SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
27 Jan 2017

Firefox, Chrome start calling HTTP connections insecure

Firefox 51, released today, and Chrome 56, currently due for release next week, have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS.

As luck would have it, Chrome 56 was released while I was writing, and is out now. Rollouts are staggered, so systems should see the update over the next few days. The non-secure labelling will occur on pages delivered over HTTP that include forms.

Specifically, pages that include password fields, and in Chrome, credit card fields, will put warnings in the address bar to explicitly indicate that the connection is not secure. One somewhat common older development practice was to place the password field on a page delivered by HTTP, with the form submitted to a location protected by HTTPS. This offers little security in practice, however.

Pages delivered by HTTP can be readily modified by eavesdroppers, meaning that an attacker could simply choose to submit the password data to a destination of their choosing, instead of the intended HTTPS location.

The non-secure label should encourage to developers to reduce their use of HTTP and make the switch to HTTPS whenever sensitive data is being handled. Google's approach is arguably a little clearer than Firefox's; where Firefox will use a padlock icon with a red line striking it through to indicate that a connection isn't secure, Chrome will explicitly put "Not secure" in the address bar.

Further work is planned in both browsers to highlight the use of HTTP. A future version of Firefox will include a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP, and Mozilla plans to use the struck through padlock icon for every HTTP page. Similarly, Google intends to eventually include the "Not secure" message in the address bar for all pages delivered over HTTP, whether they contain passwords or not.

Tags:
HTTP data protection
Source:
Ars Technica
1723
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015