Deprecating Non-Secure HTTP

Today we are announcing our intent to phase out non-secure HTTP.

There’s pretty broad agreement that HTTPS is the way forward for the web.  In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.  There are two broad elements of this plan:

  1. Setting a date after which all new features will be available only to secure websites
  2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

For the first of these steps, the community will need to agree on a date, and a definition for what features are considered “new”.  For example, one definition of “new” could be “features that cannot be polyfilled”.  That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>).  But it would still restrict qualitatively new features, such as access to new hardware capabilities.

The second element of the plan will need to be driven by trade-offs between security and web compatibility.  Removing features from the non-secure web will likely cause some sites to break.  So we will have to monitor the degree of breakage and balance it with the security benefit.  We’re also already considering softer limitations that can be placed on features when used by non-secure sites.  For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website.  There have also been some proposals to limit the scope of non-secure cookies.

It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.

Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community.  We expect to be making some proposals to the W3C WebAppSec Working Group soon.

Thanks to the many people who participated in the mailing list discussion of this proposal.  Let’s get the web secured!

Richard Barnes, Firefox Security Lead

Update (2015-05-01): Since there are some common threads in the comments, we’ve put together a FAQ document with thoughts on free certificates, self-signed certificates, and more.

288 responses

  1. Graham wrote on :

    Good thing I stopped using Firefox a year and a half ago. To those of you who still deal with Mozilla’s crap… Well, have fun!

  2. Norman wrote on :

    riding a bicycle is dangerous and exhausting, so lets deprecate it!!

  3. Jon wrote on :

    Does that mean HTTP will stand for: Hyper Text Transfer Phoenix?

  4. evan wrote on :

    The Internet is not worth the trouble. I disconnected my home service and only go to coffee shops occasionally for service now. Mozilla Firefox seems to have introduced the same scheme that Microsoft uses to monitor and track it’s servants, that of creating an intentional error , reporting to you that there is an error and then forcing you to fix the error. Do-Loop …

    I am going to switch from Linux Mint 17 to Blag , Blag features a version of Firefox where “automatic updates” = (Taking control of your system) is disabled.

    http://www.blagblagblag.org

    GNU-Linux is the only way to go.

  5. Mark wrote on :

    This is over-the-top, whacked out techno-evangelism. This is weird and paternalistic and unnecessary. Raising the bar for casual web content on the best medium the planet has for free expression is just not a thing that needs to be done. I wonder what agenda there is here but I think it’s just myopic nerdy stupidity.

    I will happily allow my casual web projects to break in Firefox requiring people to switch to some sane browser whose dev team doesn’t feel the need to inject weird paternalistic nonsense into their architecture. So long, Firefox.

  6. Wat wrote on :

    Wow. I had no idea Mozilla was a large enough organization so off-base. This will be an IT support nightmare when all these sites with self-signed certs pop up a dozen warnings that make users think they are being hacked. Are you actually trying to follow Opera off the cliff?

  7. Vasili wrote on :

    Requiring HTTPS is like wearing a thermal jacket at all times, even when it’s warm.

  8. Locke Cole wrote on :

    Mozilla’s gone off the rails, must be time to fork Firefox and work on a version that remains true to the goals and designs it was originally intended to meet. Making things “not work” is not the answer. Forcing site operators into additional fees (mandatory static IP address for using an SSL certificate, the cost of the certificate, etc) is ridiculous. Especially for folks that run casual/fun websites for personal or friends use.

    I get that the internet at-large needs more security for some things, but pulling the plug on something that isn’t broken to try and force people into something they aren’t asking for is almost the definition of bad business.

    1. Kyhwana wrote on :

      Additional IPv4’s aren’t required. This is what SNI is for.
      There are also free certificates available (including hopefully soon letscrypt.org)

    2. Anees Iqbal wrote on :

      Did you know that CloudFlare offers FREE SSL?! You don’t need a dedicated IP or something. All you need to do is add your website to cloudflare. and Et Viola!

      1. lozl wrote on :

        >> C*Flare offers FREE SSL

        Then there will be only encryption between user and cloudflare.
        And from cloudflare to your site there will be none.
        Nsa will get everything in plaintext.
        Cloudflare is MITM.
        You are from marketing division and dont know what you are talking about.

  9. Catman wrote on :

    So Mozilla has gotten into bed with NSA?

    Time to remove ‘Firefox’ and get a browser that works for me, instead of against me.

    1. Daniel Veditz wrote on :

      Odd comment, why would the NSA prefer encrypted traffic to plaintext? We rather think they _won’t_ like this move.

  10. Lalo Martins wrote on :

    I thought your excuse for implementing web DRM was that people would just abandon Firefox otherwise. Don’t you realize that’s exactly what will happen if you do this? I mean, what’s more likely, everyone starts encrypting stuff because otherwise the #2 browser doesn’t work properly, or everybody who’s using the #2 switches to something else that does work?

  11. Adrian Roselli wrote on :

    A PDF for the FAQ? C’mon guys.

  12. Suki wrote on :

    This might sound crazy but how a bout this:

    – You launch and make sure Let’s Encrypt is working properly and has been already established as an easy solution to migrate to https.
    – Talk to webhosting companies about migrating to https or offer affordable solutions to the millions and millions of websites that are currently using shared hosting accounts and have no ability to use https unless they paid an extra fee..

    Then AND ONLY THEN you start talking about deprecating http….

    How’s that sound? seems pretty logical no? that way you avoid the hordes of angry users shouting at you for segregating webpages all over the place.

    In all honestly it seems the Mozilla guys think the internet should ONLY be available for two kinds of people:

    – people with money
    – people with technical knowledge

    Which is simply insane! and makes me wonder if you guys haven’t spend way too many time in your silicon valley bubble…

    1. tfs wrote on :

      Amen! The amount of shared hosted websites out there is gigantic. It’s totally pointless to talk about deprecating HTTP until these shared hosting companies do not offer these free oh-so-easy-for-everybody certificates.

  13. Roman Naumenko wrote on :

    This is great news.
    Data in transit should have mandatory encryption, period.

    Are there any plans to phase out non-secure transmission over SMTP as well?

  14. negecy wrote on :

    Typical american pointless actions. Think (I know, americans do anything and may think later or not) about people with less good bandwidth just want to check irrelevant information like weather, airport-city transit or similar. It’s quite unimportant if there is any surveillance on this, it’s also much better, if this information may be cached for speed-improvements. However, everything need to be https has additional negative effects, as it requires everyone to be able to have https. So it’s somehow a requirement to have sth. like Let’s Encrypt then, resulting again in damaging https as the only possibility to handle a huge amount of free certificates is somehow (full) automation, which result in any Phisher, Cyber-crime, Cyber-terrorism to have https, damaging the trust in https at all, as authentication only can be automated, which somehow has a value of zero.

  15. John Doe wrote on :

    Ok so the US gov says so (no more http). Well then who runs the NSA, CIA, Homeland’Security’ and all the other law breaking agencies?

    If the US Gov says so, probably the opposite it the better way. Why you guys want to help the US gov (&co) to be the one who can intercept the web traffic? You guys really believe they don’t have their hands on the certificates? Who runs VeriSign? Who is on the top of the certificate authority structure?

    It seems you guys have too much time or get paid too well from obscure sources for esoteric purposes. In most cases, people doing so abolish themselves. You better look what Firefox already does, dozens of requests in the background, unnecessarily services with lot of bugs and so on. Maybe it is time for another Browser, one which does not impose a ton of fancy services and try to restrict which page can live or gets CENSORED (oh sure, just for our security – for our best of course! Like always).

  16. Alexander wrote on :

    You should never force HTTPS.

    The win’s are rather subjective and hard to confirm.

    But using HTTPS give problems for regular webmaster.

    Website will be slower on average. Webmaster need better hardware or pay more to his hosting provider.
    HTTPS support is not always possible. For example some CDN’s can’t support HTTPS in some specific modes.
    Third-party resources linked in HTML can miss HTTPS support and it will cause website work incorrectly in HTTPS. And you need to monitor this forever… for all links on website! This point is valid for a huge % of websites.
    By enabling HTTPS-only you can easily lose 20% of visitors. Not all browsers support your certificate.
    HTTPS libraries vulnerability can lead to website’s origin server hack. The problem here, is that libraries are just like code executed directly on server. If there are vulnerability, you can not only decrypt the traffic, but also execute code on the server.
    Certificates are just bunches with problems.. revocation, revalidation, libraries deprecation. And it worth mentioning, that certificate system makes web centralized. When someone visit your HTTPS website it basically query some other central server. If someone will have this server, he can get information about all your visitors. And that’s shocky, i think.

    I am not against of encryption, but do not FORCE. HTTP is not LEGACY, it’s HTTP, the protocol which should be here forever. It’s good, fast, and well enough. That’s really tricky question does HTTPS securer than HTTP. Encryption helps sometimes to prevent injections, but it’s rather easy to bypass that. Can NSA decrypt your HTTPS? Most probably yes. Can webmater of website spy on you in HTTPS? Yes and it’s even easier with HTTPS and HSTS because of HSTS super cookie. Does HTTPS protect your password? Well, there are a chance, but if you think that HTTPS is a magic cure, you are complete idiot.

    My vote would be never use your browser if you will deprecate HTTP. That’s very easy to find an alternative or to fork you code, so think yourself how much such decision can cost you. This phrase i want also to said to Chrome dev team. Internet is live on developers. If you will start to do shit things, you will be replaced.

  17. Leniy wrote on :

    Sercure https also not safe when using local cc

  18. Hubot wrote on :

    This is the endpoint in a long row of false decisions.

    My free site with all my free ressources has to earn money, I cant pay all the servers out of my pocket. And its a matter of fact that your revenue drops drastically if you switch to https because many advertisers are not ready for it.

    I will stop recommending Firefox. Mozilla has become a @$%6&”

  19. Martin wrote on :

    The recommendation for WoSign in the FAQ is questionable, they still use SHA1 for their own website’s certificate:

    http://i.imgur.com/YSpq5Nh.png

  20. KM wrote on :

    HALT! Your certificate please! … No certificate? Off to the Data Gulag!

    Where was this crazy idea born? At a meeting of net-hippsters and off the reality technocrat-feminist?

    What would happen, if they succeed with this – another shortsighted feelgood solution-abduction?

    Many companies would not allow web usage anymore, encrypted traffic cannot be controlled (data leakage). Except the known friendly sites, in short google and facebook! Yes, it’s sad but for many people this would be enough.

    Power usage would multiply, new hardware, in short terms a lot of new costs and complexity.

    And more.

    Some guys and girls at Mozilla seem to be good helicopter parents with a vision, what people need and even more don’t need.

More comments: 1 3 4 5 6 7