Today we are announcing our intent to phase out non-secure HTTP.
There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.
After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web. There are two broad elements of this plan:
- Setting a date after which all new features will be available only to secure websites
- Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
For the first of these steps, the community will need to agree on a date, and a definition for what features are considered “new”. For example, one definition of “new” could be “features that cannot be polyfilled”. That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities.
The second element of the plan will need to be driven by trade-offs between security and web compatibility. Removing features from the non-secure web will likely cause some sites to break. So we will have to monitor the degree of breakage and balance it with the security benefit. We’re also already considering softer limitations that can be placed on features when used by non-secure sites. For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website. There have also been some proposals to limit the scope of non-secure cookies.
It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.
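To make the upgrade mechanics concrete, here is a small model of the browser-side decision described above (an added example, not Firefox code): it keeps an HSTS cache fed from Strict-Transport-Security headers received over HTTPS, and rewrites a legacy "http" URL to "https" when either the host is HSTS-known or the embedding page's CSP carries upgrade-insecure-requests. The class and function names are this example's own; the port handling (80 becomes 443, other explicit ports are preserved) follows RFC 6797 and the upgrade-insecure-requests spec.

```python
"""Model of how a browser upgrades legacy http:// URLs to https://.

Added example (not Firefox or Mozilla code). HstsCache and should_upgrade
are hypothetical names chosen here to illustrate HSTS (RFC 6797) and the
upgrade-insecure-requests CSP directive named in the post.
"""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    def __init__(self):
        self._entries = {}  # host -> (expiry timestamp, includeSubDomains)

    def process_header(self, host, header, secure, now=None):
        """Record a Strict-Transport-Security header. Per RFC 6797 the header
        is ignored unless it arrived over a secure (HTTPS) connection."""
        if not secure:
            return False
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self._entries.pop(host.lower(), None)
            return True
        self._entries[host.lower()] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, is an
        unexpired HSTS host."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def should_upgrade(url, hsts, csp=None, now=None):
    """Return the URL the browser would actually fetch."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    csp_upgrade = csp is not None and "upgrade-insecure-requests" in [
        d.strip().lower() for d in csp.split(";")]
    if not (hsts.is_known(parts.hostname, now) or csp_upgrade):
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):  # explicit port 80 maps to 443; others are kept
        netloc = netloc[:-3] + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```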
Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon.
Thanks to the many people who participated in the mailing list discussion of this proposal. Let’s get the web secured!
Richard Barnes, Firefox Security Lead
Update (2015-05-01): Since there are some common threads in the comments, we’ve put together a FAQ document with thoughts on free certificates, self-signed certificates, and more.