
Chrome and Firefox will warn users about sending sensitive data over insecure connections


HTTP ain’t worth it my friends


Sensitive data can include credit card information
Matt Cardy/Getty Images

Google and Mozilla are taking new steps to warn internet users about websites vulnerable to hacking. In the latest updates to the Chrome and Firefox web browsers (versions 56 and 51, respectively), users will be told if they’re submitting sensitive information over insecure HTTP connections — rather than the safer HTTPS protocol. These warnings have already been deployed in beta versions of the browsers, but their move to the primary version will reach a great number of users.

In Firefox 51, released this week, Mozilla has added a gray lock icon with a red strike through it on HTTP sites asking users for their passwords. Previously, the browser just showed no lock icon in these instances (and a green lock to indicate an HTTPS connection). Clicking on the lock tells users: “Logins entered on this page could be compromised.”

The HTTP warning in Firefox

In Chrome 56, rolling out over the coming days and weeks, the warning is more prominent and appears for HTTP sites asking not only for login information, but also credit card details. Like Mozilla, Google did not explicitly label HTTP connections as insecure in previous versions of its browser.

The HTTP warning in Chrome 56 compared with a previous version
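
As an added example (not from the article or from either browser's code), this Python script lets a site owner find pages that meet the condition described above: a password or credit card field on a page served over HTTP. It goes one step further and also flags HTTPS pages whose form posts to an HTTP URL; the `autocomplete` tokens used to recognise card fields and the names `audit_page` and `SAMPLE` are assumptions of this example, not the browsers' actual detection logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: autocomplete tokens this example treats as credit card fields.
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}

# Constructed sample page, not taken from any real site.
SAMPLE = '<form action="/login"><input type="password" name="pw"></form>'


class SensitiveFieldFinder(HTMLParser):
    """Collects password and card inputs with the action of their form."""

    def __init__(self):
        super().__init__()
        self.form_action = None  # action of the form currently open, if any
        self.fields = []         # (kind, field name, form action)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = a.get("action", "")
        elif tag == "input":
            tokens = set(a.get("autocomplete", "").lower().split())
            is_password = a.get("type", "").lower() == "password"
            kind = "password" if is_password else (
                "credit-card" if tokens & CARD_TOKENS else None)
            if kind:
                self.fields.append((kind, a.get("name", ""), self.form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit_page(page_url, html):
    """Return (kind, name, reason) for sensitive fields exposed to HTTP."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    page_insecure = urlsplit(page_url).scheme == "http"
    findings = []
    for kind, name, action in finder.fields:
        # An empty or missing action submits back to the page's own URL.
        target = urljoin(page_url, action or "")
        if page_insecure:
            findings.append((kind, name, "page served over HTTP"))
        elif urlsplit(target).scheme == "http":
            findings.append((kind, name, "form posts to HTTP"))
    return findings
```
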

As noted by Chrome security engineer Emily Schechter, the old approach simply isn’t noticed by most users. “Studies show that users do not perceive the lack of a ‘secure’ icon as a warning, but also that users become blind to warnings that occur too frequently,” wrote Schechter last September. “In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as ‘not secure’ in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”

-Via Ars Technica