(This was originally posted to both dev-platform and firefox-dev, but seems
to have gotten lost on dev-platform at least for some subscribers, so I'm
resending. Apologies if you've received this twice now.)


In desktop Firefox 70, we intend to show an icon in the “identity block”
(the left hand side of the URL bar which is used to display security /
privacy information) that marks all sites served over HTTP (as well as FTP
and certificate errors) as insecure.


This change is part of our new simplified security UI[1] that will ship in
Firefox 70 and is a continuation of our previous
<https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/>
efforts
<https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/>
to increase HTTPS adoption and communicate the dangers of insecure HTTP.
Over two years ago we started showing
<https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/>
this indicator for insecure pages with login forms, and announced our
intent to expand showing it for all HTTP pages as HTTPS adoption increases.

Telemetry tells us that almost 80% of pages
<https://letsencrypt.org/stats/#percent-pageloads> in Firefox are now
loaded over HTTPS. Research has shown
<http://commerce.net/wp-content/uploads/2012/04/The%20Emperors_New_Security_Indicators.pdf>
that users don’t notice the lack of a positive indicator
<https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf>
when they are on insecure pages. Both Safari and Chrome have started showing
a "Not Secure" text for all HTTP pages
<https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/>
in their desktop browsers.

The bug where this change will be made is bug 1562881
<https://bugzilla.mozilla.org/show_bug.cgi?id=1562881>.

Please let me know if you have any questions or concerns,

Johann

[1] We will soon publish a blog post showing the upcoming changes to our
security UI in 70 and the concept behind it
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
