Firefox bares teeth, attacks sites that collect personal data

If it wants a password and doesn't use HTTPS, Mozilla will breathe fire


Shoddy sites will have fewer places to hide with Firefox joining Chrome in badging cleartext sites that collect personal information as insecure.

Mozilla's labels won't be as prominent as Google's, introduced this year, which place a red-letter label in the address bar. Firefox will instead tuck its warning in the same spot behind a crossed-out lock that reads "not secure" when clicked.

Firefox product veep Nick Nguyen says the move follows the company's many musings on the benefits of HTTPS.

"Starting today in the latest Firefox, web pages that collect passwords, like an email service or bank, but have not been secured with HTTPS will be more clearly highlighted as potential threats," Nguyen says.

"Up until now, Firefox has used a green lock icon in the URL bar to indicate when a website is secure (using HTTPS) and a neutral indicator (no lock icon), otherwise.

"In order to more clearly highlight possible security risks, these pages will now be denoted by a grey lock icon with a red strike-through in the URL bar."

In future releases the insecurity stickers will expand to include a floating box, triggered when users click password entry fields on cleartext sites, that reads "logins entered here could be compromised".

A further development will expand the struck-out lock icon and slap it on all cleartext sites regardless of whether they collect passwords or credit cards.

"To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear that they are not secure," Firefox staffers Tanvi Vyas and Peter Dolanjski wrote.

"As our plans evolve, we will continue to post updates but our hope is that all developers are encouraged by these changes to take the necessary steps to protect users of the Web through HTTPS."
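For site owners who want to find the pages that would earn the struck-through lock, here is an added example (not from the article, and not Firefox's implementation) that audits HTML for password fields served over cleartext. It compares URL schemes only; the `cleartext-submit` check for HTTPS pages whose form posts to an HTTP URL goes beyond what the article describes, and all URLs and markup are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormAudit(HTMLParser):
    """Record password inputs that are served or submitted without HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None  # resolved action of the enclosing <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self.form_action or self.page_url
            if urlsplit(self.page_url).scheme != "https":
                # The case the article describes: password field on a cleartext page.
                self.findings.append(("page-not-https", a.get("name"), self.page_url))
            elif urlsplit(target).scheme != "https":
                # Added check (assumption): secure page, cleartext submission.
                self.findings.append(("cleartext-submit", a.get("name"), target))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit(page_url, html):
    """Return a list of (issue, field_name, url) tuples for one page."""
    parser = PasswordFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


SAMPLES = {  # constructed pages, not real sites
    "http://mail.example/login": '<form action="/session"><input name="user">'
                                 '<input type="password" name="pw"></form>',
    "https://bank.example/login": '<form action="http://legacy.bank.example/auth">'
                                  '<input type="PASSWORD" name="pin"/></form>',
    "https://ok.example/login": '<form action="/auth"><input type="password" name="pw"></form>',
    "http://blog.example/": '<form action="/search"><input type="text" name="q"></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        print(url, audit(url, html) or "no password-field findings")
```

The cleartext blog page with no password field produces no finding here, matching the first stage of the rollout; the later stage the article describes would flag it on scheme alone.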


Browser barons are increasingly exercising their power to highlight weak security on web sites. The push to end cleartext on sensitive sites was greased by the widely supported Let's Encrypt initiative, which offered sites free SSL certificates and the means to easily deploy them.

In October, Google announced it would be forcing sites to enforce proper certificate security within a year.

The Alphabet subsidiary said it would flag sites with unauthorised certificates and label those that do not subscribe to the initiative as untrusted in a move that will help combat phishing.

Firefox's latest update also brought in audio playback for lossless FLAC fanatics, more efficient video performance, a zoom button, and security fixes for ASLR and DEP bypasses. ®
