New: Firefox warns of login forms on non-HTTPS pages

18 February 2016

Firefox has displayed security alerts in Browser Console since Firefox Version 26 when an URL with a password field was opened across an http link:

Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.

This is a clear sign that your service provider does not care of security. Since the continuous back and forth between browser application and the console is really annoying, this function was rarely used.

With the latest Version 44 Firefox displays a notification in the URL bar if you open a URL with a password field across an unsecured HTTP connection.

For configuration:

  • Open URL about:config in Firefox
  • Approve the warning that you will be careful when changing settings.
  • Set the value of the security.insecure_password.ui.enabled preference to true if you want to be warned about non-secure login pages

With this Firefox displays a pad lock with a red slash if Firefox opens a page with password field across an insecured connection:

FireFox warns of password field on insecure page

Firefox warns of password field on insecure page

Take care, and enjoy the new security feature.