In this day and age, millions of Internet users benefit from improved security on the web. Still, some fall prey to non-secure websites. As such, Mozilla has begun phasing out non-secure HTTP in its browser.
Mozilla to phase out Non-Secure HTTP
Mozilla today announced that it is deprecating non-secure HTTP, especially features of non-secure websites that pose risks to users’ security and privacy. The browser maker is, in a way, committing itself to focus on new developments on the web.
There are two broad elements of this plan:
- Setting a date after which all new features will be available only to secure websites.
- Gradually phasing out access to browser features for non-secure websites.
“Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community,” wrote Firefox security lead Richard Barnes in a blog post.
Mozilla made this decision taking note of statements from the IETF, IAB, W3C, and the U.S. Government calling for universal use of encryption. While the early announcement signals the deprecation of non-secure HTTP, it does not mean the complete removal of HTTP support from Firefox now.
It is probably the first step in the right direction. Mozilla is aware that it needs to give webmasters and companies enough time to make the necessary changes to their web properties before features are removed for HTTP sites.
Some sites might not have upgraded to HTTPS because, even if certificates are available for free, it still requires time and the necessary infrastructure to execute a plan of this scale. Moreover, it is quite a technical process that usually requires some troubleshooting on the site itself to get it right.
Google is already considering HTTPS as a ranking signal for its search results. Mozilla becomes the second company to take a step towards promoting HTTPS.
Mozilla already uses its own cert store so that if by DNS spoofing/proxying someone attempts MTM, any resolved pages won’t load; unfortunately, this seems to affect VPNs which have a search engine other than the one put in Mozilla’s browser store the first time you used it without VPN…this does not serve encryption issues by itself.
Odds for safety certainly improve where all connected-to sites must be encrypted, but will all sites have at least 256 AES…a number of prominent security sites have said up to 74% of sites vulnerable to the RC4-based “Heartbleed” attack are still so vulnerable. Then, how well do highly connection-secure sites police downloadable content…Google Store extension debacles come to mind.
Until all sites have the kind of security one can find in a good VPN, it’s no sure thing you’ll be absolutely safe via global encryption. Again, encryption is a good base to expand security, but to cold-turkey shut out non-https sites for Mozilla acting alone makes them a browser already lower in popularity which sites can ignore; citing in your article what sort of time/cash scale projects require, for now, for Google to promote better-financed https sites over others seems somehow a contribution to the erosion of net neutrality….especially when “better” sites remain vulnerable to the most publicized of simple attacks.
Thanks for a great article, and have a great weekend!