Firefox follows in Chrome's footsteps and will mark all HTTP pages as 'not secure'

Mozilla will mark all HTTP pages as "not secure" starting with Firefox 70, to be released in October.

Firefox HTTP not secure indicator

Image: ZDNet

Starting with Firefox 70, set to be released in October this year, Mozilla plans to show a permanent "not secure" indicator for all HTTP websites in Firefox.

The decision was formally announced today by Mozilla engineers.

Mozilla now follows in Google's steps, who has been showing "not secure" labels on all HTTP websites since Chrome 68, released last year.

Until now, Mozilla was only showing "not secure" indicators on HTTP pages that contained forms or login fields.

80% of all internet pages are served via HTTPS

But today, Mozilla argued that since more than 80% of all internet pages are now served via HTTPS, users don't need a positive indicator for HTTPS anymore, but a negative one for HTTP connections.

"In desktop Firefox 70, we intend to show an icon in the 'identity block' (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure," said Firefox Developer Johann Hofmann.

This change didn't come out of the blue, though. Mozilla began working on it since December 2017, when it added flags in the Firefox about:config section.

Those flags are still present in the current stable version of Firefox, and users can enable them right now and preview how these indicators will look starting this fall.

The flags are:

security.insecure_connection_icon.enabled - show a broken lock on HTTP sites
security.insecure_connection_text.enabled - show the "not secure" text on HTTP sites
security.insecure_connection_icon.pbmode.enabled - show a broken lock on HTTP sites in Private Browsing
security.insecure_connection_text.pbmode.enabled - show the "not secure" text on HTTP sites in Private Browsing

Firefox HTTP not secure flags

Image: ZDNet

The end result is very similar to how Chrome currently marks all HTTP pages (see image below).

Chrome HTTP not secure indicator

Image: ZDNet

More browser coverage: