(credit: Moyan Brenn)
Firefox 51, released today, and Chrome 56, currently due for release next week, have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS.

Firefox, Chrome start calling HTTP connections insecureHow Firefox will alter the address bar for HTTP pages with password forms.

The non-secure labelling will occur on pages delivered over HTTP that include forms.
Specifically, pages that include password fields, and in Chrome, credit card fields, will put warnings in the address bar to explicitly indicate that the connection is not secure.
One somewhat common older development practice was to place the password field on a page delivered by HTTP, with the form submitted to a location protected by HTTPS.

This offers little security in practice, however. Pages delivered by HTTP can be readily modified by eavesdroppers, meaning that an attacker could simply choose to submit the password data to a destination of their choosing, instead of the intended HTTPS location.
Read 2 remaining paragraphs

Leave a Reply