Mozilla plans to phase out non-secure HTTP

Last night Mozilla announced on The Mozilla Security Blog: Deprecating Non-Secure HTTP.

There’s pretty broad agreement that HTTPS is the way forward for the web.  In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Governmentcalling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.

While they don’t specify in details as to “removing capabilities from the non-secure web”, a broad assumption would be anything that allows users to provide information. This could included the obvious such as payment processing and site logins (which should already be using an HTTPS connection anyway), but could also include submission forms, bulletin boards, blog comments, etc. Most drastic would be Firefox would not display a site (such as this blog) over regular HTTP.

Now before I continue I believe it might helpful to explain what HTTPS actually is/does. All HTTPS does it encrypt the connection between you and the web server. That means if someone intercepts the transmission between Firefox and the web server, they are not going to be able to see (technically the can see what is transmitted but it will be encrypted or scrambled, so it is of no use to them) what is being sent from your computer to the website’s server. This is good when sending sensitive information (credit card numbers, social security numbers, date of birth, etc.), but not so good if you want to post cat videos on your favorite message board site. HTTPS has nothing to do with encrypting that data once it reaches and is stored on the server, that is the responsibility of the website owner and their hosting provider.

There has been major backlash in the comments in regards to this proposal. The biggest complaint is this going to hurt the web as many small sites, that have no real reason to be using an HTTPS connection. Furthermore, there is a major cost and time involved in making a site use an HTTPS connection. You need to purchase and apply for an SSL Certificate for each site. That is fine if you are running these sites on your own server, but not for folks like myself using shared hosting. I can host as many sites as I want for $7 a month, however only one site can have an SSL.

I don’t use HTTPS on this site or any of the others I manage. There is no need to…other than for the admin login. There is no need to have an HTTPS connection when readers submit their comments. Go Firefox! would be another example of where this is going to cause troubles. The message board platform software used by Delphi Forums uses an HTTPS connection only when logging in and then once logged in the rest of the site is over regular HTTP. Even when users post content it is over a regular HTTP connection. The user’s don’t care if someone intercepts the transmission which is a link to a cat video.

So what does this mean to me as a Firefox user? At this point being still in the very early stages of this proposal it is unclear. What a lot of people foresee happening is in the future sites they normally visit and use, will be broken (either partially or completely) when using Firefox. So when that happens, people are going to switch to another browser (IE, Opera, Chrome, Safari, Pale Moon, Vivaldi, etc.) and dump Firefox (if they haven’t already after the Australis interface was introduced).

Another issue I could see with this involves the Certificate Authority (CA) which is an entity issuing digital certificates for secure communications. The developers are going to start paying for certificates from the CA so their sites will still work with Firefox. But what happens when the CA they were using does something unethical or refuses to provide audit records and gets blacklisted by Mozilla (as was the case with e-Guven and CNNIC)? Now the developer is out the money for the certificate (possibly costs for installation on their server) and now their site is broken in Firefox. They will now need remove the certificate (possibly at an additional cost), obtain (buy) a new certificate from a “trusted” CA and install (or have it done for them) that certificate on the server.

For once this not Mozilla trying to imitate Chrome. They are trying to be an innovator here, but seem to be think this should apply for the entire web. “Since the goal of this effort is to send a message to the web developer community that they need to be secure.” As I mentioned earlier this makes sense for eCommerce and other sites where people are providing sensitive information, but not for the entire web. If anything they are going to send a message to the web developer community “spend a bunch of time and money to make your sites secure or else visitor won’t be able to access your sites with Firefox.”

Again, this is in the early stages and may be Mozilla will post some clarifications. I tried to look through the “robust discussion” on their community mailings, list but found most of it to be more technical about how this could (could not) be accomplished and not so much about the possible repercussions this could create.