
Intent to Ship: Show an indicator for insecure HTTP in the URL bar


Johann Hofmann

Jul 16, 2019, 2:52:44 PM
to dev-platform
(This was originally posted to both dev-platform and firefox-dev, but seems
to have gotten lost on dev-platform at least for some subscribers, so I'm
resending. Apologies if you've received this twice now.)


In desktop Firefox 70, we intend to show an icon in the “identity block”
(the left-hand side of the URL bar which is used to display security /
privacy information) that marks all sites served over HTTP (as well as FTP
and certificate errors) as insecure.


This change is part of our new simplified security UI[1] that will ship in
Firefox 70 and is a continuation of our previous
<https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/>
efforts
<https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/>
to increase HTTPS adoption and communicate the dangers of insecure HTTP.
Over two years ago we started showing
<https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/>
this indicator for insecure pages with login forms, and announced our
intent to expand showing it for all HTTP pages as HTTPS adoption increases.

Telemetry tells us that almost 80% of pages
<https://letsencrypt.org/stats/#percent-pageloads> in Firefox are now
loaded over HTTPS. Research has shown
<http://commerce.net/wp-content/uploads/2012/04/The%20Emperors_New_Security_Indicators.pdf>
that users don’t notice the lack of a positive indicator
<https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf>
when they are on insecure pages. Both Safari and Chrome have started showing
a "Not Secure" text for all HTTP pages
<https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/>
in their desktop browsers.

The bug where this change will be made is bug 1562881
<https://bugzilla.mozilla.org/show_bug.cgi?id=1562881>.

Please let me know if you have any questions or concerns,

Johann

[1] We will soon publish a blog post showing the upcoming changes to our
security UI in 70 and the concept behind it

Johann Hofmann

Jul 16, 2019, 3:13:06 PM
to Dirkjan Ochtman, dev-platform
I tried embedding it in my email but email is apparently complicated, so I
also attached it to the bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1562881#c8

Thanks for letting me know :)

On Tue, Jul 16, 2019 at 9:08 PM Dirkjan Ochtman <dir...@ochtman.nl> wrote:

> On Tue, Jul 16, 2019, 19:52 Johann Hofmann <jhof...@mozilla.com> wrote:
>
>> The bug where this change will be made is bug 1562881
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1562881>.
>
>
> Is there a screenshot showing how it will change? I looked at the bug but
> didn't see anything there.
>

Johann Hofmann

Jul 16, 2019, 4:38:04 PM
to Firefox Dev, dev-platform

Dirkjan Ochtman

Jul 16, 2019, 4:38:13 PM
to Johann Hofmann, dev-platform
On Tue, Jul 16, 2019, 19:52 Johann Hofmann <jhof...@mozilla.com> wrote:

> The bug where this change will be made is bug 1562881
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1562881>.


Dirkjan Ochtman

Jul 17, 2019, 2:31:54 AM
to Johann Hofmann, dev-platform
On Tue, Jul 16, 2019, 20:12 Johann Hofmann <jhof...@mozilla.com> wrote:

> I tried embedding it in my email but email is apparently complicated, so I
> also attached it to the bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1562881#c8
>
> Thanks for letting me know :)
>

Thanks!
