Firefox Nightly starts marking login-forms in HTTP as insecure



Mattias Geniar, October 21, 2015


tl;dr: if your site has any kind of login section, you'll want to switch to HTTPS. You should have done so a long time ago (for security and privacy), but now Firefox is giving you even more of an incentive to do so.

This tweet brought it to my attention:

If you have a form on your website where one of the fields is of the type="password", the page will now be marked as insecure in your browser if it is served over a plain HTTP connection.
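The same rule can be checked on your own pages before Firefox does it for your users. The following is an added example, not code from the post or from Firefox: it parses a page's HTML for password fields and flags the case the post describes (a password field on a page served over plain HTTP). As an assumption that goes beyond the post, it also flags a password form on an HTTPS page whose action submits to a non-HTTPS URL, since the credentials would still travel in the clear. The sample pages and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PasswordFieldFinder(HTMLParser):
    """Records every <input type="password"> with the action of its enclosing <form>."""

    def __init__(self):
        super().__init__()
        self.password_fields = []   # one form action per password field ("" if none)
        self._form_action = None    # action of the currently open <form>, None outside

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_action = attrs.get("action", "")
        elif tag == "input" and attrs.get("type", "").lower() == "password":
            self.password_fields.append(self._form_action or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def insecure_login_findings(page_url, html):
    """Return the reasons a page would get the 'connection is not secure' login mark.

    Rule from the post: a page served over plain HTTP that contains a password field.
    Extension (assumption, not from the post): a password form on an HTTPS page whose
    action posts to a non-HTTPS URL is flagged as well.
    """
    finder = _PasswordFieldFinder()
    finder.feed(html)
    findings = []
    if urlparse(page_url).scheme.lower() != "https" and finder.password_fields:
        findings.append(f"password field on page served over plain HTTP: {page_url}")
        return findings
    for action in finder.password_fields:
        target = urljoin(page_url, action)   # relative actions inherit the page's scheme
        if urlparse(target).scheme.lower() != "https":
            findings.append(f"password form submits to non-HTTPS action: {target}")
    return findings


# Constructed sample pages (hostnames are placeholders, not real sites).
LOGIN_HTML = '<form action="/login" method="post"><input name="u"><input type="password" name="p"></form>'
MIXED_HTML = '<form action="http://auth.example.test/login"><input type="PASSWORD"></form>'
```

Feed it the URL you serve a page from plus the fetched HTML; an empty list means the page would not get the red indicator under these rules.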

Here’s what a normal, secure, page looks like with a type="password" input field.

[Screenshot: firefoxnightly_http_secure]

And here’s the new Firefox Nightly display of a similar page, but in plain HTTP (with a shameless plug to Senioren Digitaal, offering IT classes to elderly people).

[Screenshot: firefoxnightly_http_insecure]

This change, once it makes it to the mainline version of Firefox (current Firefox is at version 41, nightly is at version 44), will make users even more aware of the dangers of submitting passwords to a plain HTTP website.

Every HTTPS/TLS connection can already show you more information in the Security panel of the Firefox inspector. This new warning is shown on plain HTTP connections, where the inspector has no Security panel at all.

If you hover over the warning, you’ll see more information on why the red indicator is shown.

[Screenshot: firefoxnightly_connection_not_secure]

[Screenshot: firefoxnightly_connection_not_secure_2]

This move from Firefox comes after several discussions of marking HTTP connections as insecure by default. I believe it’s good UX to only show the insecure icon on pages where it actually makes a difference.

Yes, HTTPS everywhere would be a good idea. Privacy and protection against eavesdropping are among the most important motivators. Security is a very nice side-effect.

But since not every website has a login section where passwords can be stolen, marking all HTTP connections as insecure wouldn’t be a good idea. It would just train users to see a red indicator in the upper left corner and consider that the new normal.

We’ve now got several ways of marking a connection as insecure, besides the usuals (expired SSL, invalid hostname, …) in multiple browsers:

What are your thoughts on this?
