Mozilla removing favicons in Firefox due to security risk

By on April 24, 2012, 5:00 PM

Mozilla has deemed favicons a security risk and will be doing away with the tiny graphics in Firefox. The organization has already made the change in the most recent nightly build, with plans to bring it to the release channel in mid-July.

Introduced in 1999 by Microsoft, the favicon, short for Favorite Icon, is typically a 16 x 16 pixel graphic that is associated with a particular website. A site owner can load a custom favicon that represents his or her website as a visual reminder to the user alongside the address bar or on tabs next to the page title.

The problem, Mozilla says, is that some malicious site owners are using images of a padlock as their favicon, which gives the impression of a secure connection. This could potentially trick less Internet-savvy users into thinking the site is safe to transmit personal data over when, in fact, it isn’t.

Mozilla has decided to ditch custom favicons in favor of a new system. In place of the custom favicon, users will see a generic globe icon when visiting an unsecured website, a grey padlock for a site with an SSL certificate without Extended Validation, and a green padlock for a site with an SSL certificate with Extended Validation.

There are no plans to remove favicons from tabs, bookmarks or Awesomebar suggestions, only the ones found in the address bar. The move is also said to reduce some of the visual weight, although I’m not sure how replacing custom favicons with their own icons will accomplish this.




User Comments: 18

Xero07 said:

Should have mentioned it only applied to the address bar sooner. Samfind utilizes these pretty well in its bookmarks toolbar and I would hate to see them completely go.

Guest said:

Typical Mozilla, removing features instead of fixing the actual problem. The actual problem of course being their shoddy user interface.

LazyNinja said:

Should have mentioned it only applied to the address bar sooner...

Agreed, I almost had a heart attack. I don't care about the address bar favicons but don't touch my tab/bookmark favicons!

gwailo247, TechSpot Chancellor, said:

"The problem, Mozilla says, is that some malicious site owners are using images of a padlock as their favicon which gives the impression of a secure connection. This could potentially trick less Internet savvy users into thinking the site is safe to transmit personal data over when in fact, it isn't."

I think that those less savvy internet users will be tricked by a lot of other things if they think that a simple HTTPS connection makes a site safe to give personal info to. Personally I think that getting your credit card jacked may not be such a bad thing if it makes you more aware of the risks of the internet, and you'll learn to be safe before you get stalked, or one of your kids gets abducted.

Guest said:

Should have been done a long time ago.

Jesse, Staff, said:

Hasn't Chrome done this for a while now?

spectrenad said:

Should have mentioned it only applied to the address bar sooner...

Agreed, I almost had a heart attack. I don't care about the address bar favicons but don't touch my tab/bookmark favicons!

same here :o

psycros said:

Gee, Mozilla, maybe you might consider making a user preference that's simply disabled by default? Or have you become Microgoogleapple??

doradhorror said:

That's pretty funny.

VitalyT said:

That's just stupid, FF. Instead, they should present the security information differently, so it creates no confusion. Favicon is an awesome feature on the web, and who is FF after all to decide to dump it, give people more incentive to dump FF. Cheers!

nigel said:

One thing that Mozilla also mentioned - and will still be there - is that with extended validation you will still be able to see who owns the site. That level of information should make more sites use Extended Validation certificates rather than the US$9.99 ones that we all can buy.

Guest said:

Got to love the commenters who clearly didn't read the entire article. Anyways I wondered why Chrome was like this already... now it makes sense. Good job Mozilla but something so simple should have already been implemented long ago...

Guest said:

Opera already does this too btw (Using Opera 11.62 stable on Win7 here).

Guest said:

Silly reasons for doing this - but who cares...

Marnomancer said:

As long as it increases security, I'm happy. Absolutely no problem.

Guest said:

Looks like everyone is still trying to catch up with Opera! Opera figured this out some time ago. Seems Opera is the only browser that's really on the ball.

Guest said:

This change deserves to be applauded because it makes the net surfing by a common user much less prone to phishing attacks and scams, even though it may by itself not make web browsing more secure as such. If need be I would recommend giving the net savvy user an option to enable the favicon feature. However this may sometimes make a friend or a family member make an error if he or she is using that net savvy person's PC with the favicon option enabled.

dotVezz said:

I'm all for this, to be honest. They're preserving the feature where it really matters: In tabs and bookmarks. And the logic makes perfect sense.
