Deprecating Non-Secure HTTP

Today we are announcing our intent to phase out non-secure HTTP.

There’s pretty broad agreement that HTTPS is the way forward for the web.  In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.  There are two broad elements of this plan:

  1. Setting a date after which all new features will be available only to secure websites
  2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

For the first of these steps, the community will need to agree on a date, and a definition for what features are considered “new”.  For example, one definition of “new” could be “features that cannot be polyfilled”.  That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>).  But it would still restrict qualitatively new features, such as access to new hardware capabilities.

The second element of the plan will need to be driven by trade-offs between security and web compatibility.  Removing features from the non-secure web will likely cause some sites to break.  So we will have to monitor the degree of breakage and balance it with the security benefit.  We’re also already considering softer limitations that can be placed on features when used by non-secure sites.  For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website.  There have also been some proposals to limit the scope of non-secure cookies.

It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.

Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community.  We expect to be making some proposals to the W3C WebAppSec Working Group soon.

Thanks to the many people who participated in the mailing list discussion of this proposal.  Let’s get the web secured!

Richard Barnes, Firefox Security Lead

Update (2015-05-01): Since there are some common threads in the comments, we’ve put together a FAQ document with thoughts on free certificates, self-signed certificates, and more.

288 responses

  1. Mildred Ki’Lya wrote on :

    A design issue raised by Tim Berners-Lee with https:

    Don’t break the web

    There is a currently (2014, 15) a massive move to get the web secure in the sense of encrypted and authenticated. Of encryption and authentication, the encryption part is the part which has garnered the most attention, both among its promoters and those in governments who protest against it has giving too much power to users, criminals included, compared with law enforcement. Projects such as LetsEncrypt and the EFF’s HTTPS everywhere for example promote a wholesale move to the HTTPS protocol.

    The concerns behind the need for security are valid. There is a lot of abuse which it would prevent. The problem with HTTPS Everywhere drive is when the “S” is put into the URI. The problem is of course that moving things from http: space into https space, whether or not you keep the rest of the URI the same, breaks any links to. Put simply, the HTTPS Everywhere campaign taken at face value completely breaks the web. In a way it is arguably a greater threat to the integrity for the web than anything else in its history. The underlying speeds of connection of increased from 300bps to 300Gbps, IPv4 has being moved to IpV6, but none of this breaks the web of links in so doing.

    TLS Everywhere

    A proposal then is to do HTTPS everywhere in the sense of the protocol but not the URI prefix. A browser gives the secure-looking user interface message, such as displaying the server certificate holder name above the document, only when the document has been fetched in an authenticated over an encrypted channel. This can be done by upgrading the HTTP to include TLS in real time, or in future cases by just trying encrypted version first. There has been some discussion of this from including a RFC2817 (2000) “HTTP Upgrade to TLS” (Though that was motivated apparently by the need to save low-numbered ports, an issue I omitted from the table above.).

    The HTTP protocol can and by default is upgraded to use TLS without having to use a different URI prefix. The https: prefix could even in fact be phased out, and instead user education focussed on understanding the level of assurance being given about the level of security, including authentication of the other party, encryption of the communication, and the anonymity, traceability, or strong authentication of the user to the other party.

  2. Andrea Ronchetti wrote on :

    But if i want to see an html page which is saved in my hard disk, can i do it? And with software as EasyPhp there will be some problems?

  3. Victor wrote on :

    This is really Mozilla blog? The blog of my favourite browser? I do not believe. To be honest, I think this decision contradicts your principles.

    And yet, how do you think, why the non-profit sites and personal blogs should have an HTTPS certificate?

  4. Dag wrote on :

    Add built-in support for RFC 6698 (Dane) first. Today, or at least this year. In all major browsers. Then hosting providers can add HTTPS on an industrial scale, using DNSSEC, TLSA-records in DNS and self-signed certificates, bypassing all the hassle and security issues of CAs. This is the ONLY way to get a huge proportion of websites to support HTTPS. Oh, BTW, that might interfere somewhat with the revenue stream from CAs to Mozilla, maybe.

  5. Dan B wrote on :

    Is this a late april fools joke?

  6. Sérgio Carvalho wrote on :

    Firefox has a user share problem. Enlarging the user base and stopping user loss should be your first and foremost priority. Limiting browser features is so obviously wrong that it shouldn’t warrant explanation.

    This decision reeks of dictatorial power of a deluded, once powerful, but no longer influential, dictator.

    The result isn’t that webmasters will heed to Mozilla, it will be further descent into irrelevance as users flock to browsers that work.

  7. SjorsK wrote on :

    Even though I am a huge fan of encryption, I believe that the certification system as-is gives false trust. I would love it if things where made a little bit easier to mark self signed certificates as more secure than pure http. I do believe that identity validation is a good thing to do when setting up a business but this will sincerely hurt websites that are set up as a hobby.

  8. Erm wrote on :

    I do a lot of development at home. My test server is in my lan and if I understand what your suggesting correctly (at least according to your faq) “As noted above, everything that works today will continue to work for a while, so we have some time to solve this problem.” I’m not going to be able to get the full range of features firefox offers for my local dev server inside 192. because it doesn’t have a cert.

    What if I want to develop a site that uses and tags and you add new features?! I won’t be able to use them!

    I’ll have to set up nginx, generate a self singed cert and have it proxy to the http… what a waste of cpu & dev time. Just so I can keep using flask.

  9. clem wrote on :

    Certification is a centralized system, it’s a freedom issu

  10. Andrew Aitchison wrote on :

    I was taught that one factor that aided cracking the German Enigma ciphers was that the Luftwaffe used the same encryption for the weather forecast and for top secret messages.

    Encrypting everything may improve privacy, but are you sure that it wont reduce the security of the most
    secure infomation ?

  11. Owl wrote on :

    When I talk to my friend in the coffee shop there is a danger that we will be overheard and our privacy violated. Obviously the solution is for coffee shops to install loud white noise generators to make voice communication difficult… and then I will be much more secure as I pass written notes back and forwards to my friend.

  12. Cos wrote on :

    In your FAQ, would you please replace “IT guy” with a less-gendered term?

  13. Valtteri wrote on :

    I’m going to drop Firefox support from my site. I’m very disappointed.

  14. Kaos wrote on :

    Such a bad idea!

    I will start to inform our users to change web browser from Firefox to Google Chrome.

  15. SJD wrote on :

    No Firefox user agents on my page anymore!

    Was quite simple:

    RewriteCond %{HTTP_USER_AGENT} Firefox/29 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} “Firefox/[3-9][0-9]” [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} “Firefox/[0-1][0-9][0-9]” [NC]
    RewriteCond %{REQUEST_URI} !^/redirectpage\.txt$
    RewriteRule ^(.*)$ /redirectpage.txt [L]

    Banning newer versions after the end of “Firefox classic” above

    or more absolute one here beyond:

    RewriteCond %{HTTP_USER_AGENT} ^.*Firefox/*.*$ [NC]
    RewriteCond %{REQUEST_URI} !^/redirectpage\.txt$
    RewriteRule ^(.*)$ /redirectpage.txt [L]

    Replace “redirectpage.txt and ” redirectpage\.txt$ with the name you want Firefox users to be redirected instead of your normal page

    Bye bye Firefox!

  16. Owl wrote on :

    It seems to me that some people here are over-reacting and making changes before this is implemented and we see how it pans out, or whether Mozilla folk even change their minds.

    I would like it if we could use https everywhere… but the reality is that there are quite a few countries which block non-whitelisted https sites.
    Major sites such as banks can get onto the whitelist… but many lesser sites never will.

    The danger of switching to https everywhere is that you then cut off a lot of users in these countries.

    We can hope that going to https will build pressure for these countries to relax their policies but I think that is naive – what it will do is build pressure for them to get the same control over CAs/root stores that the NSA must already have.

    (Sure users can run a VPN but that is a game ouf cat and mouse which I suspect is going to end badly for the VPN users)

  17. Aditya wrote on :

    Apparently the people at the top of Mozilla with pockets filled with money can’t understand how hard it is to implement HTTPS for small websites owners. Personally i prefer visiting sites in HTTPS especially for big sites or to be precise it’s almost a requirement for those big sites to use HTTPS. But when you’re running your own sites it’s different especially if those sites are just small sites that don’t generate income or the income generated were too small. Here’s why:

    – Most sites are hosted on shared hosting plan or cheap VPS with very restricted resources usage. Adding HTTPS will going to get you kicked due to resources usage being exceeded especially if your sites having many visitors but you’re not generating money/not enough reason to buy certs for those sites. (here’s an example from one of the big hosting provider at for example. They even tell you to avoid HTTPS as much as possible).

    Quoted from their page (also screenshot

    “Avoid using https protocol as much as possible; encrypting and decrypting communications is noticeably more CPU-intensive than unencrypted communications.”

    – I keep seeing someone saying letsencrypt being promoted here and there in this comment area. Will letsencrypt give you wildcard certs for free?. Some people prefer to use subdomain for static files, and also for other reasons. And wildcard certificate isn’t cheap.

    – HTTPS require 1 ip address per-certificate. Yes, i know about SNI but what if for some reason i/the admin/the webmaster don’t want to use it due to privacy reason?. Because if you only have 1 ip address, and you’re being forced to use HTTPS, all your sites need to be listed there in the certificate, and all your domain names then can be seen by everyone by simply looking at the certificate. And this violates my privacy.

    – If you say there’s Cloudflare. Can you even guarantee they will last forever? and besides if you’re talking about privacy and security, giving your sites statistics to Cloudflare which is a third party contradict what you’re trying to achieve. And you’re trying to force website creators/owners to give their statistics to a third party.

    – Mom and pop store that generate small revenue can’t use HTTPS or won’t bother to use it due to it’s adding more cost. Most of them are hosted on shared hosting plan that doesn’t allow you to change configurations so you can’t use those free ssl cert from StartSSL or any other free cert which unfortunately till now there is exist only 2, and soon to be 3 if letsencrypt accepted by major browsers.

    Also if you’re thinking those mom and pop store are running full blown ecommerce solution like with add to cart and checkout function then you’re dead wrong because mom and pop store mostly use static html or a simple wordpress website. And when someone ordered something from the site it is by phone or email.

    In short HTTPS is still too expensive for small website(s) owners/creators.

  18. Bob wrote on :

    Dear Moz,

    Would you be a dear and moderate these comments? There seems to be a certain someone with anger issues who keeps posting here.


    PS. BTW, thanks pushing the web towards encryption as default.

More comments: 1 5 6 7