Firefox May Soon Start Publicly Shaming Sites With Crappy Security

In the constant battle to ensure your privacy online, there are some precautions you can take to protect yourself, such as avoiding clicking random links and using different passwords for every site. But other measures require some help from the websites you visit, and based on a hidden option found in the latest Firefox beta, Mozilla may start publicly shaming websites that are still clinging on to HTTP.

Any time you visit a site using HTTP (instead of HTTPS), data sent between your computer and the web server is unencrypted, whereas HTTPS uses SSL certificates to create an encrypted connection between the two points. Over HTTP, that means sensitive info like login credentials or credit card numbers can be captured by hackers looking to steal your data. To make matters worse, SSL certificates aren't very expensive, costing about $US50 ($65) or less per licence, which means there aren't a lot of reasons why big organisations such as the BBC, IMDB, Bing, The Daily Mail, and others don't use them.

To help spur greater adoption of HTTPS, Mozilla has included a hidden option in the latest edition of Firefox Nightly (version 59) that labels all sites still using HTTP as "Not Secure." This would be a clear notice to all people visiting insecure sites that their data is at risk. As Bleeping Computer points out, Firefox engineer Richard Barnes proposed the idea in a post on the Mozilla forums last year: "We should start preparing for a shift toward marking non-secure sites as insecure (as opposed to marking secure sites as secure)."

If you want to enable the option yourself, open Firefox Nightly's settings menu, search for "security.insecure_connection_icon.enabled", and then double-click the option to set the value to true.

Other browsers including Chrome already do this to a certain extent, by tagging websites that use HTTPS as "Secure," while marking websites that use HTTP with a subtle warning icon. However, only when browsing in Incognito mode does Chrome clearly tag sites using HTTP as "Not Secure."

And if the security concerns weren't enough for site owners, way back in 2014, Google announced that it would start using HTTPS as a signal in its search ranking algorithms, meaning sites still using HTTP would be harder to find, potentially hurting traffic and revenue for domains that have yet to switch over.

[Bleeping Computer]