The increased adoption of HTTPS among website operators will soon lead to browsers marking HTTP pages as "Not Secure" by default.
For example, the current Firefox Nightly Edition (version 59) includes a secret configuration option that when activated will show a visible visual indicator that the current page is not secure. In its current form, this visual indicator is a red line striking through a classic lock that's normally used to signal the presence of encrypted HTTPS pages.
"HTTPS deployment is starting to get some momentum," said Richard Barnes, a former Mozilla software engineer, now with Cisco. "We should start preparing for a shift toward marking non-secure sites as insecure (as opposed to marking secure sites as secure)."
"As a first step, let's add a negative indicator for all non-secure sites, gated by a pref that's off by default," Barnes wrote in a feature request he made last year.
Hidden setting available in Firefox Nightly 59
Mozilla approved his request, and Firefox Nightly 59 now includes a hidden preference named "security.insecure_connection_icon.enabled" that when enabled will show the above strikethrough lock icon on all HTTP pages.
To enable this feature, users must navigate to the about:config settings section, search for the above preference, and double-click to enable it.
Since Barnes made his request last year, HTTPS adoption has grown even more. According to Let’s Encrypt data, 67% of web pages loaded by Firefox in November 2017 used HTTPS, compared to only 45% at the end of last year.
Currently, most security experts and UI designers believe it's detrimental if a site would show a permanent warning when users are on HTTP pages, as this could lead to something called an "error fatigue" that could make users blind and ignorant to these warnings.
But, as Barnes pointed out, if HTTPS adoption rises even more, showing a "Not Secure" warning on non-HTTPS sites could become acceptable, as these errors will show more rarely than they would have a few years back.
In one or two years, we may see all browsers move to a scheme where they warn users if a site is loading via HTTP.
Currently, no browser is showing such errors. For example, Firefox and Chrome use warnings on HTTP sites only when users are trying to log into a page or pay via credit/debit card. The way each browser does this is different. Firefox shows "in your face" warnings attached to the form fields themselves, while Chrome shows a "Not Secure" text indicator in the URL address bar. More recently, Google also decided to show a permanent "Not Secure" warning for all HTTP pages loaded via the Chrome's Private Browsing mode.
Comments
rhasce - 6 years ago
Question, is this only useful for sites that require user information?
Occasional - 6 years ago
My guess is that it applies to all sites - as sites can garner information from users through hidden links or even mouse hovers.
Occasional - 6 years ago
Besides "error fatigue", there's the problem of overstating the security of sites marked as "secure".
Jey3110 - 6 years ago
I just enabled this feature and the warning shown is no different to what's there in current version of Firefox -- a red line striking through a classic lock.
PinoBatch - 6 years ago
How would this work with someone's home router or printer? Is everybody going to have to buy a domain in order to qualify for a certificate in order to remove the "Not Secure" warning?