Yeah, there's a team working on this stuff (and they/we have been in
touch with the Chrome people for a long time) and this is not a call we
should make on a mailing list. There's a valid concern around warning
fatigue (plastering so many sites with "Insecure" that users easily
dismiss it) and we made those prefs to be able to run user studies on it.

I believe the original question was whether there are any blockers to
shipping this in Firefox right now. Technically? No. We should still
give product the chance to take a good look at the potential impact and
how it works in our design concept and not make this a race to the moon.



Jonathan Kingston wrote:
> Hey,
> So we have two issues here:
> - We have less testing on security.insecure_connection_text.enabled
> - security.insecure_connection_icon.enabled is a lot heavier handed as MT
> notes and also we use this for insecure passwords too.
> We also have the pbmode variants if we wanted both enabled when in Private
> Browsing mode.
> We are discussing the impact of shipping the "Not Secure" text with product
> at the moment which is likely much safer to ship right now.
> Thanks
> Jonathan
> On Fri, Feb 9, 2018 at 2:02 PM, Tom Schuster <> wrote:
>> If you flip just security.insecure_connection_text.enabled and not
>> security.insecure_connection_icon.enabled you get Chrome's behavior.
>> Flipping both gives you the broken lock and the "Not Secure" text. I
>> don't see a big difference there and I hope we can ship this as soon
>> as possible.
>> On Fri, Feb 9, 2018 at 1:55 AM, Martin Thomson <> wrote:
>>> +ffxdev
>>> There's a tangible difference between text saying "Not Secure" and a
>>> broken lock icon.  I think that we're close, but we'd be making a
>>> stronger statement than Chrome if we did this.
>>> On Fri, Feb 9, 2018 at 8:17 AM, Chris Peterson <>
>> wrote:
>>>> Chrome will start marking HTTP pages as "Not secure" in July 2018
>> (Chrome
>>>> 68):
>> here-to-stay.html
>>>> Firefox has a similar insecure HTTP warning icon, currently disabled by
>> the
>>>> `security.insecure_connection_icon.enabled` pref added in bug 1310447.
>>>> Are there any blockers for Firefox shipping this feature?
>>>> _______________________________________________
>>>> dev-platform mailing list
>>> _______________________________________________
>>> firefox-dev mailing list
>> _______________________________________________
>> dev-platform mailing list
> _______________________________________________
> dev-platform mailing list
dev-platform mailing list

Reply via email to