Firefox 51 starts flagging HTTP login pages as insecure

Mozilla has released Firefox 51 on Tuesday, and this latest stable version of the popular browser comes with many security fixes and improvements.

The list of security vulnerabilities fixed is considerable – five critical, six high, ten moderate and three low impact issues have been nixed.

Among the critical ones is an excessive JIT code allocation vulnerability that could allow attackers to bypass ASLR and DEP security protections. The update also closed two vulnerabilities that could allow malicious extensions to install additional extensions without explicit user permission and mess with pages loaded by other web extensions, respectively.

Firefox 51 security improvements

Some of the new features, changes and improvements added to the browser will also help keep users secure.

For one, Firefox will no longer accept SHA-1 certificates issued by public CAs, and new certificates issued by the WoSign and StartCom Certificate Authorities. If you’re interested in why Mozilla’s CA team has lost confidence in the ability of these two companies to competently discharge the functions of a Certificate Authority, you can check out this explanation.

Secondly, Firefox will now explicitly highlight HTTP login pages as insecure by displaying a lock icon with red strike-through in the address bar:

And this is just the beginning.

“In upcoming releases, Firefox will show an in-context message when a user clicks into a username or password field on a page that doesn’t use HTTPS. That message will show the same grey lock icon with red strike-through, accompanied by a similar message,” security engineer Tanvi Vyas and product manager for Firefox Peter Dolanjski recently explained.

In time, the lock icon with red strike-through will be displayed for all pages that don’t use HTTPS, and not just HTTP login pages.

Firefox 51 is available for for Windows, Mac, Linux, and Android. Mozilla has also updated Firefox ESR to version 45.7.