{"id":1971,"date":"2015-04-30T15:24:37","date_gmt":"2015-04-30T22:24:37","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=1971"},"modified":"2016-09-30T02:49:08","modified_gmt":"2016-09-30T09:49:08","slug":"deprecating-non-secure-http","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2015\/04\/30\/deprecating-non-secure-http\/","title":{"rendered":"Deprecating Non-Secure HTTP"},"content":{"rendered":"<p>Today we are announcing our intent to phase out non-secure HTTP.<\/p>\n<p>There&#8217;s pretty broad agreement that HTTPS is the way forward for the web. \u00a0In recent months, there have been statements from <a title=\"Pervasive Monitoring Is an Attack\" href=\"https:\/\/tools.ietf.org\/html\/rfc7258\">IETF<\/a>, <a title=\"IAB Statement on Internet Confidentiality\" href=\"https:\/\/www.iab.org\/2014\/11\/14\/iab-statement-on-internet-confidentiality\/\">IAB<\/a> (even the <a title=\"Adopting Encryption: The Need for HTTPS\" href=\"http:\/\/www.iab.net\/iablog\/2015\/03\/adopting-encryption-the-need-for-https.html\">other IAB<\/a>), <a title=\"Securing the Web\" href=\"https:\/\/w3ctag.github.io\/web-https\/\">W3C<\/a>, and the <a title=\"The HTTPS-Only Standard\" href=\"https:\/\/https.cio.gov\/\">US Government<\/a> calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.<\/p>\n<p>After a <a title=\"Intent to deprecate: Insecure HTTP\" href=\"https:\/\/groups.google.com\/d\/topic\/mozilla.dev.platform\/xaGffxAM-hs\/discussion\">robust discussion<\/a> on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web. 
\u00a0There are two broad elements of this plan:<\/p>\n<ol>\n<li>Setting a date after which all new features will be available only to secure websites<\/li>\n<li>Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users\u2019 security and privacy.<\/li>\n<\/ol>\n<p>For the first of these steps, the community will need to agree on a date, and a definition for what features are considered &#8220;new&#8221;. \u00a0For example, one definition of &#8220;new&#8221; could be &#8220;features that cannot be polyfilled&#8221;. \u00a0That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using &lt;canvas&gt;). \u00a0But it would still restrict qualitatively new features, such as access to new hardware capabilities.<\/p>\n<p>The second element of the plan will need to be driven by trade-offs between security and web compatibility. \u00a0Removing features from the non-secure web will likely cause some sites to break. \u00a0So we will have to monitor the degree of breakage and balance it with the security benefit. \u00a0We\u2019re also already considering softer limitations that can be placed on features when used by non-secure sites. \u00a0For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website. \u00a0There have also been some proposals to limit the scope of non-secure cookies.<\/p>\n<p>It should be noted that this plan still allows for usage of the &#8220;http&#8221;\u00a0URI scheme in legacy content. 
With <a title=\"HTTP Strict Transport Security (HSTS)\" href=\"http:\/\/tools.ietf.org\/html\/rfc6797\">HSTS<\/a> and the <a title=\"Upgrade Insecure Requests\" href=\"http:\/\/www.w3.org\/TR\/upgrade-insecure-requests\/\">upgrade-insecure-requests<\/a>\u00a0CSP directive, the &#8220;http&#8221; scheme can be automatically rewritten to &#8220;https&#8221; by the browser before any request is sent, and thus run securely.<\/p>\n<p>Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. \u00a0We expect to be making some proposals to the W3C WebAppSec Working Group soon.<\/p>\n<p>Thanks to the many people who participated in the mailing list discussion of this proposal. \u00a0Let\u2019s get the web secured!<\/p>\n<p>Richard Barnes,\u00a0Firefox Security Lead<\/p>\n<p><strong>Update (2015-05-01):<\/strong> Since there are some common threads in the comments,\u00a0we&#8217;ve put together a <a title=\"FAQ\" href=\"https:\/\/blog.mozilla.org\/security\/files\/2015\/05\/HTTPS-FAQ.pdf\" target=\"_blank\">FAQ document<\/a>\u00a0with thoughts on free certificates, self-signed certificates, and more.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today we are announcing our intent to phase out non-secure HTTP. There&#8217;s pretty broad agreement that HTTPS is the way forward for the web. 
\u00a0In recent months, there have been &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/04\/30\/deprecating-non-secure-http\/\">Read more<\/a><\/p>\n","protected":false},"author":998,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,45499],"tags":[],"coauthors":[282900]}
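The post's sentence about HSTS and the upgrade-insecure-requests CSP directive describes a rewrite the browser performs on its own. The block below is an added example of that logic, written for this page; it is not code from Firefox or from the post. It parses a Strict-Transport-Security header as RFC 6797 specifies, keeps a per-host policy store with superdomain matching and expiry, and decides whether a given http:// request is rewritten to https:// by HSTS, by the issuing page's CSP directive, or not at all. The host names (example.com, cdn.test and so on), header values and timestamps are constructed for the example.

```javascript
// Added example, not code from Mozilla or Firefox: a compact model of how a
// browser rewrites "http://" to "https://" using the two mechanisms the
// post names, HSTS (RFC 6797) and the CSP upgrade-insecure-requests
// directive. All hosts, header values and timestamps are constructed.

// Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
// Returns { maxAge, includeSubDomains }, or null when the header must be
// ignored (max-age missing or non-numeric, or any directive repeated).
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  const seen = new Set();
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    // directive values may be quoted strings; strip the quotes
    const val = eq === -1 ? null : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) return null;          // a directive MUST NOT repeat
    seen.add(name);
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
    // unrecognised directives (e.g. "preload") are ignored, as the RFC says
  }
  if (maxAge === null) return null;            // max-age is required
  return { maxAge, includeSubDomains };
}

// RFC 6797 section 8.1.1: an IP-address host never becomes an HSTS host.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
}

// The browser's HSTS policy store, keyed by host name.
class HstsStore {
  constructor() { this.policies = new Map(); }

  // Record, refresh or revoke the policy for `host` from one response.
  // Only a response received over TLS is honoured (section 8.1), so a
  // header injected into a plaintext response cannot plant a policy.
  processHeader(host, headerValue, { overSecureTransport, now }) {
    if (!overSecureTransport || isIpLiteral(host)) return false;
    const parsed = parseHsts(headerValue);
    if (parsed === null) return false;
    if (parsed.maxAge === 0) {                 // max-age=0 revokes the policy
      this.policies.delete(host);
      return true;
    }
    this.policies.set(host, {
      expires: now + parsed.maxAge,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Is `host` a Known HSTS Host (section 8.2)? Either an exact, unexpired
  // entry, or a superdomain entry that carries includeSubDomains.
  isKnownHost(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const policy = this.policies.get(candidate);
      if (!policy) continue;
      if (policy.expires <= now) { this.policies.delete(candidate); continue; }
      if (i === 0 || policy.includeSubDomains) return true;
    }
    return false;
  }
}

// Decide which URL the browser actually fetches. `ctx` describes the page
// issuing the request: current time, whether its CSP carried
// upgrade-insecure-requests, its host, and whether this is a navigation.
// The CSP directive upgrades subresource loads and same-host navigations
// but not navigations to other hosts; an HSTS policy applies to every
// request for a known host regardless of which page issued it.
function upgradeRequest(urlString, store, ctx) {
  const url = new URL(urlString);
  if (url.protocol !== 'http:') return url.href;  // nothing to upgrade
  const byHsts = store.isKnownHost(url.hostname, ctx.now);
  const byCsp = ctx.upgradeInsecureRequests &&
    (!ctx.isNavigation || url.hostname === ctx.pageHost);
  if (!byHsts && !byCsp) return url.href;
  // Section 8.3: swap the scheme. The WHATWG URL parser already drops an
  // explicit :80 on http, so https gets its default 443; any other explicit
  // port (e.g. :8080) is preserved, as the RFC requires.
  url.protocol = 'https:';
  return url.href;
}

// Usage: a first HTTPS visit stores the policy; a later http:// link to a
// subdomain is rewritten before any plaintext request leaves the browser.
const demoStore = new HstsStore();
demoStore.processHeader('example.com', 'max-age=31536000; includeSubDomains',
  { overSecureTransport: true, now: 1000 });
console.log(upgradeRequest('http://www.example.com/login', demoStore,
  { now: 2000, upgradeInsecureRequests: false, isNavigation: true, pageHost: 'other.test' }));
// prints https://www.example.com/login
```

Two caveats follow directly from the model. HSTS is trust-on-first-use: a host the browser has never reached over HTTPS has no stored policy, so its first http:// request still goes out in the clear (browser preload lists exist to close that gap). And upgrade-insecure-requests only affects requests issued by pages the site itself serves with that directive, so neither mechanism helps a user who types an http:// URL for a site that has never sent either header.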