Mozilla today announced its intent to phase out non-secure HTTP, and that it will be making some proposals to the W3C WebAppSec Working Group soon. Specifically, the company says it is committed to “new development efforts on the secure web and to start removing capabilities from the non-secure web.”
Richard Barnes, Firefox’s security lead, emphasized the company needs to work with the broader Internet community to achieve this ambitious objective. “Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community,” Barnes said, and then outlined Mozilla’s two-fold plans, though details on how exactly Firefox will be affected are still unclear.
First, Mozilla is hoping to set a date after which all new browser features will be available only to secure websites. Barnes noted that the community sets the definition for what features are considered “new,” but the general gist is to only allow them for HTTPS sites.
Second, Mozilla wants to gradually phase out access to browser features for non-secure websites (especially those that pose risks to users’ security and privacy). This will naturally need to be driven by trade-offs between security and web compatibility, Barnes pointed out:
Removing features from the non-secure web will likely cause some sites to break. So we will have to monitor the degree of breakage and balance it with the security benefit. We’re also already considering softer limitations that can be placed on features when used by non-secure sites.
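The two-fold plan above amounts to a browser-side gate: every feature request is checked against whether the page's origin is a secure context, and on a non-secure origin the feature is either refused outright (new features), allowed with a softer limitation, or left alone for web-compatibility reasons. The following is an added example, not Mozilla's or Firefox's code, of what such a gate looks like in JavaScript. The loopback exceptions in `isLoopbackHost` are an assumption modelled on the W3C Secure Contexts specification that later grew out of this effort (plain HTTP on localhost is still treated as secure), and the `FEATURE_POLICY` registry and the function names are constructed for illustration.

```javascript
// Added example: classify an origin as a secure context and gate browser
// features on it. Not Mozilla's code. The loopback rules are an assumption
// modelled on the W3C Secure Contexts spec; FEATURE_POLICY is a constructed
// registry, not a list of features Mozilla has committed to restricting.

const SECURE_SCHEMES = new Set(["https:", "wss:", "file:"]);

// Hosts a browser treats as trustworthy even over plain HTTP: loopback only.
function isLoopbackHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m[1] === "127" && m.slice(1).every((o) => Number(o) <= 255);
}

// True when a page served from `origin` should be treated as a secure context.
function isSecureContext(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // unparsable origins are never secure
  }
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  if (url.protocol === "http:" || url.protocol === "ws:") {
    return isLoopbackHost(url.hostname);
  }
  return false;
}

// Constructed registry: how each feature behaves on a non-secure origin.
//   "deny"    -> unavailable (the "new features only on HTTPS" rule)
//   "degrade" -> allowed with a softer limitation
//   "allow"   -> legacy feature left untouched (web-compatibility trade-off)
const FEATURE_POLICY = {
  geolocation: { nonSecure: "deny" },
  serviceWorker: { nonSecure: "deny" },
  camera: { nonSecure: "deny" },
  cookies: { nonSecure: "degrade", limit: "session-only" },
  xhr: { nonSecure: "allow" },
};

// Decide whether a page at `origin` may use `feature`, and under what limit.
function gateFeature(origin, feature) {
  const policy = FEATURE_POLICY[feature];
  if (!policy) return { allowed: false, reason: "unknown feature" };
  if (isSecureContext(origin)) return { allowed: true, reason: "secure context" };
  switch (policy.nonSecure) {
    case "deny":
      return { allowed: false, reason: "requires secure context" };
    case "degrade":
      return { allowed: true, reason: "non-secure context", limit: policy.limit };
    default:
      return { allowed: true, reason: "non-secure context" };
  }
}

// Usage: a non-secure page is refused a restricted feature but keeps legacy ones.
console.log(gateFeature("http://example.com", "geolocation")); // allowed: false
console.log(gateFeature("http://example.com", "cookies"));     // allowed with limit
console.log(gateFeature("https://example.com", "geolocation")); // allowed: true
```

Shipping browsers expose the result of this classification to page scripts as `window.isSecureContext`, so a site can check the same condition before calling a restricted API. The "degrade" branch is where the softer limitations mentioned in the quote would live; the breakage-monitoring trade-off the post describes is a matter of which features go in which bucket, not of the gate itself.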
Mozilla’s plans first came to light in a public discussion that started earlier this month, which noted that there have been statements from IETF, IAB, W3C, and the U.S. Government calling for universal use of encryption. Still, that was just a discussion.
Today, Mozilla has declared war on HTTP.