Your web browser makes connections to servers (fancy word for other computers connected to the internet) so it can fetch all of the text and images that make up the websites you view. It transfers this data using something called Hypertext Transfer Protocol (HTTP). It is the primary way the internet handles data being transferred between computers.
This method of transferring data allows anyone (other computers on the same WiFi network, your ISP, and countless others) between your computer and the computer that stores the website you’re viewing to see and store all transferred data. For example, when you fill in a form with your username and password and click “login”, that information is visible to others. You never want to use a website that is handling sensitive information insecurely like this (e.g. your bank).
The introduction of HTTPS (the “S” stands for Secure) stopped this from being possible by encrypting (fancy word for making something virtually impossible to read) the data while it’s being transferred. Browsers communicate this form of security by displaying a padlock icon next to the website address that you are viewing. If there’s no icon or an icon with a cross through it then any data being transferred will be readable by others.
Thankfully the vast majority of websites now use the secure method instead. For those that don’t, you can ensure that Firefox attempts to “force” the site to use the secure method and, if that doesn’t work, display a very prominent message warning you of the danger if you proceed without it.
In Firefox, copy this text, paste it into the address bar, and hit the return key:
about:preferences#privacy. Scroll to the HTTPS-Only Mode section at the bottom of the page.
Select the first option, “Enable HTTPS-Only Mode in all windows”.
Now any website you visit that is using the old and insecure method of transferring data will not load unless you explicitly allow it to, by clicking the button at the bottom labelled, “Continue to HTTP Site”. It’s OK to load these sites, just don’t login to anything or fill in other forms unless you’re OK with other people having that information. If your bank website displays this warning, there’s a good chance you’re viewing a site pretending to be your bank. Double check the address!
If you frequently visit an insecure site, you can turn off “HTTPS-Only Mode” for that specific site. Just click the padlock icon next to the address bar and change the dropdown menu to “Off”. Now you won’t get the warning for that site, but still get it for all others.
HTTPS doesn’t make all of your web traffic unreadable to other computers. Others can still see the addresses you visit but they can’t see the content of those addresses (information on the pages and in the forms you send).
See how well you're doing and learn how to improve in other privacy & security areas The Privacy Checkup.