The increased adoption of HTTPS among website operators will soon lead to browsers marking HTTP pages as "Not Secure" by default.
For example, the current Firefox Nightly Edition (version 59) includes a secret configuration option that, when activated, shows a visual indicator that the current page is not secure. In its current form, this indicator is a red line striking through the classic lock icon that's normally used to signal encrypted HTTPS pages.
"HTTPS deployment is starting to get some momentum," said Richard Barnes, a former Mozilla software engineer, now with Cisco. "We should start preparing for a shift toward marking non-secure sites as insecure (as opposed to marking secure sites as secure)."
"As a first step, let's add a negative indicator for all non-secure sites, gated by a pref that's off by default," Barnes wrote in a feature request he made last year.
Mozilla approved his request, and Firefox Nightly 59 now includes a hidden preference named "security.insecure_connection_icon.enabled" that, when enabled, shows the above strikethrough lock icon on all HTTP pages.
To enable this feature, users must navigate to the about:config settings section, search for the above preference, and double-click to enable it.
Since Barnes made his request last year, HTTPS adoption has grown even more. According to Let’s Encrypt data, 67% of web pages loaded by Firefox in November 2017 used HTTPS, compared to only 45% at the end of last year.
Currently, most security experts and UI designers believe it's detrimental to show a permanent warning whenever users are on HTTP pages, as this could lead to something called "error fatigue" that makes users blind to these warnings and prone to ignoring them.
But, as Barnes pointed out, if HTTPS adoption rises even more, showing a "Not Secure" warning on non-HTTPS sites could become acceptable, as these errors would appear more rarely than they would have a few years back.
In one or two years, we may see all browsers move to a scheme where they warn users if a site is loading via HTTP.
Currently, no browser is showing such errors. For example, Firefox and Chrome use warnings on HTTP sites only when users are trying to log into a page or pay via credit/debit card. Each browser does this differently. Firefox shows "in your face" warnings attached to the form fields themselves, while Chrome shows a "Not Secure" text indicator in the URL address bar. More recently, Google also decided to show a permanent "Not Secure" warning for all HTTP pages loaded via Chrome's Private Browsing mode.