If there is a login section on your site, then you want to switch to HTTPs. If you haven’t done so yet, then you need to. Firefox is now giving you more of an incentive to do it.
If there is a form on your site with a field type=”password” on HTTP site, then it will be marked as insecure.
PSA: In Firefox 44 Nightly, “http:” pages with <input type=”password”> are now marked insecure. pic.twitter.com/qS9LxuRPdm
— Richard Barnes (@rlbarnes) October 20, 2015
This particular change will make all users more aware of the dangers of submitting their passwords on an HTTP site as soon as it makes it to the current version of Firefox.
Each HTTPs/TLS connection will be able to show you more information within the security panel on Firefox Nightly. This particular warning will be shown on HTTP sites where there isn’t a security panel within the inspector.
If you hover over this warning, you will be able to see more information on why the red indicator has been shown:
Firefox has done this after several discussions about making HTTP connections automatically insecure by default. It is good UX to show the insecure sites where it makes a difference.
Yes, having HTTPs everywhere would be a great idea. Eavesdropping and compromised privacy are the most important motivators, security just happens to be a nice side effect of this.
Since not every site has a login section where a password can be stolen, simply considering all HTTP connections insecure would not really be a good idea. It would just train the users to see that as the new normal thing.
There are now various ways to mark a connection as insecure besides just the usual way, such as expired SSLs, in multiple browsers.