The heart of tech

This article was published on October 21, 2015


Firefox is testing marking any page that sends passwords over HTTP as insecure

Firefox is testing marking any page that sends passwords over HTTP as insecure
Owen Williams
Story by

Owen Williams

Former TNW employee

Owen was a reporter for TNW based in Amsterdam, now a full-time freelance writer and consultant helping technology companies make their word Owen was a reporter for TNW based in Amsterdam, now a full-time freelance writer and consultant helping technology companies make their words friendlier. In his spare time he codes, writes newsletters and cycles around the city.

A huge, but simple change in the latest Firefox Nightly build is a great step forward for the Web.

The browser now marks sites that show password fields but aren’t sent over HTTPS as insecure. A warning, with crossed out lock will appear in the address bar and explain that your credentials may be compromised if sent.

Screen Shot 2015-10-21 at 11.16.02 AM
Firefox explaining why not to send your password over HTTP

When clicked on, Firefox now provides further information about why the site is considered insecure, saying that “information sent over the internet without encryption can be seen by other people.”

It’s a bold move, since that insecure label is traditionally reserved for invalid security certificates, but this is an even better way to let people know that the page isn’t trying to keep passwords safe at all.

The feature is only in testing as part of Firefox 44 Nightly right now, but we’re hopeful it’ll be rolled out to everyone in the future.

Spotted via Richard Barnes on Twitter.

Also tagged with