Browsers Continue To Add Warnings About Insecure Content.
Firefox 52 is out now, and with a new release comes a new warning about HTTP.
There is a pattern here: browsers are incrementally adding warnings for HTTP, raising their expectations each month as the web moves further towards a fully-encrypted future.
This time the warnings are targeting login forms on insecure HTTP pages.
On any HTTP page, a new insecure password warning will appear directly below login fields when they become active (when a user clicks on or tabs to them). Because it is shown at the point of entry, users see the danger of submitting data over HTTP before they type anything.
The warning reads, “This connection is not secure. Logins entered here could be compromised.” The Learn More link goes to this Firefox support page.
The entire page will also receive the broken padlock icon which displays the same warnings when clicked.
If you want to see the warnings in your own browser, visit http-login.badssl.com.
Google Chrome 57, which is due out next week, adds similar in-form warnings. In addition to password fields, Chrome also detects insecure credit card forms.
For now, auto-fill will continue to work on HTTP forms, but developers should expect this to change in the near future as browsers continue to restrict functionality on HTTP web pages in order to preserve user privacy.
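To find the forms on your own site that would trigger these warnings, you can scan page markup for password and payment-card fields and check the scheme they are served and submitted over. The following is an added example, not code from Firefox or Chrome; the `audit` function, the sample markup and the `example` hostnames are constructed, and the check on the form's `action` target goes one step beyond the page-level condition described above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# autocomplete tokens from the HTML standard that mark payment-card fields
CARD_TOKENS = {"cc-name", "cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}


class _FormScanner(HTMLParser):
    """Collects each sensitive input with the action of its enclosing form."""

    def __init__(self):
        super().__init__()
        self.action = None   # action of the form currently open, if any
        self.hits = []       # list of (kind, form action or None)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.action = a.get("action", "")
        elif tag == "input":
            tokens = set(a.get("autocomplete", "").lower().split())
            if a.get("type", "").lower() == "password":
                self.hits.append(("password", self.action))
            elif tokens & CARD_TOKENS:
                self.hits.append(("credit-card", self.action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None


def audit(page_url, html):
    """Return (kind, reason) for every sensitive field exposed to plain HTTP."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for kind, action in scanner.hits:
        # A missing or empty action submits back to the page URL itself.
        target = urljoin(page_url, action or "")
        if urlsplit(page_url).scheme == "http":
            findings.append((kind, "page served over HTTP"))
        elif urlsplit(target).scheme == "http":
            findings.append((kind, "form submits to HTTP: " + target))
    return findings


# Constructed sample markup (not taken from any real site).
LOGIN = '<form action="/login"><input name="u"><input type="password" name="p"></form>'
MIXED = '<form action="http://pay.example/charge"><input autocomplete="cc-number"></form>'
```

Feed it the final URL and HTML of each page you crawl; an empty result for a page means no password or card field on it is served or submitted over HTTP.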
Firefox developers noted that since enabling this feature by default in the Developer release, the number of HTTPS-secured login forms increased from 40% to just about 75%.
Remember that ALL websites need to be HTTPS. Why? Because believe it or not, most sites expose some sort of personal information – be it search queries, passwords, etc. HTTPS also provides integrity guarantees, stops content injection, and allows you to use HTTP/2 which is lightning fast. If you want to know more, start here.