In desktop Firefox 70, we intend to show an icon in the “identity block”
(the left-hand side of the URL bar which is used to display security /
privacy information) that marks all sites served over HTTP (as well as FTP
and certificate errors) as insecure.


This change is part of our new simplified security UI[1] that will ship in
Firefox 70 and is a continuation of our previous
<https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/>
efforts
<https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/>
to increase HTTPS adoption and communicate the dangers of insecure HTTP.
Over two years ago we started showing
<https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/>
this indicator for insecure pages with login forms, and announced our
intent to expand showing it for all HTTP pages as HTTPS adoption increases.

Telemetry tells us that almost 80% of pages
<https://letsencrypt.org/stats/#percent-pageloads> in Firefox are now
loaded over HTTPS. Research has shown
<http://commerce.net/wp-content/uploads/2012/04/The%20Emperors_New_Security_Indicators.pdf>
that users don’t notice the lack of a positive indicator
<https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf>
when they are on insecure pages. Both Safari and Chrome have started showing
a "Not Secure" text for all HTTP pages
<https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/>
in their desktop browsers.

The bug where this change will be made is bug 1562881
<https://bugzilla.mozilla.org/show_bug.cgi?id=1562881>.

Please let me know if you have any questions or concerns,

Johann

[1] We will soon publish a blog post showing the upcoming changes to our
security UI in 70 and the concept behind it.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
