Firefox, Chrome start calling HTTP connections insecure
Firefox 51, released today, and Chrome 56, currently due for release next week, have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS.
How Firefox will alter the address bar for HTTP pages with password forms.
The non-secure labelling will occur on pages delivered over HTTP that include forms. Specifically, pages which include password fields and, in Chrome, credit card fields will put warnings in the address bar to explicitly indicate that the connection is not secure. One somewhat common older development practice was to place the password field on a page delivered by HTTP, with the form submitted to a location protected by HTTPS. This offers little security in practice, however. Pages delivered by HTTP can be readily modified by anyone positioned to intercept the connection, meaning that an attacker could simply rewrite the form so that the password data is submitted to a destination of their choosing instead of the intended HTTPS location.
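An added example, not code from the article or from either browser: a small Python audit that a site owner could run over their own pages to find password and credit card inputs delivered over HTTP, including the case described above where the form posts to HTTPS. The `cc-` autocomplete check is an assumed stand-in for the browsers' own field detection, and the sample markup and example.com URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormScanner(HTMLParser):
    """Records each sensitive input with the action of its enclosing form."""
    def __init__(self):
        super().__init__()
        self.in_form, self.action = False, None
        self.hits = []  # list of (field kind, form action or None)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.in_form, self.action = True, a.get("action", "")
        elif tag == "input":
            tokens = a.get("autocomplete", "").lower().split()
            if a.get("type", "").lower() == "password":
                kind = "password"
            elif any(t.startswith("cc-") for t in tokens):  # assumed heuristic
                kind = "credit-card"
            else:
                return
            self.hits.append((kind, self.action if self.in_form else None))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form, self.action = False, None

def audit(page_url, html):
    """Return one finding per sensitive field on a page not delivered over HTTPS."""
    if urlparse(page_url).scheme == "https":
        return []
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for kind, action in scanner.hits:
        target = urljoin(page_url, action or "")  # empty action posts to the page itself
        # An HTTPS action does not clear the finding: the HTTP page can be altered in transit.
        findings.append({"field": kind, "submits_to": target,
                         "https_action": urlparse(target).scheme == "https"})
    return findings

# Constructed sample: an HTTP login page posting to HTTPS, plus a payment form.
SAMPLE = """<form action="https://example.com/session" method="post">
  <input type="text" name="user"><input type="password" name="pw"></form>
<form action="/pay"><input name="card" autocomplete="billing cc-number"></form>"""

if __name__ == "__main__":
    for finding in audit("http://example.com/login", SAMPLE):
        print(finding)
```
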
The non-secure label should provide stronger encouragement to developers to reduce their use of HTTP and make the switch to HTTPS whenever sensitive data is being handled. Google's approach is arguably a little clearer than Firefox's; where Firefox will use a padlock icon with a red line striking it through to indicate that a connection isn't secure, Chrome will explicitly put "Not secure" in the address bar.