Mozilla has decided to take the bull by the horns and redefine web encryption standards by planning to phase out non-secure HTTP. When websites use HTTP, any information passed back and forth whilst browsing online is unencrypted, and Mozilla see this as something that they can change.
Richard Barnes, Firefox Security Lead, stated the following: “There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.”

Richard also said: “After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.” Mozilla plan on offering new features to secure websites, ensuring that users are not exposed to security and privacy risks. This will be done by a date yet to be agreed, along with what will be defined as new features. Richard clarified this in more detail, stating: “The community will need to agree on a date, and a definition for what features are considered “new”. For example, one definition of “new” could be “features that cannot be polyfilled”. That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities.”

When it comes to compatibility with older non-secure websites, Richard claims: “Removing features from the non-secure web will likely cause some sites to break. So we will have to monitor the degree of breakage and balance it with the security benefit. We’re also already considering softer limitations that can be placed on features when used by non-secure sites. For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website. There have also been some proposals to limit the scope of non-secure cookies.”

Will other browsers such as Google Chrome, Internet Explorer and Safari follow suit? Only time will tell.
