The HTTPS protocol is designed to protect user data from eavesdropping (confidentiality) and from modification (integrity) on the network. Websites that handle user data should use HTTPS to protect their users from attackers. If a website uses HTTP instead of HTTPS, it is trivial to steal user information (such as their login credentials). This was famously demonstrated by Firesheep.

Serving login forms over HTTP is especially dangerous because of the wide variety of attacks that can be used against them to extract a user’s password. Network eavesdroppers could steal a user's password by sniffing the network, or by modifying the served page in transit. 

Firefox Nightly and Developer Edition Security Indicator


To inform you of the threat described above, Firefox Developer Edition will display a lock icon with a red strike-through in the address bar when a login page does not have a secure connection, as seen below.

http://people.mozilla.org/~tvyas/insecure_password_images/insecure-password-security-ui.jpg

Note that this warning in the URL bar is only in Firefox Nightly and Firefox Developer Edition. It has not been released to Firefox Beta or Firefox Release. Warnings about insecure login forms can also be found in the security pane of the Web Console in all Firefox releases, as described below. For more information and a list of frequently asked questions, reference this blog post.

Password Reuse


Sometimes websites require username and passwords, but don't actually store data that is very sensitive. For example, a news site may save which news articles a user wants to go back to and read, but not save any other data about a user. Web developers of the news site may be less motivated to secure their site and their user credentials. Unfortunately, password reuse is a big problem. Users use the same password across multiple sites (news websites, social networks, email providers, banks). Hence, even if access to the username and password to your site doesn't seem like a huge risk to you, it is a great risk to users who have used the same username and password to log in to their bank accounts. Attackers are getting smarter; they steal username/password pairs from one site, and then try reusing them on more lucrative sites.

Web Console Messages


Serving the login form over HTTP:

Even if the form action is an HTTPS URL, the user's login form is not protected, because an attacker can modify the page received by the user (for example, attackers can change the form destination to post the sensitive data to a server that they control, or they can insert a keylogging script that captures the user's password as they type it). The security tab of the Web Console will warn developers and users about the security issue:

Login fields on an insecure page

Using an HTTP URL in the form action:

In this case, any data the user enters is sent through the network in cleartext. The user's password is clearly visible to anyone sniffing the network from the time the password leaves the user's computer to the time it reaches your website's servers.

Login fields on a form with an http:// action
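The two cases above reduce to one rule: the page carrying the password field must be served over https://, and the URL the form actually posts to (after resolving a relative or empty action against the page URL) must also be https://. The following is an added example, not code from MDN or from Firefox's own implementation, that applies that rule to constructed page/action pairs and maps each verdict to the Web Console message quoted above; the function and constant names are assumptions for illustration.

```javascript
// Added example (not from the MDN page or Firefox): classify a login form
// from its page URL and form action the way the Web Console security pane
// does. Runs under Node.js; all sample inputs below are constructed.

const INSECURE_PAGE = "insecure-page";     // password field on an http:// page
const INSECURE_ACTION = "insecure-action"; // https:// page posting to http://
const SECURE = "secure";

// The Web Console messages this page quotes, keyed by verdict.
const CONSOLE_MESSAGE = {
  [INSECURE_PAGE]: "Login fields on an insecure page",
  [INSECURE_ACTION]: "Login fields on a form with an http:// action",
  [SECURE]: null,
};

// Resolve the action the way a browser would: a relative action inherits the
// page's origin, and a missing or empty action posts back to the page itself.
function resolveAction(pageUrl, action) {
  const page = new URL(pageUrl);
  if (action === undefined || action === null || action.trim() === "") {
    return page;
  }
  return new URL(action, page);
}

function classifyLoginForm(pageUrl, action) {
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, action);
  if (page.protocol !== "https:") {
    // An https:// action does not rescue this case: the page that carries
    // the form was delivered in the clear and may already have been rewritten.
    return INSECURE_PAGE;
  }
  if (target.protocol !== "https:") {
    // The page is intact, but the credentials leave the browser in cleartext.
    return INSECURE_ACTION;
  }
  return SECURE;
}

function consoleMessage(pageUrl, action) {
  return CONSOLE_MESSAGE[classifyLoginForm(pageUrl, action)];
}

// Constructed sample forms, each assumed to contain a password field.
const SAMPLE_FORMS = [
  { page: "http://news.example/login",  action: "https://news.example/session" },
  { page: "https://news.example/login", action: "http://news.example/session" },
  { page: "https://news.example/login", action: "/session" },
  { page: "https://news.example/login", action: "" },
];

function auditForms(forms) {
  return forms.map((f) => ({
    ...f,
    verdict: classifyLoginForm(f.page, f.action),
    message: consoleMessage(f.page, f.action),
  }));
}

for (const r of auditForms(SAMPLE_FORMS)) {
  console.log(`${r.verdict.padEnd(16)} page=${r.page} action=${JSON.stringify(r.action)}`);
}
```

In a real page the same check would be run over `document.forms`, using `location.href` as the page URL and each form's `action` attribute, for every form that contains an `<input type="password">`; the verdicts here match what the Web Console reports for those two configurations.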
