Affecting Non-HTTPS sites containing login form will be marked insecure (currently only on Nightly, Developer Edition and early Beta)

Published: | Categories: Privacy & Security


Firefox now shows a broken padlock icon on the Address Bar when the current page has <input type="password"> while the connection is not secure. Not only the page the password will be sent but also the page the login form presents must use the HTTPS protocol to protect user credentials from remote attackers.

Although this functionality is currently enabled only on Firefox Nightly and Developer Edition, webmasters may want to avoid such an embarrassing situation. No budget for a TLS certificate? Don’t worry. From November 2015, Let’s Encrypt, a new certificate authority run by Mozilla and others, gives you a trusted certificate for free.

Read Tanvi Vyas’ blog post for details.

Update: This feature has been enabled on the early Beta versions of Firefox 50 as well to collect more feedback from users.

Update 2: As of Firefox 51, the warning is enabled by default on all channels including the Release version.