When browsing the web, your computer can communicate with websites through two different protocols: HTTP and HTTPS. HTTPS is the safer version of HTTP, with the “S” standing for “secure.” Whether a website is configured to communicate with its users securely or not is up to the site administrator.
On certain websites, you may notice Mozilla Firefox or another modern browser indicating that “your connection is not secure.” This basically means that the website is using HTTP instead of HTTPS. Whether a site is using HTTP or HTTPS will always be indicated by the padlock symbol next to the URL of a site.
In this guide, we’ll go over this security warning, talk about the seriousness of it, and give some tips for how you can protect yourself when browsing the web with Firefox on a Linux system.
In this tutorial you will learn:
- Why are some sites still using HTTP?
- Why is it important for sites to use HTTPS?
- What can I do to protect myself when browsing a site with HTTP?
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Any Linux distro |
| Software | Mozilla Firefox |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions |
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
Why are some sites still using HTTP?
There was a time when the vast majority of sites used HTTP, and it would actually cost money for a website to opt for HTTPS from a reputable certificate authority. This is no longer the case, with HTTPS becoming free and extremely widespread over the last decade.
Like everything in the tech world, adoption of new standards is never instant or absolute. There are still quite a few websites using HTTP. And in the last few years, Firefox and other browsers have begun to issue big, noticeable warnings to their users when they arrive to an HTTP website.
As a website administrator, there’s not really any reason to not run HTTPS. For someone new to setting up websites, maybe it’s a small hurdle that they haven’t bothered dealing with yet. For bigger websites that are run by professionals, there’s definitely no excuse. But there are still tons of websites using Flash, Java, and other insecure mediums to deliver content to users, and HTTP is just another on the list.
Why is HTTPS important?
HTTPS encrypts your communications with a website. If you are entering your login information or credit card number into a website, that information will cross your network and can be picked up by anyone with the tools to listen. However, attackers will only see gibberish (encrypted packets) if the website you’re on is utilizing HTTPS. You should never enter sensitive information into a website running HTTP.
Okay, so what about static websites that are just displaying public information?
The threat with static sites is far less alarming, but even your connection to these sites is vulnerable. As long as your traffic remains interceptable (thanks to HTTP and a lack of HTTPS), attackers can use man in the middle attacks to insert their own content into a website.
For a practical example, there have been cases where internet service providers insert their own JavaScript on insecure pages in order to serve ads on websites they aren’t even associated with. Without HTTPS, your ISP and the owner of a Wi-Fi hotspot (in a hotel, for example) can use deep packet inspection to intercept and modify the contents of web requests.
That’s why HTTPS is so important, and why Firefox goes out of its way to warn you that you’re browsing a site with HTTP.
Protect yourself while browsing
Clearly, the best protection is to simply avoid sites that use HTTP, but this isn’t always feasible. When browsing HTTP sites at home, on your own secured Wi-Fi, there probably isn’t much risk – although this may depend on your country, as there’s been some scary stuff that government owned ISP’s have done in the past.
You could install the HTTPS Everywhere add-on for Firefox. It works by opting for HTTPS connections on sites that support both HTTP and HTTPS. For example, check out the screenshot below where we have two connections to the same website – one secure and one not.
Aside from this, you’re left with simply avoiding HTTP sites and using common sense if it’s necessary to visit one. Read our guide on protecting your privacy with Firefox for some additional tips.
Closing Thoughts
In this guide, we learned about the “your connection is not secure” message from Firefox, why it matters, and what can be done to protect your connection when browsing the web. As always, you should be careful when browsing the web and avoid questionable websites – including those that insist on HTTP. Try using the HTTPS Everywhere add-on to minimize your exposure to HTTP even further.
