A few days ago, Firefox made announcements stating that starting from Firefox 70, which is planned to release in October this year, the browser will make two new changes favoring users and keeping them secure. First, it will notify users if their saved logins were part of any data breach. Secondly, it will prompt users if the web page they have landed on is not secure.
Notifying users of saved logins that were a part of the data breach
Firefox has partnered with popular data breach site, Have I Been Pwned, to notify users if their saved logins were found in data breaches. To start with, Firefox will scan the saved login credentials to see if they were exposed in a data breach listed on Have I been Pwned. If one is found, the user will be alerted and prompted to change their password. To support this, Mozilla will be integrating their independent Firefox Monitor service and the new Firefox Lockwise password manager directly into the Firefox browser.
Mozilla will add an alert icon next to the account profile in Firefox Lockwise, detected as being part of a breach. Clicking on the saved login will open its subpanel that displays an alert that the “Passwords were leaked or stolen” as part of a data breach.
Compromised Password Notification in Firefox Lockwise
Users will also be provided a “protection report” highlighting data breaches instances their logins were involved in. The current Firefox 69 Nightly builds includes a mockup of the ‘Protection Report’, which will list the type and amount of tracking and unwanted scripts that were blocked over the past 7 days. This mockup report is a mockup and not actual data from your browser.
Mozilla to set up “not secure” indicators for all HTTP web pages
Mozilla also announced that it will show a “Not secure” indication for all the websites in Firefox, starting with the Firefox 70. As we know, Google already has this feature activated on its browser starting with Chrome 68, which was released last year.
Prior to this announcement, Mozilla used to indicate “not secure” only on HTTP pages that contained forms or login fields. “Mozilla argued that since more than 80% of all internet pages are now served via HTTPS, users don’t need a positive indicator for HTTPS anymore, but a negative one for HTTP connections”, according to ZDNet.
Firefox Developer Johann Hofmann said, “In desktop Firefox 70, we intend to show an icon in the ‘identity block’ (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure“.
Mozilla started working on these developments way back in December 2017, when it added flags in the Firefox about:config section. These “flags are still present in the current stable version of Firefox, and users can enable them right now and preview how these indicators will look starting this fall,” according to ZDNet.
Sean Wright, and infosec researcher told Forbes, “This is an excellent move by Mozilla and a step in the direction to have a secure by default web”. He also added, many do not realize the potential implications of using sites over HTTP.
“Even publicly accessible sites, even as simple as a blog, could potentially allow attackers to inject their malicious payloads into the site severed to the client. HTTPS can go a long way to prevent this, so any move to try to enforce it is a step in the right direction,” he further added.
Wright has also warned the users that if you see you are browsing via an HTTPS site, it does not mean it is fully authentic. These sites may also be phished as hackers can purchase the certificates that mark a website as “secure”. Hence, a user has to be cautious while sharing their credentials online. He warns: “You should still pay close attention to links in emails.”