{"id":2153,"date":"2017-01-20T11:05:51","date_gmt":"2017-01-20T19:05:51","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2153"},"modified":"2017-01-20T11:32:38","modified_gmt":"2017-01-20T19:32:38","slug":"communicating-the-dangers-of-non-secure-http","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/","title":{"rendered":"Communicating the Dangers of Non-Secure HTTP"},"content":{"rendered":"<p><span id=\"docs-internal-guid-4622d740-b8fe-306a-5b29-77281c800823\" style=\"font-size: 14.666666666666666px; font-family: Arial; color: #000000; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline;\"><img decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-2158 alignright\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/password-warning-252x115.png\" alt=\"Password Field with Warning Drop Down\" width=\"252\" height=\"115\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/password-warning-252x115.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/password-warning.png 420w\" sizes=\"(max-width: 252px) 100vw, 252px\" \/><\/span><\/p>\n<p>HTTPS, the secure variant of the HTTP protocol, has long been a staple of the modern Web. It creates secure connections by providing authentication and encryption between a browser and the associated web server. HTTPS helps keep you safe from eavesdropping and tampering when doing everything from online banking to communicating with your friends. This is important because over a regular HTTP connection, someone else on the network can read or modify the website before you see it, putting you at risk.<\/p>\n<p>To keep users safe online, we would like to see all developers use HTTPS for their websites. 
Using HTTPS is now <a href=\"https:\/\/letsencrypt.org\/\">easier than ever.<\/a> <a href=\"https:\/\/nakedsecurity.sophos.com\/2016\/10\/18\/halfway-there-firefox-users-now-visit-over-50-of-pages-via-https\/\">Amazing progress<\/a> in HTTPS adoption has been made, with a substantial portion of web traffic now secured by HTTPS:<\/p>\n<p><iframe loading=\"lazy\" src=\"https:\/\/internethealthreport.org\/v01\/charts\/encryption-website-encryption-growth-rates\/\" width=\"600\" height=\"483\" frameborder=\"0\"><\/iframe><\/p>\n<p><strong>Changes to Firefox security user experience<\/strong><br \/>\nUp until now, Firefox has used a green lock icon in the address bar to indicate when a website is using HTTPS and a neutral indicator (no lock icon) when a website is not using HTTPS. The green lock icon indicates that the site is using a secure connection.<\/p>\n<div id=\"attachment_2157\" style=\"width: 314px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-2157\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-2157\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-https-252x102.png\" alt=\"Address bar showing green lock at https:\/\/example.com\" width=\"304\" height=\"123\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-https-252x102.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-https.png 500w\" sizes=\"(max-width: 304px) 100vw, 304px\" \/><p id=\"caption-attachment-2157\" class=\"wp-caption-text\">Current secure (HTTPS) connection<\/p><\/div>\n<div id=\"attachment_2176\" style=\"width: 315px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-2176\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-2176\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-http4-252x100.png\" alt=\"Address bar at example.com over HTTP\" width=\"305\" height=\"121\" 
srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-http4-252x100.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-http4.png 498w\" sizes=\"(max-width: 305px) 100vw, 305px\" \/><p id=\"caption-attachment-2176\" class=\"wp-caption-text\">Current non-secure (HTTP) connection<\/p><\/div>\n<p>In order to clearly highlight risk to the user, starting this month in Firefox 51, <em>web pages which collect passwords but don\u2019t use HTTPS<\/em> will display a grey lock icon with a red strike-through in the address bar.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-2154\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-dot-com-control-center-252x175.png\" alt=\"Control Center message when visiting an HTTP page with a Password field\" width=\"321\" height=\"223\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-dot-com-control-center-252x175.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-dot-com-control-center-768x534.png 768w, https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-dot-com-control-center-600x417.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/example-dot-com-control-center.png 860w\" sizes=\"(max-width: 321px) 100vw, 321px\" \/><\/p>\n<p>Clicking on the \u201ci\u201d icon will show the text \u201cConnection is Not Secure\u201d and \u201cLogins entered on this page could be compromised\u201d.<\/p>\n<p>This has been the user experience in <a href=\"https:\/\/www.mozilla.org\/en-US\/firefox\/developer\/\">Firefox Dev Edition<\/a> since January 2016. 
Since then, the percentage of login forms detected by Firefox that are fully secured with HTTPS has <a href=\"https:\/\/ipv.sx\/telemetry\/general-v2.html?channels=release&amp;measure=PWMGR_LOGIN_PAGE_SAFETY&amp;target=0&amp;absolute=0&amp;relative=1\">increased from nearly 40% to nearly 70%<\/a>, and the number of HTTPS pages overall has also increased by 10%, as you can see in the graph above.<\/p>\n<p>In upcoming releases, Firefox will show an in-context message when a user clicks into a username or password field on a page that doesn\u2019t use HTTPS.\u00a0 That message will show the same grey lock icon with red strike-through, accompanied by a similar message, \u201cThis connection is not secure. Logins entered here could be compromised.\u201d:<\/p>\n<div id=\"attachment_2178\" style=\"width: 332px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-2178\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-2178\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/Login-with-warning2-252x191.png\" alt=\"Login form with Username and Password field; Password field shows warning\" width=\"322\" height=\"244\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/Login-with-warning2-252x191.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/Login-with-warning2.png 295w\" sizes=\"(max-width: 322px) 100vw, 322px\" \/><p id=\"caption-attachment-2178\" class=\"wp-caption-text\">In-context warning for a password field on a page that doesn&#8217;t use HTTPS<\/p><\/div>\n<p><strong>What to expect in the future<\/strong><br \/>\nTo continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don\u2019t use HTTPS, to make clear that they are not secure. 
As our plans evolve, we will continue to post updates, but our hope is that all developers are encouraged by these changes to take the necessary steps to protect users of the Web through HTTPS.<\/p>\n<p>For more technical details about this feature, please see our <a href=\"https:\/\/blog.mozilla.org\/tanvi\/2016\/01\/28\/no-more-passwords-over-http-please\/\">blog post<\/a> from last year. In order to test your website before some of these changes are in the release version of Firefox, please install the latest version of <a href=\"https:\/\/www.mozilla.org\/en-US\/firefox\/channel\/desktop\/#nightly\">Firefox Nightly<\/a>.<\/p>\n<p><strong>Thanks!<\/strong><br \/>\nThank you to the engineering, user experience, user research, quality assurance, and product teams that helped make this happen &#8211; Sean Lee, Tim Guan-tin Chien, Paolo Amadini, Johann Hofmann, Jonathan Kingston, Dale Harvey, Ryan Feeley, Philipp Sackl, Tyler Downer, Adrian Florinescu, and Richard Barnes. And a very special thank you to <a href=\"https:\/\/matthew.noorenberghe.com\/\">Matthew Noorenberghe<\/a>, without whom this would not have been possible.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>HTTPS, the secure variant of the HTTP protocol, has long been a staple of the modern Web. 
It creates secure connections by providing authentication and encryption between a browser and &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/\">Read more<\/a><\/p>\n","protected":false},"author":412,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[45517,282888],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Communicating the Dangers of Non-Secure HTTP - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tanvi Vyas, Peter Dolanjski\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/\",\"name\":\"Communicating the Dangers of Non-Secure HTTP - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/password-warning-252x115.png\",\"datePublished\":\"2017-01-20T19:05:51+00:00\",\"dateModified\":\"2017-01-20T19:32:38+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/94b89a1b3d28fe214eb7543734810143\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/password-warning.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/password-warning.png\",\"width\":420,\"height\":192,\"caption\":\"Password Field with Warning Drop 
Down\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2017\/01\/20\/communicating-the-dangers-of-non-secure-http\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Communicating the Dangers of Non-Secure HTTP\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/94b89a1b3d28fe214eb7543734810143\",\"name\":\"Tanvi Vyas\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/bd13e40bb691b46158cd2d4da792993d\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9f4d447f27c116342ba41a747802372d?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9f4d447f27c116342ba41a747802372d?s=96&d=identicon&r=g\",\"caption\":\"Tanvi Vyas\"},\"description\":\"Security\/Privacy Engineer and Tech Lead at Mozilla - @TanviHacks\",\"sameAs\":[\"https:\/\/blog.mozilla.org\/tanvi\/\",\"https:\/\/x.com\/@TanviHacks\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2153"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/412"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2153"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2153\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2153"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}