Deprecating Non-Secure HTTP

Today we are announcing our intent to phase out non-secure HTTP.

There’s pretty broad agreement that HTTPS is the way forward for the web.  In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.  There are two broad elements of this plan:

  1. Setting a date after which all new features will be available only to secure websites
  2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

For the first of these steps, the community will need to agree on a date, and a definition for what features are considered “new”.  For example, one definition of “new” could be “features that cannot be polyfilled”.  That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>).  But it would still restrict qualitatively new features, such as access to new hardware capabilities.

The second element of the plan will need to be driven by trade-offs between security and web compatibility.  Removing features from the non-secure web will likely cause some sites to break.  So we will have to monitor the degree of breakage and balance it with the security benefit.  We’re also already considering softer limitations that can be placed on features when used by non-secure sites.  For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website.  There have also been some proposals to limit the scope of non-secure cookies.

It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP directive, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.
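How HSTS and upgrade-insecure-requests decide whether a legacy http:// reference gets upgraded, as an added example (not Mozilla's or Firefox's code). It models a browser's HSTS store and the CSP check in simplified form; the function names, hostnames and header values are constructed for illustration.

```javascript
// Added example. Header values and hostnames are constructed samples.

// Parse a Strict-Transport-Security value (RFC 6797 syntax).
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(";")) {
    const [name, raw = ""] = part.split("=");
    const key = name.trim().toLowerCase();
    const digits = raw.trim().replace(/^"|"$/g, "");
    if (key === "max-age" && /^\d+$/.test(digits)) policy.maxAge = Number(digits);
    if (key === "includesubdomains") policy.includeSubDomains = true;
  }
  // max-age is required; max-age=0 tells the browser to forget the host.
  return policy.maxAge > 0 ? policy : null;
}

// Remember a host's policy. Browsers ignore the header on plain-HTTP responses.
function recordHsts(store, responseUrl, headers) {
  const u = new URL(responseUrl);
  const value = headers["strict-transport-security"];
  if (u.protocol !== "https:" || !value) return;
  const policy = parseHsts(value);
  if (policy) store.set(u.hostname, policy);
  else store.delete(u.hostname);
}

// True if an enforced CSP header carries upgrade-insecure-requests.
function cspUpgrades(value) {
  return value.split(",").some((policy) => policy.split(";").some(
    (d) => d.trim().split(/\s+/)[0].toLowerCase() === "upgrade-insecure-requests"));
}

// URL a supporting browser would fetch for a subresource reference in a page.
function effectiveUrl(url, pageHeaders, hstsStore) {
  const u = new URL(url);
  if (u.protocol !== "http:") return u.href;
  const viaHsts = [...hstsStore].some(([host, p]) => u.hostname === host ||
    (p.includeSubDomains && u.hostname.endsWith("." + host)));
  if (viaHsts || cspUpgrades(pageHeaders["content-security-policy"] || "")) {
    u.protocol = "https:";
  }
  return u.href;
}

const store = new Map();
recordHsts(store, "https://legacy.example/", {
  "strict-transport-security": "max-age=31536000; includeSubDomains" });
console.log(effectiveUrl("http://img.legacy.example/a.png", {}, store));
```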

Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community.  We expect to be making some proposals to the W3C WebAppSec Working Group soon.

Thanks to the many people who participated in the mailing list discussion of this proposal.  Let’s get the web secured!

Richard Barnes, Firefox Security Lead

Update (2015-05-01): Since there are some common threads in the comments, we’ve put together a FAQ document with thoughts on free certificates, self-signed certificates, and more.

288 responses

  1. Roger wrote on :

    The real reason for deprecating HTTP and enforcing even non-important websites to use HTTPS, so that restrictive governments can ensure they’re arresting the right party upon mere suspicion or curiosity.

    Encryption also encourages more waste of energy versus just using plain text, and usually requiring people to upgrade to the newer and faster hardware.

    If there were other more legitimate reasons aside from fear, we would have been told by now.

    This is more like the analogy; because I do not feel safe traveling streets having rowdy bars at night, I’m going to carry a gun (or be a vigilante) versus just choosing to avoid the troubled streets at night. People have choices, and I think I’ll choose not to use encryption when I obviously do not need it the majority of my time. Makes me sick to see people devote themselves to writing code and climbing the ladder of life, only to endorse such meaningless policies for promoting controversies. What a waste of time.

    1. edison wrote on :

      Can’t Agree more!

    2. Dan wrote on :

      Richard Barnes (Firefox Security Lead) sold his soul to the devil and this is why he is pushing this agenda. All CAs have been compromised, which makes any SSL certificate insecure. I personally consider the PKI as good as clear text. If Barnes is a bit intelligent, he should know this. By forcing website owners to buy SSL certificates, he is opening the door on privacy and censor those who the government do not like the content (of course to protect the poor and vulnerable children from dangerous websites like wikileaks).

      1. Oliver wrote on :

        Complete and utter rubbish.

        Even if a CA is compromised, you don’t give the CA your private key, they simply sign your public key and it’s up to web clients to determine if they consider your certificate valid.

        Your assertion that “All CAs have been compromised” is pure brilliance… care to produce some actual evidence to back that up?

        1. Paul M wrote on :

          It doesn’t matter whether you give the CA your private key or not if the CA has been compromised, because those with control over the CA can MITM any connections you make and you’ll be unable to tell.

          1. Joao Santos wrote on :

            Because non encrypted connections are way better against MITM /s

    3. Samehere wrote on :

      Check out https://letsencrypt.org/

    4. Jens wrote on :

      I’m afraid he’s right. Tell people they care about security and then to use an already compromised technology. So sad most people don’t know this. Conspiracy?? – well – sometimes when they cry wolf – a wolf will come. Look at documentaries on youtube about the 2008 crises – about 9/11 – how the federal reserve robs every american. So many strange things going on. Bush saying PUBLICLY “Let’s us not listen to conspiracy theories. Let us focus our time on catching the terrorists”. If you don’t want conspiracy theories, then let the public see the evidence instead of hiding 90% of it. It’s sad, and most likely they will get away with it.

  2. Roger wrote on :

    Should also mention, things seem to have gone pretty well after the Bible was translated, or decrypted, into the King James version.

  3. Pffff wrote on :

    Way to go Mozilla, to demolish your userbase; giving them to m$ and g00gl for free…

  4. Jason wrote on :

    Since I’m not a techie, I don’t really understand what this means to my ability to access the sites I want. However, several of my relatives and friends have websites. If I can’t get to them (and others) using Firefox, I’ll use another browser.

    1. Chris wrote on :

      Nothing really. In the short term nothing changes, in the long term some browser features may not work.

  5. liderbit wrote on :

    Mozilla, you will lose your already decreasing number of clients in favor of chrome. Your strategy pretty much *****

  6. CoolFire wrote on :

    I’m sure this is good news for the hosting providers who are still charging people for an ssl cert. And on a shared hosting platform, you generally don’t have the access to the config you need to install your own cert.

  7. M. Edward (Ed) Borasky wrote on :

    While this seems wonderful on the surface, it is not cost-free to the website owner. It requires *purchase* and installation of a certificate, and a regular renewal.

    I think we need to think harder – make it free to the website owner or come up with a solution other than HTTPS.

    1. Chris wrote on :

      There are free cert providers out there.

      1. Jeff wrote on :

        They aren’t fully supported.

        1. Samehere wrote on :

          Check out https://letsencrypt.org/

          1. Grover wrote on :

            You keep posting this like it’s the solution to everyone’s concerns, but it’s not even a live site yet. This is not a real solution until they start issuing certs and every system sees them as valid/better than self-signed.

          2. foreigner wrote on :

            > https://letsencrypt.org/

            Just another vendor lock-in and single point of failure.

  8. open-source wrote on :

    Why are you punishing open-source projects?

    There are a lot of ISPs and other companies (e.g. Blogger) who also can’t provide SSL to users who you are punishing in very large numbers with this decision.

    Code hosting sites such as Sourceforge project web also do not support SSL so you are in effect punishing a very large amount of open source projects who can’t afford their own web hosting.

    You should be working with the industry on a coordinated effort to deal with these issues instead of making yourself irrelevant to both the developer community and individual users.

    The fact that this will severely punish thousands of Sourceforge projects (some of whom your source code belongs) is very short sighted and you really should work with the industry or you will be making yourself even more irreverent.

  9. NameRequired wrote on :

    No problem !, the deep web increases, those who can not afford certified disappear in the deep sea, governments will control more and better what’s on the web and I miss firefox.

    Excellent!

  10. Luc wrote on :

    Have they thought about that growing number of (local) devices with a web-based UI?
    Routers and NASes are just the ones we’ve known for years already.

    I think someone at Mozilla has just bought stakes in a certificate authority, and is now pushing to make a certificate for each IoT device a requirement to get it up and running.

    1. 22decembre wrote on :

      Mozilla finances itself by auditing CAs before including them in the browsers.

      So they have not bought shares there: they charge them! And they are mounting their own free CA also!

      1. Daniel Veditz wrote on :

        The CAs pay no money to Mozilla for inclusion in the browser. We do require audits but we do not perform them, and we do not receive payments from the auditors. Maintaining the list of CAs in our browser is strictly a money-losing proposition for us (but necessary and good for the web).

  11. NameRequired wrote on :

    Instead of blocking self signed certificates and highlighting some special certs, Firefox should show a ranking how trustful the certificate is (manually added, selected CAs, official CAs, CAcert, selfsigned) in form of a traffic light.
    Additionally it should show how secure the connection is (PFS, cipher, hash etc.).

  12. Jeff wrote on :

    You know the only way this could work is if SSL certificates were secure and free.

  13. Samehere wrote on :

    Just a short wait. Check out https://letsencrypt.org/

  14. grin wrote on :

    Funny how everyone tech-savvy kind of ignore the entropy problem. A normal website host can handle millions of connections easily while simply choke and die on a moderate amount of secure connections which require lots of random numbers which require lots of entropy. Ever wondered why businesses selling entropy sources are in the business? Yeah, you may say “hey if you want high traffic spend the money”, forgetting that that’s what the fuss is about. Many people do not want to pull up a server farm to serve the pages or try to get entropy somewhere. Virtual servers? Oh yeah, even more fun about entropy.

    Okay, so you don’t want your shiny new https server to wait tens of seconds for blocking random numbers so you use urandom. Which means _pseudo_ random. More entropy you draw, more pseudo. Less random. Less security in encryption.

    And yes, setting it up is a great hassle, and doing IP virtual hosting is a hassle (yeah get more ipv4, oh, you mean we’ve run out 2 years ago? what ipv6? where, when?).

    But apart from all there are still units with 10+ years old code running on their management cards. They will support https approximately in 1st april, 2048.

  15. Mozinet wrote on :

    A Mozilla FAQ in PDF? Really? It’s not cool for readability on mobile, accessibility and SEO.

  16. F. Ree wrote on :

    Once upon a time “free software” with “free” as in “free speech” meant that the user was empowered and could do what he or she wanted.

    For quite some time now, Firefox, Thunderbird and Mozilla have developed into net-nannies, telling the user what they (Mozilla) feel is good or bad for them. Maybe that’s a good approach for digital stupids but it certainly is not a good idea for that user community which initially helped make Firefox what it is today.

    Maybe some smart person will come up with the idea of making all of this an option which easily can be turned on or off. If not…well…we will have to use a “more” “free” browser, when Mozilla ruins it again.

    Somehow it looks like every good browser has to crash in numbers once in a while to remind the second generation of developers what had been the reason to develop it for the first generation of developers.

    TL;DR: Cut that crap, Mozilla and keep Firefox FREE. And learn what FREE software means if you forgot that…

  17. Sigh wrote on :

    It’s almost like Mozilla is intentionally killing FireFox. I can hear the complaints now. “Why is this website showing a security error? I use it all the time and it works fine in Chrome.”

    Sigh.

    1. Sighing louder wrote on :

      That’s right. Even now Firefox (fav browser, for now) occasionally tries to ruin my web surfing by choosing for me what’s risky and what’s not – on absolutely clean web resources that I have to either add to “trusted websites” then or – simply – open in Chrome. Can’t imagine what could happen when these “removing capabilities” takes place…

  18. Fx-User wrote on :

    This encryption idea should be an option that the computer’s administrator decides on. Like the extension signing idea, there is no flexibility given to the user. The thing that got Firefox rolling was the ability to have web browsing as the user chooses, through extensions and so forth.

    This change into edicts is a big mistake.

  19. Enrique wrote on :

    For once I do not agree at all with this decision. TLS requires a complex implementation that greatly augments the possibility of remote attacks. At least for local intranet and loopback connections there must exist support for non bloated HTTPS.

  20. Dave Ross wrote on :

    Forcing the use of HTTPS will not necessarily guarantee security… I’d call it with its name: YACBA (yet another captive business attempt).

    What’s wrong with letting the world be FREE (even to make mistakes)?

    I really cannot understand your way of doing things… firefox is less stable than it should be, it will force people to choices they are not willing to make… do you realize that you are going to lose a part of the browser share that was built very hardly in the past years?

    My 2 cents.
