Mozilla pushes for full HTTPS use
Mozilla has announced they are planning to deprecate non-secure HTTP.
“After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web,” Firefox Security Lead Richard Barnes explained in a blog post.
“There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.”
But they are aware that they need to tread carefully, and find a good balance between security and usability, as removing features from the non-secure web could result in many sites “breaking.”
“We’re also already considering softer limitations that can be placed on features when used by non-secure sites. For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website,” he noted. “There have also been some proposals to limit the scope of non-secure cookies.”
HTTP won’t be banned completely, but will have to allow for a switch to HTTPS when required, with the help of HSTS and the upgrade-insecure-requests CSP directive.
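An added example, not taken from Mozilla's post or FAQ: a response-header audit for the two mechanisms named above, covering the cases where a header is present but has no effect. The 180-day threshold, the finding labels and the sample responses are assumptions constructed for illustration.

```python
MIN_MAX_AGE = 15552000  # assumed site policy: at least 180 days, in seconds

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def csp_upgrades(value):
    """True if any policy in the header value carries upgrade-insecure-requests."""
    for policy in value.split(","):          # a header may hold several policies
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "upgrade-insecure-requests":
                return True
    return False

def audit(scheme, headers):
    """headers: list of (name, value) pairs. Returns a list of finding labels."""
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    # Only the enforced header counts; the directive is ignored in Report-Only.
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    findings = []
    if not hsts:
        findings.append("hsts-missing")
    elif scheme != "https":
        findings.append("hsts-ignored-over-http")   # browsers ignore HSTS sent over plain HTTP
    else:
        max_age, _ = parse_hsts(hsts[0])            # only the first header is processed
        if max_age is None:
            findings.append("hsts-invalid")
        elif max_age == 0:
            findings.append("hsts-disabled")        # max-age=0 clears the stored policy
        elif max_age < MIN_MAX_AGE:
            findings.append("hsts-short-max-age")
    if not any(csp_upgrades(v) for v in csp):
        findings.append("no-upgrade-insecure-requests")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Security-Policy", "default-src 'self'; upgrade-insecure-requests")]
WEAK = [("Strict-Transport-Security", "max-age=0"),
        ("Content-Security-Policy-Report-Only", "upgrade-insecure-requests")]
```

Calling `audit("https", GOOD)` returns an empty list, while the same headers served with scheme `"http"` are reported as `hsts-ignored-over-http`.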
In order to pacify developers who might be worried about this transition, Mozilla has published a FAQ section that offers more information about what this switch will mean for them, especially when it comes to security certificates.
Mozilla is not the only organization pushing for SSL adoption and making the web secure. Last August Google announced that websites using HTTPS will be ranked higher in Google Search results, effectively providing site owners another incentive to switch to HTTPS.