymore)
javascript:((function(){window.location=location.href.replace(/^http/i,”https”).replace(/^http\w{2,}/i,”http”);})())
Easier than adding ‘s’ to the url in the urlbar.
@Tom Hawack: thank you kind sir.
After decades of telling users to check for the green padlock in the address bar, let’s remove it!
What a stupid way to confuse users…