New versions of Mozilla’s Firefox web browser will alert users when they are browsing a site that is served over HTTP instead of the encrypted HTTPS protocol. The new alert would label HTTP sites as “Not Secure” and would display a lock with a red line going through it. HTTP sites are already labelled as “Not Secure” in Mozilla Firefox, but users must click on the icon of an “i” inside a circle in the address bar to see the label. This brings up a drop-down menu which states that “The connection is Not Secure”. A visual warning, however, is only displayed if there is a login and password field or a credit or debit card payment information field somewhere on an HTTP page.
Google Chrome similarly warns users when such confidential information is being asked for on a web page that isn’t using HTTPS. Since April of this year, users of Google Chrome’s Incognito Mode also receive a warning about HTTP pages not being secure. In current versions of Mozilla Firefox, such as version 57.0.1, a lock icon with a red line through it is displayed when an HTTP site has a login and password field or a payment information field.
The new version of Mozilla Firefox Nightly, version 59, includes a hidden configuration option which, when enabled, displays the icon of a lock with a red line through it. Richard Barnes, who currently works for Cisco and is a former software engineer at Mozilla, called for sites served over the unencrypted HTTP protocol to be marked as insecure in a feature request he made last year. “HTTPS deployment is starting to get some momentum, having recently crossed 50%. We should start preparing for a shift toward marking non-secure sites as insecure (as opposed to marking secure sites as secure). As a first step, let’s add a negative indicator for all non-secure sites, gated by a pref that’s off by default,” Barnes said in his feature request.
The new security indicator icon can be enabled in Firefox Nightly version 59 by navigating to about:config, searching for security.insecure_connection_icon.enabled, and then changing the value from “false” to “true” by double-clicking on the value “false”. The new feature is likely to be enabled by default in future versions of Firefox Nightly and eventually in the regular stable releases of Mozilla Firefox.
According to information from the web site Let’s Encrypt, the percentage of web sites using HTTPS as of November of this year has increased to 67%. The percentage of web sites using HTTPS was only 45% at the end of 2016. The information from Let’s Encrypt is collected from Firefox users who have Telemetry enabled, but the numbers give a good general view of how widely HTTPS has been enabled on web sites across the internet. Google has also been tracking the prevalence of HTTPS use since 2015, obtaining data from Google Chrome users who opt to share their usage statistics with Google. By 2015, half of all of the internet traffic of Chrome users on Linux, Mac, and Chrome OS was encrypted, according to statistics Google released in a transparency report.
Let’s Encrypt began in the year 2012 and has been operating as a certificate authority since last year. It offers free X.509 certificates for enabling HTTPS through Transport Layer Security (TLS) encryption. The Let’s Encrypt organization was formed with the help of the Mozilla Foundation, the Electronic Frontier Foundation, the Linux Foundation, Akamai, Cisco Systems, the certificate authority IdenTrust, and universities such as the University of Michigan and the Stanford Law School.
Some experts think that users will become desensitized to the warning if they constantly see it when viewing web pages served over unencrypted HTTP. Others believe these warnings will further speed up adoption of HTTPS. It is likely that within a year or two, all major browsers will warn users when they view sites that aren’t using HTTPS.