The increased adoption of HTTPS among website operators will soon lead to browsers marking HTTP pages as “Not Secure” by default.
For example, the current Firefox Nightly Edition (version 59) includes a secret configuration option that when activated will show a visible visual indicator that the current page is not secure. In its current form, this visual indicator is a red line striking through a classic lock that’s normally used to signal the presence of encrypted HTTPS pages.
“HTTPS deployment is starting to get some momentum,” said Mozilla software engineer Richard Barnes. “We should start preparing for a shift toward marking non-secure sites as insecure (as opposed to marking secure sites as secure).”
“As a first step, let’s add a negative indicator for all non-secure sites, gated by a pref that’s off by default,” Barnes wrote in a feature request he made last year.
Hidden setting available in Firefox Nightly 59
Mozilla approved his request, and Firefox Nightly 59 now includes a hidden preference named “security.insecure_connection_icon.enabled” that when enabled will show the above strikethrough lock icon on all HTTP pages.
To enable this feature, users must navigate to the about:config settings section, search for the above preference, and double-click to enable it.
Since Barnes made his request last year, HTTPS adoption has grown even more. According to Let’s Encrypt data, 67% of web pages loaded by Firefox in November 2017 used HTTPS, compared to only 45% at the end of last year.
Currently, most security experts and UI designers believe it’s detrimental if a site would show a permanent…