Chrome and Firefox Will Warn Users About Sending Sensitive Data Over Insecure Connections
Google and Mozilla are taking new steps to warn internet users about websites vulnerable to hacking. In the latest updates to the Chrome and Firefox web browsers (versions 56 and 51 respectively), users will be told if they’re submitting sensitive information over insecure HTTP connections rather than the safer HTTPS protocol. These warnings have already been deployed in beta versions of the browsers, but the move to the primary versions will reach a far greater number of users.
In Firefox 51, released this week, Mozilla has added a grey lock icon with a red strike through it on HTTP sites asking users for their passwords. Previously, the browser just showed no lock icon in these instances (and a green lock to indicate an HTTPS connection). Clicking on the lock tells users: “Logins entered on this page could be compromised.”
In Chrome 56, rolling out over the coming days and weeks, the warning is more prominent and appears for HTTP sites asking not only for login information, but also credit card details. Like Mozilla, Google did not explicitly label HTTP connections as insecure in previous versions of its browser.
As noted by Chrome security engineer Emily Schechter, the old approach simply isn’t noticed by most users. “Studies show that users do not perceive the lack of a ‘secure’ icon as a warning, but also that users become blind to warnings that occur too frequently,” wrote Schechter last September. “In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as ‘not secure’ in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”