Deprecating Non-Secure HTTP

Today we are announcing our intent to phase out non-secure HTTP.

There’s pretty broad agreement that HTTPS is the way forward for the web.  In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.  There are two broad elements of this plan:

  1. Setting a date after which all new features will be available only to secure websites
  2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

For the first of these steps, the community will need to agree on a date, and a definition for what features are considered “new”.  For example, one definition of “new” could be “features that cannot be polyfilled”.  That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>).  But it would still restrict qualitatively new features, such as access to new hardware capabilities.

The second element of the plan will need to be driven by trade-offs between security and web compatibility.  Removing features from the non-secure web will likely cause some sites to break.  So we will have to monitor the degree of breakage and balance it with the security benefit.  We’re also already considering softer limitations that can be placed on features when used by non-secure sites.  For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website.  There have also been some proposals to limit the scope of non-secure cookies.

It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP directive, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.
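An added example, not code from the original post or from Mozilla: a simplified JavaScript model of how a browser applies HSTS and the upgrade-insecure-requests directive to an “http” URL before the request is sent. The class and function names and the `.test` host names used with it are constructed for illustration.

```javascript
// Simplified model of HSTS (RFC 6797) and the CSP upgrade-insecure-requests
// directive. All names and hosts here are illustrative, not browser internals.

// Parse a Strict-Transport-Security value; returns null if max-age is absent.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';')) {
    const [rawName, rawVal] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (name === 'max-age' && rawVal !== undefined) {
      const v = rawVal.trim().replace(/^"|"$/g, '');
      if (/^\d+$/.test(v)) policy.maxAge = Number(v);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

class HstsStore {
  constructor() {
    this.hosts = new Map(); // hostname -> { expires, includeSubDomains }
  }

  // Record a policy from a response. The header is honoured only on HTTPS
  // responses: on plain HTTP a network attacker could forge or strip it.
  noteResponse(url, headerValue, nowSec) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    if (policy.maxAge === 0) {
      this.hosts.delete(u.hostname); // max-age=0 clears the entry
      return true;
    }
    this.hosts.set(u.hostname, {
      expires: nowSec + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // A host is covered by its own entry, or by a parent's includeSubDomains.
  isKnown(hostname, nowSec) {
    const labels = hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      if (!entry || entry.expires <= nowSec) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite applied before any request leaves the browser.
  upgrade(url, nowSec) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, nowSec)) u.protocol = 'https:';
    return u.href;
  }
}

// True if a Content-Security-Policy value carries upgrade-insecure-requests.
function hasUpgradeDirective(csp) {
  return csp.split(';').some(
    (d) => d.trim().split(/\s+/)[0].toLowerCase() === 'upgrade-insecure-requests');
}

// Subresource URL as fetched by a page served with the given CSP.
function upgradeSubresource(url, pageCsp) {
  const u = new URL(url);
  if (u.protocol === 'http:' && hasUpgradeDirective(pageCsp)) u.protocol = 'https:';
  return u.href;
}
```

Until `noteResponse` has seen the header on an HTTPS response, `upgrade` returns the “http” URL unchanged, which is the first-visit gap that HSTS preload lists exist to close.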

Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community.  We expect to be making some proposals to the W3C WebAppSec Working Group soon.

Thanks to the many people who participated in the mailing list discussion of this proposal.  Let’s get the web secured!

Richard Barnes, Firefox Security Lead

Update (2015-05-01): Since there are some common threads in the comments, we’ve put together a FAQ document with thoughts on free certificates, self-signed certificates, and more.

288 responses

  1. Jamie E wrote on :

    This is a welcome development. In the modern era, we need HTTPS more than ever to provide data integrity assurance. With nation-states now willing and able to do packet injection and MITM data manipulation on a truly staggering scale, HTTPS is our only defense. And yes, this goes for sites of any size or purpose. Consider the myriad of bad actors with Internet backbone access, who can make it appear to visitors that your site content says something completely different than it actually does. Web users are becoming unwitting victims of injected rogue JavaScript programs that weaponize their browser to attack other sites. The Great Cannon of China is only the first salvo in a new expansion of MITM attacks by the powerful against the weak.

    If you’re a webmaster, and concerned about costs and implementation details of HTTPS, please look at http://www.letsencrypt.org, and consider hosting with a CDN that offers your site HTTPS. I don’t want to mention anyone in particular, but these things are very easy to find. It’s worth it.

    1. Lestat wrote on :

      Give me one reason why a guy with a plain and simple static Webpage should do all that extra work? Http is no crime.

      There is a difference between reason and discrimination. Mozilla and Google are following the latter path.

    2. Ben Cooke wrote on :

      SSL (as currently deployed) does not defend against any nation state that contains a trusted CA.

      Governments compelling CAs to make fraudulent certs for MITM used to be theoretical, but it’s quickly becoming quite likely: https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl

      SSL is already widely enough deployed to protect my credit card number, social security number and other such sensitive information. The push for universal SSL is motivated by increased *privacy*, and yet governments are not impeded by SSL in spite of them being the primary collector and abuser of network usage metadata.

      The right cause would be for a replacement for SSL and the CA infrastructure that defends against government interference. That must precede universal adoption of SSL, lest we mislead people into believing their privacy is protected when that is far from being the case.

  2. Lonnie.Severus wrote on :

    Well, that all means I will probably switch to another browser.

    Will be taking a closer look at Slimjet, Vivaldi or Opera. I will for sure stay no longer with Mozilla.

    Total insanity in control…..

  3. MJ wrote on :

    The EFF posted an article last year announcing plans to make SSL open and free to everyone. It appears they are focusing on making it easy to work with certs. Not only are they providing a CA – but also easy to use management software to download/install certs for web sites.

    Read the EFF release here…

    “Launching in 2015: A Certificate Authority to Encrypt the Entire Web”
    https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web

    Which links to the Let’s Encrypt website. https://letsencrypt.org/
    Read the How it Works section.

    1. Nate wrote on :

      Yes, we all know about letsencrypt.
      We know that it isn’t out yet.
      We don’t know if it will work on anything but the newest webservers.
      We don’t know what sort of requirements it will have in order to do its magic.

      If Firefox wants to be about forcing people to do things they don’t want to, then they will fail, as they have been so good at doing lately.

  4. Luaks wrote on :

    Oh yes, I agree! Let’s send Mozilla guys into retirement! There is really only a small border between stupidity and brilliance.

    I hated Australis which was a clear shift away from classic Pro users towards simplicity loving ones

    I hated the new Chat feature because it was bloat.

    Let’s not start about the ads in the new tab page!

    Brendan Eich… Never forget!

    And now this!

    I agree so very much with this.

    http://vivaldi.com

    Mozilla f*ck off!

  5. Denys Duvanov wrote on :

    Hey, what about google analytics?
    Analytics doesn’t work without cookie.

    1. Daniel Veditz wrote on :

      Google analytics works just fine over https.

      1. Roland Zink wrote on :

        Which is exactly the problem. The browser multicasts the visited URL to the big Internet companies. The NSA can get the URL this way too and they do not even need to break TLS security to do so.

  6. Walter wrote on :

    Shared hosting is what makes having a web site affordable to most people. AFAIK Apache is not able to lead with certificates for several virtual domains. You need a static IP for each one. So deprecating http you’re just encouraging users to use i.e. facebook instead of investing in having their own web site. Like by analogy is doing Red Hat with Pottering’s systemd you’re going in the opposite direction to “free” and “open”, you’re literally fucking users, freelance developers and SMEs in favor of multinationals.

    Dream is over.

    1. FF Extension Guru wrote on :

      With shared hosting you need a multi-site cert (or UCC). My terminology may be off here but the way it works is you have your primary site and under that you have secondary sites. I have never done this so I don’t exactly know how it looks, but been told that every site is listed on each site’s cert. My issue is my shared hosting provider sells these UCC’s in packs of 5. I have 6 sites (plus I sublet some space for 2 other sites to a friend of mine which are purely informational). This is going to be a major headache for me as I would have to switch the primary domain from my personal site to my business site (no transactions take place, though I would like SSL for then the login into their account page). All the sub sites (including my personal and 2 of my friends) would then be listed under my business site when the cert is viewed. Then there is the process of applying and validating for an SSL on at least 6 sites. I would be looking at $250 a year for the certs on top of the $84 for the hosting and $100 for the domains (some of these sites resolve from several domains which I just realized I would either have to add those to the UCC or do 301 redirect). Again, the majority of what I do is hobby and my business site generates just enough revenue to cover the cost of the domains associated with it.

      1. Kirrus wrote on :

        Multisite certs are not suitable for shared hosting. UCC certs are just for exchange servers.

        This is seriously shitting on small shared hosts.

    2. Travis wrote on :

      Apache has supported SNI for several years now. If your shared host is still using an out-dated Apache version, it’s time to change hosts.

  7. John Vahn wrote on :

    If you want to promote security making people actually safer rather than simply feeling that way start by redoubling your own efforts to fix defects in your own software which continues to endanger your users.

    Secondly provide users more options than just certificates based on global trust regimes. Support PAKE as an alternate means of establishing secure sessions where users already have more localized means of trust (e.g. A password)

    Finally stop confusing secure transport with trust bestowed by users. There is nothing you can safely do with a secure transport that you can’t already do with an insecure one. If anyone can obtain a certificate then anyone is able to take advantage of all browser features. Never confuse political goals with technical ones.

  8. A. Zander wrote on :

    Since I work for a small hosting company I would like to know who will pay for the extra IP addresses we will be required to purchase because of this new policy? If Mozilla continues to push for this, I will either be laid off as the company works its way into shutting down, or they will start sending the Mozilla Foundation the bill for the additional IP Blocks we will be required to purchase to be able to continue offering web hosting.

    Which will it be? Mozilla, et al paying for our additional IPv4 usage, or Mozilla et al paying for my unemployment? Those are the 2 options I currently see in my future with this new push.

    Think on this as well… this “encryption” is not what most people think it is. Those here will know, but the general public assume that because it’s SSL that their data is encrypted all the time. THIS IS A LIE. I’ve tried to explain it to many people who are not tech savvy. Once they understand that it only encrypts the data from the server to their browser, and often nowhere else they start to wonder why we use SSL at all.

    Want to really make a difference? Create a system that works in ALL email clients that will automatically encrypt and decrypt email between people without them having to do much more than putting in an authorization code from the sender. Add it to their address book system so they only have to put it in once for each email address.

    A.Z.

    1. Nate wrote on :

      With SNI (available on anything not ancient) you don’t need additional IP addresses, unless your software is also ancient.
      I suggest, rather than going out of business or losing your job, you update your servers.

      1. Kobor wrote on :

        You do, since a lot of users are still coming from old browsers, which don’t support SNI.

  9. John Snow wrote on :

    Great, big changes. I am curious about impact on Google Page Rank for sites with HTTPS. There is also a problem with simple static sites which do not need SSL at all. Is there really a need to buy a certificate only to maintain position in Google Search?

  10. Truth Teller wrote on :

    Someone follow the money. Decisions like this are always because someone is getting paid indirectly to make it. Look forward to reading in the future who got rich.

  11. James wrote on :

    Good luck….http is still going to be in use for a LONG time, and locking out your users is just going to push them to a different browser.

    1. Ed Hands wrote on :

      Amen.

    2. Ed Burnett wrote on :

      Nah, websites that refuse to utilize HTTPS will be the ones losing users. It’s trivial to implement and the benefits for all involved are many. Encrypting all web traffic has been in the discussion pipeline for a long time now, and I suspect Chrome and the other browser projects will soon follow suit.

      1. Suki wrote on :

        Sorry but no, it may be trivial to you but it certainly isn’t trivial for the regular small company or the IT illiterate person who wants to start his/her own webpage.

  12. Jona wrote on :

    The list of CAs coming with firefox includes numerous shady ones that have quite a history of failures. On the other hand: CACert’s inclusion has been denied for questionable reasons.

    I find it kind of funny that this is published by mozilla, proclaiming an “open and better web” while excluding the only CA that is truly open and non-profit.

    Presently, getting an SSL Certificate is a hassle that costs a lot of money if you actually want more than one subdomain to have a proper certificate. I suggest you address that problem first, i.e. enable non-restricted and freely accessible SSL. Otherwise your “open web” will only be open to the ones that can afford it.

  13. Jonathan wrote on :

    Bad decision all the way around, security sounds great on paper but for 99% of people does not matter at all.

    Main Issues:
    There is no easy way to install SSL for a common person. Involves multiple steps and then maintaining when there are issues with openssl, renewing the certificate etc, keeping up with the latest ssl exploits. This adds another barrier of entry for people getting into web development for a newbie.

    Going to destroy shared hosting environments that can’t support multiple ip’s and just for them to maintain all their end users.

    Not everything needs to be encrypted just making the internet inefficient and slower.

  14. Johan Boule wrote on :

    K.I.S.S.

  15. Janet Merner wrote on :

    Do not get rid of http but just make https the default and http the fallback. As someone else wrote mom and pop organizations that do not want to pay for the ssl certificates should not be forced to. Considering that most sites without https serve either static webpages or run everything on their own servers using Perl or php why should they be forced to adopt https.

    The Developers are also forgetting that in developing countries with low speed and sporadic quality internet services that the bandwidth and quality of service that is needed for a https connection will shut a lot of people out. The problem with the Mozilla foundation is you are based in the United States and are completely oblivious that not everyone in the world has available the resources that you do.

    There are children in some developing countries that are still using Pentium II computers over a 14.4 speed modem. Do you want to deny them the possibility of using the Internet and developing skills that may be the difference between a life of poverty and one of fulfillment?

  16. Brian LePore wrote on :

    “For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website.”

    Maybe it’s just because my dev environment has a self-signed SSL, but I’ve been working on this for a new feature for a bit for us at work and Firefox ALWAYS prompts every time.

    And really, this is a crappy idea. I’m sorry, but not EVERYTHING on the web needs to be secure.

    1. Daniel Veditz wrote on :

      “Maybe it’s just because my dev environment has a self-signed SSL, but I’ve been working on this for a new feature for a bit for us at work and Firefox ALWAYS prompts every time.”

      Have you clicked the tiny button with the tiny triangle on it? There should be an “Always Share” option there on secure sites. If you don’t dig in and find that then the main button is just “share one time only”. Our UX folks seem to hate multiple buttons, but personally I think it would make that (and several other) prompts clearer. Hiding non-default choices in a drop-down has nothing to do with the SSL/TLS topic here, it’s just design style.

  17. aaa wrote on :

    I’m all for increasing security but the CA system is broken and we all know it

    I would rather see some real security improvements such as addressing fingerprinting using fonts. Per tab sandboxes and hardened browser builds. Remove rc4

    We as users do not want Australis, firefox hello, or anything else like that. We want a simple lean extensible browser which is secure.

    Each time I read the release notes for a new firefox version I am always disappointed by the lack of real security improvements. That is my only concern: security. I’m not a chrome user as I feel google has enough control as it is but I am envious of the security of chromium.

    If you need revenue, partner with duckduckgo, startpage or disconnect search. I have been a loyal user for years but I am seriously becoming jaded with the efforts. It feels like we all know what needs to be done and yet nobody is willing to put in the effort to get us there.

    If you claim to be as open and for security as you suggest I would suggest allowing Mike Perry and the tor browser team to have much more of a say in how to further secure firefox.

    The modern browser is everywhere, in every device and business; we need more security at the application level. The only hope for the network level is networks like Tor.

  18. Lestat wrote on :

    – Anyway I look forward to seeing you Mozilla guys reducing your market share even further with this and all that actions.

    Your problem is you guys do NOT think about things.

    Let me list you most grave mistakes!

    1) You implemented Australis and removed functions because you are unwilling to maintain a separate codebase for Desktop usage, because you got jealous of Chrome’s user numbers and you hoped that enough Chrome users jump ship so you would win in the end! And even worse.. You did INTENTIONALLY turn your back towards Power Users, the ones which made you in the first place!

    2) You created Firefox OS because you got again jealous on Google’s success with Chrome OS

    3) You did let it happen that Brendan Eich got more humiliation as it was necessary at all, so he left on his own and your own hands have been clean.. more or less

    4) Signed add-ons… You saw again that move from Google and followed to have “Chrome parity”

    5) Instead of offering the user DRM free versions of Firefox you forced DRM on anyone

    6) The move against HTTP – Google made it first so you must again try to beat them in terms of being even harsher in pushing through with that rule!

    See what I mean? Many mistakes you did and make or made are because you see Google as role model!

    What is so wrong in doing your own business again? Why you try to emulate the Chrome feeling as much as possible?

    Can you REALLY NOT UNDERSTAND this?

  19. Ed Hands wrote on :

    Wow….this is about as poorly conceived an idea as they come. Honestly, I understand the concern and the idea and motivation behind it, but to the normal everyday user they do not see “Wow…Mozilla is looking out for me and my security! Way to go!” They see “gee…my cat videos don’t run when I use Firefox….let me switch to something that does.”

    The false assumptions that you are making is that a) people have a technical knowledge of internet security and are making rational decisions based on that knowledge and b) people have to browsers .

    In both cases, except for the crowd that has posted here, they don’t. People by and large don’t give a frog’s fat hiney about SSL certs and sha-1 vs sha-2 and such. They care that they can no longer visit their site. And they will switch browsers faster than you can say “Jack Robinson” to get to their site and make that their default.

    An ambitious, and good intentioned, plan. But you know what they say about good intentions….

    Good luck with this.

    1. Ed Hands wrote on :

      Correction to the above:

      b) people have loyalty to browsers .

      1. Omega wrote on :

        The VAST majority of people are not loyal to browsers. They use the “blue E”. That’s all.

  20. Yuval Levy wrote on :

    Sir:
    Your intention is laudable and the direction is the right one. However, please consider the following:

    (1) Encryption comes at a cost. It is time to end the taxation regime of certificate authorities (CA). Please hold off with your plans until is publicly and easily available.

    (2) The current trust model is broken beyond repair. I honestly prefer to trust self-signed certificates from responsible site owners that I know personally than certificates signed by some shoddy CA. The number of default root certificates in the different browsers and devices is mind-staggering, and when investigating them I would like to revoke trust to the majority of them. I no longer trust curated collections of root certificates, whether they come from Microsoft, Mozilla, Google, Apple, or any other distributor. Please give me control over the root certificates that come with Firefox: disable them all by default and prompt me on a case by case basis, when I access a secured website, whether I want to trust certificates that are signed by that specific root CA.

    When the cost of encryption to website publishers will be merely computing cost; and when the problematic blind trust in root certificate and mistrust in self-signed certificate are solved; then you will have my full support to deprecate HTTP.

    Until then, restricting artificially the availability of new features to encrypted sites only is a counter-productive publicity stunt and will only drive users away from Firefox.

    1. Yuval Levy wrote on :

      The URL of let’s encrypt dot org has been filtered out in my point (1). It should read:

      (1) Encryption comes at a cost. It is time to end the taxation regime of certificate authorities (CA). Please hold off with your plans until LETSENCRYPT DOT ORG is publicly and easily available.
