Mozilla revamps Firefox's HTTPS address bar information

Martin Brinkmann
Aug 13, 2019

Mozilla plans to make changes to the information that the organization's Firefox browser displays in its address bar when it connects to sites.

Firefox currently displays an i-icon and a lock symbol when connecting to sites. The i-icon displays information about the security of the connection, content blocking, and permissions; the lock icon indicates the security state of the connection visually. A green lock indicates a secure connection, and if a site has an Extended Validation certificate, the name of the company is displayed in the address bar as well.

Mozilla plans to make changes to the information that is displayed in the browser's address bar that all Firefox users need to be aware of.

One of the core changes removes the i-icon from the Firefox address bar, another the Extended Validation certificate name, a third displays a crossed out lock icon for all HTTP sites, and a fourth changes the color of the lock for HTTPS sites from green to gray.

Why are browser makers making these changes?

Most Internet traffic happens over HTTPS; latest Firefox statistics show that more than 79% of global pageloads happen using HTTPS and that it is already at more than 87% for users in the United States.

The shield icon was introduced to indicate to users that the connection to the site uses HTTPS and to give users options to look up certificate information. It made sense to indicate that to users back when only a fraction of sites used HTTPS.

With more and more connections using HTTPS, browser makers like Mozilla or Google decided that it was time to evaluate what is displayed to users in the address bar.


Google revealed plans in 2018 to remove Secure and HTTPS indicators from the Chrome browser; Chrome 76, released in August 2019, does not display HTTPS or WWW anymore in the address bar by default.

Mozilla launched changes in Firefox in 2018, hidden behind a flag, to add a new "not secure" indicator to HTTP sites in Firefox.

Google and Mozilla plan to remove information that indicates that a site's connection is secure. It makes some sense, if you think about it, considering that most connections are secure on today's Internet. Instead of highlighting that a connection is secure, browsers will highlight if a connection is not secure.

The changes are not without controversy though. For more than two decades, Internet users were told that they needed to verify the security of sites by looking at the lock symbol in the browser's address bar. Mozilla does not remove the lock icon entirely in Firefox 70 and the organization won't touch the protocol in the address bar either at this point; that is better than what Google has already implemented in recent versions of Chrome.

The following changes will land in Firefox 70:

  • Firefox won't display the i-icon anymore in the address bar.
  • Firefox won't display the owner of Extended Validation certificates anymore in the address bar.
  • A shield icon is displayed that lists protection information.
  • The lock icon is still displayed; it displays certificate and permission information and controls.
  • HTTPS sites feature a gray lock icon.
  • All sites that use HTTP will be shown with a crossed out shield icon (previously only HTTP sites with login forms).

Mozilla aims to launch these changes in Firefox 70. The browser is scheduled for a release on October 23, 2019.

Firefox users may add a "not secure" indicator to the browser's address bar. Mozilla, just like Google, plans to display it for sites that use HTTP. The additional indicator needs to be enabled separately at the time of writing; it won't launch in Firefox 70.

  1. Load about:config in the Firefox address bar.
  2. Search for security.identityblock.show_extended_validation.
  3. Set the preference to TRUE to display the name of the owner of Extended Validation certificates in Firefox's address bar, or set it to FALSE to hide it.

The new gray icon for HTTPS sites can be toggled as well in the advanced configuration:

  1. On about:config, search for security.secure_connection_icon_color_gray
  2. Set the value to TRUE to display a gray icon for HTTPS sites, or set it to FALSE to return to the status quo.
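The two about:config procedures above change preferences that Firefox stores per profile. The following Python code is an added example, not part of the article or of Mozilla's code: it reads both preferences from a profile's preference files and pins a chosen value in user.js. It assumes the profile uses `prefs.js` and `user.js` files made of `user_pref("name", value);` lines, with user.js applied over prefs.js at startup; the function names and the sample file contents are constructed for illustration.

```python
import re

# Preference names as given in the article.
EV_PREF = "security.identityblock.show_extended_validation"
GRAY_PREF = "security.secure_connection_icon_color_gray"

# Matches one line of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines and malformed lines are skipped
        name, raw = match.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def effective_prefs(prefs_js, user_js):
    """Merge both files; user.js is applied at startup, so its values win."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def pin_pref(user_js, name, value):
    """Return user.js text with exactly one line setting `name` to a boolean."""
    kept = []
    for line in user_js.splitlines():
        match = PREF_LINE.match(line)
        if match and match.group(1) == name:
            continue  # drop any earlier setting of the same preference
        kept.append(line)
    kept.append('user_pref("%s", %s);' % (name, "true" if value else "false"))
    return "\n".join(kept) + "\n"


def report(prefs):
    """State of the two address bar preferences discussed in the article."""
    return {name: prefs.get(name, "not set in profile")
            for name in (EV_PREF, GRAY_PREF)}


# Constructed sample file contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''// Constructed sample prefs.js
user_pref("browser.startup.page", 3);
user_pref("security.secure_connection_icon_color_gray", true);
'''
SAMPLE_USER_JS = '''user_pref("security.secure_connection_icon_color_gray", false);
'''

if __name__ == "__main__":
    print(report(effective_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS)))
    # Pin the EV owner name to "shown" (TRUE, per the article's step 3).
    pinned = pin_pref(SAMPLE_USER_JS, EV_PREF, True)
    print(report(effective_prefs(SAMPLE_PREFS_JS, pinned)))
```

A preference reported as "not set in profile" has never been changed from the browser's built-in default, which this code does not try to guess.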

Now You: What is your take on these changes? (via Sören)

Publisher: Ghacks Technology News
Comments

  1. foxy said on August 15, 2019 at 1:13 am

    I like a nice green padlock :( Green for go/”safe”!
    Come on Mozilla, you deprecated the custom css option to make the entire bar green for https/yellow for mixed/red for http. You’d better not get rid of the “security.secure_connection_icon_color_gray” option.

  2. ULBoom said on August 13, 2019 at 11:13 pm

    “If it works, it needs more features.”

    Doesn’t matter much to me if these changes are made. I still use a ver 67 of Chromium; maybe ESR 60 will be my long term FF, depends on when Mozilla truly jumps the shark. Most of my security/blocking software is system level now; don’t really want a browser designed by Nacho Analytics.

    1. John said on August 14, 2019 at 7:49 am

      While I recognize everyone’s freedom to do whatever they want with their own computers, smartphones, tablets, and whatever, I have to say that I don’t entirely understand the attitude that some take of just sticking with some random old version of a software program and never updating it, especially with a web browser, which is kind of ground zero for how most malware or viruses first gain access to your device.

      I would understand it better if it were just pertaining to some piece of software that didn’t have an online component, certainly. Even if it were software where the online component was very limited and directed only to one place (Like your favorite music or ebook software connecting to a music or ebook store), I could understand that.

      I also could understand why in a hypothetical world where every browser goes in a direction one can’t stand, one might try to take the risk of sticking by an old version that no longer gets security updates as a protest, and be willing to assume the risk involved because it’s the only thing you feel you can do.

      *However*, with almost every complaint I read someone having typed about why they are sticking with an old version of a major browser that doesn’t get security patches (Well, at least not while sticking on that version), there is some minor browser that does what that old version of the major browser does and hasn’t made the changes the poster doesn’t like. So, why not support the browser that does what you want the way you want while still offering security updates and keeping its ability to render web pages relatively current? That improves security and usability for you, and supports the usage statistics for a browser you like in the present that could probably use an extra user or two.

  3. Sunny said on August 13, 2019 at 8:55 pm

    There should be a clear visual indication when a site (Banks, government) uses an Extended Validation certificate instead of the standard certificates (like LetsEncrypt) that hackers can easily use. I should see this without having to click on any icon.

    For example sites with EV certificates can have a url with a green background color, and sites with no https can have a light red background color.

    Make it easy and thus safe for users, instead of all the nonsense Google does like not showing http(s) or www in the url.

  4. troy said on August 13, 2019 at 5:15 pm

    Yep, follow the idiots at Google, let’s copy and do everything that Chrome does. What’s next, cripple ad-blockers in the name of performance, and security? Someone make a dam browser that does not and will not be influenced by the spy company called Google.

    So dam tired of every browser just doing what google does.

    1. TheBestF22 said on November 7, 2019 at 1:25 am

      BTW:

      “Discussion” about THIS Article’s Subject/Topic and the Decision taken to NOT Follow “Backwards Trends” on Both Browser Apps (“Basilisk” and “Pale Moon”) can be found here:
      https://forum.palemoon.org/viewtopic.php?f=65&t=23173#p177347

      Bye then.

    2. TheBestF22 said on November 7, 2019 at 1:10 am

      > “Someone make a dam browser that does not and will not be influenced by the spy company called Google.”

      — “Pale Moon” (and “Basilisk”) already exist.
      (“Pale Moon” has been a “Hard Fork” of Firefox for a while now)

      And the Project has just passed the 10 Year Anniversary mark!.

      (and Please read the “Rumor Control” Post before believing BS Claims by other People, specially because They’ve been the same BS for at least 5 years – but possibly more)
      ( http://forum.palemoon.org/viewtopic.php?f=65&t=22399 )

      C Ya L8r then!. ;P

    3. TheBest_F-22 said on November 7, 2019 at 1:09 am

      > “Someone make a dam browser that does not and will not be influenced by the spy company called Google.”

      — “Pale Moon” (and “Basilisk”) already exist.
      (“Pale Moon” has been a “Hard Fork” of Firefox for a while now)

      And the Project has just passed the 10 Year Anniversary mark!.

      (and Please read the “Rumor Control” Post before believing BS Claims by other People, specially because They’ve been the same BS for at least 5 years – but possibly more)
      ( http://forum.palemoon.org/viewtopic.php?f=65&t=22399 )

      C Ya L8r then!. ;P

  5. paulus said on August 13, 2019 at 4:01 pm

    Personally I think that only 79 % Internet traffic happens over HTTPS.
    So I am wondering whether it’s not way too soon to do this.
    Maybe when the number reaches 92% I can understand it, but now no!
    So please consider because it’s still a very handy checking possibility.

    1. Omega X said on August 14, 2019 at 6:14 am

      Even at 79%, it’s much more informative to point out insecure sites than to make a big deal about those that are secure.

  6. Amir said on August 13, 2019 at 2:01 pm

    “Mozilla plans to make changes to the information that the organization’s Firefox browser displays in its address bar when it connects to sites.”

    Not home users?

  7. Mele said on August 13, 2019 at 1:48 pm

    Thank goodness, I use Basilisk as my default browser and Fx 60 ESR, which will move in a couple of months to Fx 68 ESR, so I can avoid this for awhile longer. My home page has been http://www.dslreports.com/postlist since broadband became available in my home town in the summer of 2001. The site can be accessed as https also BUT the speed test (still the best on the internet) MUST run on http NOT https to be accurate especially if using ipV6.

    I think the move to https all over the net is absurd. My home site is mostly for posting in forums and using the private messaging system and reading articles relevant to broadband. Why does anyone need https for such a site? Banking sites and a FEW others need https and the rest do not!

    1. Klaas Vaak said on August 13, 2019 at 2:20 pm

      @Mele: Basilisk, developed by Moonchild, the developer struggling to keep Pale Moon afloat. Will he be able to keep both projects – Basilisk and Pale Moon – going, or will he have to ditch one, like he did with FossaMail, the email app?

      1. John said on August 13, 2019 at 9:28 pm

        @Klaas Vaak I am not saying that you are wrong, but I think it is worth noting that Basilisk and Pale Moon now share the same XUL Platform code ( http://thereisonlyxul.org/ ). So, basically, the “back end” including web rendering and stuff is the same for both browsers and doesn’t require significant extra work at this point to maintain two browsers relative to maintaining one browser.

        Basilisk has also made a change to use the same sync setup as Pale Moon, which again reduces the amount of extra work they’d have to do to maintain both browsers simultaneously (I’m not saying this was the reason for the change, just a consequence that’s relevant to our discussion).

        What has to still be maintained separately is the application code for each browser. So, it’s not entirely a situation where no extra work has to be done to maintain two browsers instead of one, but it is a situation where most of the work only has to be done once for both browsers and only a minority of the work is browser specific, making it easier to maintain two browsers than it would be if they were using separate platform code, sync systems, etc.. I’ve read that the application code (Which differs) actually does not require that much updating relative for platform codes once browsers have an established user interface (look and feel) that they just want to maintain, which seems to be the case for Pale Moon and Basilisk.

        I am typing this using Firefox, so I currently have no horse in this race (I admittedly have used Pale Moon in the past.). I’m just saying that while your question is reasonable about whether both Pale Moon and Basilisk will be able to continue given their limited number of developers and limited resources, a lot of whom and which are split between the two browsers or working on them both simultaneously, it may not be as much of a problem as one would think. It’s just not that much extra work the way they are doing it. Any amount of extra work, even a small amount, could lead to something being discontinued if they don’t have the personpower hours to put in, or aren’t getting enough funding, but it seems like they have a good shot at being able to keep both going because of the way they have set them up.

        If and when more unrelated browsers and other software start using their Unified XUL platform as platform code for their projects, the open source nature of it means that it might actually turn into *less* work for the Pale Moon/Basilisk people, because said projects will have their own developers who may contribute patches or even volunteer directly to work on the platform code, or at minimum will have to make the source code available that includes the code they’ve changed because of open-source licenses, which could be merged back into the Unified XUL Platform and the main browsers that are associated with it, if it’s code that the people who run that deem an improvement. So, in theory, if it picks up steam in the way that they want it to, the Unified XUL Platform may actually be like adding extra part-time contributors to their project at no charge.

        And, hey, if one browser is discontinued, it’s pretty easy to just pick a new browser, right? Browsers are free and can be downloaded and installed on a whim. You can even export your bookmarks from one browser and then import them to another.

  8. Thorky said on August 13, 2019 at 1:12 pm

    Google and Mozilla: Into the potato, out of the potato … 🤔

  9. Anonymous said on August 13, 2019 at 12:37 pm

    >> Did they remove the list of page media that was in the i-icon ? That was convenient to download media from sites like instagram without using extensions or the developer tools.
    It’s still there

    Release: I-icon > Show Connection Details > More information
    Nightly: Padlock icon > Show Connection Details > More information

  10. Anonymous said on August 13, 2019 at 11:20 am

    Did they remove the list of page media that was in the i-icon ? That was convenient to download media from sites like instagram without using extensions or the developer tools.

    “Firefox won’t display the owner of Extended Verification certificates anymore in the address bar.”

    Because this anti-phishing security was imperfect, and expensive for sites, Google decided that it was better to have none at all. Not sure if this was a security decision or a business one.

    1. Martin Brinkmann said on August 13, 2019 at 11:28 am

      You mean Page Info? You can still right-click on the page and select Page Info. Another option that you have is to open the developer tools with a tap on F12 and check the Network tab. There you find all media elements listed as well.

      1. Anonymous said on August 14, 2019 at 9:03 pm

        Page Info is still there, now the shield and the padlock have separate functions and Page Info went to the latter: click the padlock, then the arrow to the right of “Connection Secure” / “Connection Is Not Secure”, then the “More Information” button.

  11. Tom Hawack said on August 13, 2019 at 10:52 am

    No i-icon nor lock symbol here, removed. Urlbar gets a yellow background with https sites and I’ve added a toolbar button to display a site’s Page Info with left-click and my saved logins with middle-click.

    Side-note

    The article mentions that “Most Internet traffic happens over HTTPS; latest Firefox statistics show that more than 79% of global pageloads happen using HTTPS and that it is already at more than 87% for users in the United States.”

    Makes me wonder if the ‘HTTPS Everywhere’ extension isn’t bound to become obsolete, if it isn’t already. Firefox’s Task Manager reports the extension occupies 27MB of RAM (which isn’t a true problem) when meanwhile it misses several (many?) https-ready websites. And now with the increasing number of sites deploying over HTTPS I’m getting closer day by day to removing ‘HTTPS Everywhere’.

    1. OzMerry said on August 15, 2019 at 12:09 pm

      FF Developer Edition 69.0b13 (64-bit)

      HTTPS Everywhere : 813KB

      The FF Task Manager is at the top of the memory usage list : 60.3MB

    2. owl said on August 14, 2019 at 11:57 am

      HTTPS Everywhere :
      Measure with Firefox’s Task Manager (about 10 minutes)
      Firefox DeveloperEdition 69.0b13 (64-bit) :777KB±.
      Firefox Nightly 70.0a1 (2019-08-13) (64-bit) :653KB±.
      Firefox ESR 60.8.0esr (64-bit) :Unmeasurable(Task Manager function is not provided)

    3. ULBoom said on August 13, 2019 at 10:58 pm

      35 Mb in Tor, does that count?

      Not a standalone in ESR, the other FF I normally use.

    4. Tom Hawack said on August 13, 2019 at 3:32 pm

      Maybe the reason is that I’ve disabled disk cache and set my memory cache to 1GB… no idea.

    5. Klaas Vaak said on August 13, 2019 at 11:59 am

      @Tom Hawack: 27 MB for HTTPS Everywhere? My FF task manager says 738 KB.

      1. TelV said on August 13, 2019 at 6:11 pm

        Anybody got a calculator? Mine shows as 33,157,135 B. Would that be bytes or bits d’you think?

        The percentage figure for HTTPS Everywhere is 04.76%

        I’m using Waterfox 56.2.12 by the way.

      2. Tom Hawack said on August 13, 2019 at 2:00 pm

        @Klaas Vaak … 738KB for ‘HTTPS Everywhere’?!! Wow!!
        Houston : we have no problems but a mystery.
        Klaas, are you sure you didn’t slip a line when viewing FF’s Task Manager (about:performance)
        738KB is impossible!

        Any other astronauts around to report?

      3. ty said on August 14, 2019 at 6:37 am

        816 KB here, was 700 something a little while ago

      4. Anonymous said on August 13, 2019 at 2:23 pm

        766KB here

      5. Yepper said on August 13, 2019 at 4:09 pm

        3.5MB here.

  12. John C. said on August 13, 2019 at 9:00 am

    After reading your article and great explanation, Martin, I have to say that these changes make sense and they don’t bother me at all. Since the lock icon will still be displayed, it will still be possible to view the certificate information as you say, so I don’t see any problems with this change at all at this point, don’t really predict any either.

  13. firefox_user said on August 13, 2019 at 8:23 am

    Why? This will only make things easier for scummy phishers. Also, knowing Mozilla, the about:config toggles will be removed sooner than later.

    1. blob said on August 13, 2019 at 10:08 am

      Read the article. Since a vast majority of websites uses HTTPS nowadays, there is no need to make those websites stand out with all those indicators and lighten-up padlock icons. It has become redundant at this point.

      Also, I would like an explanation how hiding that information makes you vulnerable to phishers. If you thought that sites that have all those icons and indicators displayed next to their URL are confirmed trustworthy then you misunderstood encryption and proved that hiding that info is a good idea since it will stop giving users a false sense of security.

      1. Muhammad Firza said on September 4, 2019 at 2:53 pm

        Switch to https is the worst moment I ever had, so these websites don’t like switch to https because is a biggest lie and avoid to attacked by hackers and so http is still prevalence until today, and they said ‘http is dead’ is a hoax. So switch to https isn’t permanently but temporary

      2. firefox_user said on August 13, 2019 at 10:40 am

        Extended Validation certificates are vastly important to users of banking services and in corporate environments. The first thing the employees are taught is to never input credentials unless there’s an indicator of extended validation certificate. They are supposed to identify the owner of the website. Encryption has nothing to do with it and I can’t believe you would even think encryption itself has anything to do with phishing.

    2. Anonymous said on August 13, 2019 at 9:33 am

      Because in the world of software development, not doing anything to something that works right is seen as not doing any work, regardless of how idiotic that sounds.
