Today we are announcing our intent to phase out non-secure HTTP.
There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.
After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web. There are two broad elements of this plan:
- Setting a date after which all new features will be available only to secure websites
- Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.
For the first of these steps, the community will need to agree on a date, and a definition for what features are considered “new”. For example, one definition of “new” could be “features that cannot be polyfilled”. That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities.
The second element of the plan will need to be driven by trade-offs between security and web compatibility. Removing features from the non-secure web will likely cause some sites to break. So we will have to monitor the degree of breakage and balance it with the security benefit. We’re also already considering softer limitations that can be placed on features when used by non-secure sites. For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website. There have also been some proposals to limit the scope of non-secure cookies.
It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP directive, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.
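One way a site operator could check that responses actually carry the two mechanisms named above, as an added example that is not part of the original post: it parses the `Strict-Transport-Security` and `Content-Security-Policy` headers and reports what is missing. The function names, finding labels and sample headers are assumptions constructed for this example.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797).
    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    policy is unusable (max-age missing, repeated or non-numeric)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"[0-9]+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

def csp_upgrades_insecure(value):
    """True if the CSP value contains the upgrade-insecure-requests directive."""
    return any(d.lower().split()[:1] == ["upgrade-insecure-requests"]
               for d in value.split(";"))

def audit(scheme, headers):
    """Return finding labels (hypothetical names) for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if scheme != "https":
        # Browsers ignore HSTS headers received over plain HTTP.
        findings.append("hsts-ignored-over-http")
    elif hsts is None or hsts["max_age"] == 0:
        # max-age=0 tells the browser to forget the host's HSTS policy.
        findings.append("hsts-missing-or-disabled")
    if not csp_upgrades_insecure(h.get("content-security-policy", "")):
        # Legacy http:// subresource URLs will not be rewritten to https://.
        findings.append("no-upgrade-insecure-requests")
    return findings

if __name__ == "__main__":
    # Constructed sample response headers.
    sample = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
              "Content-Security-Policy": "default-src 'self'"}
    print(audit("https", sample))
```
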
Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon.
Thanks to the many people who participated in the mailing list discussion of this proposal. Let’s get the web secured!
Richard Barnes, Firefox Security Lead
Update (2015-05-01): Since there are some common threads in the comments, we’ve put together a FAQ document with thoughts on free certificates, self-signed certificates, and more.