Does Firefox Have Permission to Indicate Your Site is Not Secure?
I found a very funny bug posted to the Firefox team.
A technical lead for a website complained that Firefox was displaying a warning telling visitors that the site was insecure because it had a password field on the page.
The complainer said that Firefox did not have permission to display a warning saying their site was insecure. Of course, Firefox, Chrome and other browsers display these warnings when your site does not use HTTPS and has a password field on the page.
The complainer went on to say that they have a very robust security system that has worked for years and has never had a problem.
I love the response the Mozilla technician gave:
When your site requests a user's password over HTTP, the transmission of these passwords is done in the clear. As such, anybody listening on the network would be able to record those passwords. This puts not just users at risk when using your site, but also puts them at risk on any other website that they might share a password with yours. These warnings are standard behavior in Firefox 51 and Chrome 56. To prevent this error from occurring, please install a digital certificate (HTTPS) on your website. There are many free and low-cost providers available.
In short, the Mozilla support engineer explains why the site is insecure. If the complainer understood web security, they would know about clear-text transmission.
Just to review: when you don't use HTTPS, everything the browser and your server exchange, passwords included, travels across the network in plain, clear text. Anyone who can listen on that path, whether it is Wi-Fi or a fixed wire, can read and record it.
Firefox, Chrome and other browsers have been warning developers and DevOps teams for quite some time about their plans to get more aggressive in displaying these security warnings. In fact, Mozilla posted an announcement as it rolled out this feature in January, which goes into the details of why they are doing this.
The complainer needs a quick primer on how HTTPS works. If you are not aware, it runs HTTP over TLS, which encrypts everything sent between the browser and your server. The server proves its identity with a certificate, and every record carries an integrity check on both ends, so a man in the middle cannot read the traffic or tamper with it without being detected. Because HTTPS provides a secure transport layer, browsers unlock many modern APIs, like service workers, only on HTTPS pages, so you can make your web experience awesome.
Implementing HTTPS is not that hard these days. Certificates cost nothing or very little, depending on the type of certificate you need. Most websites only need a domain-validated certificate, which is typically free or possibly $10-$15 a year. Certificates are also not as hard to install as they once were, eliminating another barrier or two to adopting HTTPS.
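To make both halves of that argument concrete, here is an added example (my own code, not part of the original bug report or anything from Mozilla). It parses a constructed capture of a login form submitted over plain HTTP and pulls the password out the way any listener on the path could, then seals the same bytes into an encrypted record with an integrity tag and shows that a modified or replayed record is rejected. The record format is a deliberately simplified stand-in for a TLS record built from the standard library's HMAC; it is not real TLS, which uses an AEAD such as AES-GCM. The capture, the password field names, the keys and the credentials are all constructed for the example.

```python
"""Added example (not from the original post): what a passive listener gets
from a login form posted over plain HTTP, and how an encrypted record with an
integrity tag (a simplified stand-in for a TLS record, NOT real TLS) hides the
password and exposes tampering. Capture, keys and credentials are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed capture (not real traffic): a typical login form submission.
CAPTURED_HTTP_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"username=alice&password=Hunter2%21&go=1"
)
PASSWORD_FIELD_NAMES = {"password", "passwd", "pwd", "pass"}   # what a sniffer hunts for


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body);
    header names are lower-cased and the body is cut to Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return method, path, headers, body


def sniff_credentials(raw: bytes) -> dict:
    """Part 1: the password-like fields a passive listener recovers, already
    URL-decoded, from one cleartext form submission."""
    _method, _path, headers, body = parse_http_request(raw)
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    return {k: v[0] for k, v in form.items() if k.lower() in PASSWORD_FIELD_NAMES}


# Part 2: stand-in for a TLS record. A keystream derived from the session key
# and the record sequence number hides the bytes; an HMAC over the ciphertext
# (with the sequence number bound in) lets the receiver reject anything a man
# in the middle altered or replayed. Real TLS uses an AEAD such as AES-GCM.
def _keystream(key: bytes, seq: int, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal_record(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, seq, len(plaintext))))
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_record(enc_key: bytes, mac_key: bytes, seq: int, record: bytes) -> bytes:
    ciphertext, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):        # constant-time tag check first
        raise ValueError("record failed integrity check: tampered, replayed or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, seq, len(ciphertext))))


def demo() -> dict:
    """Run both halves and report what each observer learns."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    record = seal_record(enc_key, mac_key, 1, CAPTURED_HTTP_POST)
    tampered = bytearray(record)
    tampered[30] ^= 0x01                              # MITM flips one ciphertext bit
    results = {
        "http_leak": sniff_credentials(CAPTURED_HTTP_POST),          # {'password': 'Hunter2!'}
        "encrypted_leak": b"password=" in record,                     # False
        "roundtrip_ok": open_record(enc_key, mac_key, 1, record) == CAPTURED_HTTP_POST,
    }
    for label, seq, data in (("tamper_detected", 1, bytes(tampered)),
                             ("replay_detected", 2, record)):        # record reused at seq 2
        try:
            open_record(enc_key, mac_key, seq, data)
            results[label] = False
        except ValueError:
            results[label] = True
    return results
```

Calling demo() returns the password recovered from the HTTP capture, confirms the sealed record carries no readable field names, and reports that both the one-bit modification and the replay at a different sequence number are refused before any decryption happens. The first half is also the same logic a passive network sensor uses to flag cleartext credential submissions; the second half is why the identical capture of an HTTPS session yields nothing usable.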
I did find it funny that when I went to view the site mentioned in the complaint, it wasn't there. As you can see, it has a rich search engine listing, indicating it was a real site. However, when I visited the site, either the domain had expired, Network Solutions had reclaimed it, or possibly a hacker had taken it over. The latter would be the most ironic.
It’s hard to say why the site is no longer online. However, it has not been that long since the bug was filed, which makes this even stranger.
Quick fact: right now about 2.5% of all websites implement HTTPS. The chart in the Mozilla blog post indicates that roughly 50% of page visits use HTTPS. If you look at the graph, it shows the number of page visits made using Firefox.
I think this makes the case for implementing HTTPS even stronger. Customers tend not to visit sites that don't implement HTTPS. Since the majority of sites are not HTTPS and Firefox's graph counts page visits rather than sites, most of those sites barely register in it. The number of unique websites, for which I have seen recent estimates of 1.1 billion, and the number of pages commonly visited are two distinct, different statistics.
It is in your best interest to implement HTTPS today. I challenge you to join me in trying to flip that number to 97.5% of websites supporting HTTPS by the end of the year. I know that's a big goal, but I think we can spread the word and encourage everyone to add HTTPS support to their site.
Watch me talk about this topic on our YouTube channel: