Mozilla Moving Toward Full HTTPS Enforcement in Firefox

The Mozilla Foundation announced yesterday that it is in the process of making HTTP connections incompatible with its popular Firefox Web browser.

The Mozilla Foundation is initiating the process to phase out insecure HTTP connections in the Firefox browser. The decision is part of a broader movement to encrypt the Web, which in the case of Mozilla Firefox, means permitting only encrypted HTTPS browser connections.

Mozilla is the developer of Firefox, which accounts for between 12 and 22 percent of the browser market share across its various versions. The group has not yet established a timeline for the deprecation of HTTP.

Firefox security lead Richard Barnes says the plan to implement full HTTPS enforcement in the browser consists of two broad steps. First, the group will select a date, after which new Firefox features will be available only to secure, HTTPS-enabled websites. The second step will be to begin making existing features incompatible with insecure, HTTP sites, particularly features with security and privacy implications.

Of course, it’s not altogether clear what constitutes a “new” feature, so Mozilla plans to work with its developer community to clearly define what a new feature is before settling on a hard date. Perhaps more complicated will be the decision to start cutting off existing features for HTTP connections. Mozilla acknowledges that it will need to strike a balance between securing and breaking websites, because cutting off HTTP access to critical features will necessarily have a deleterious effect on certain sites.

“We’re also already considering softer limitations that can be placed on features when used by non-secure sites,” said Barnes yesterday. “For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website. There have also been some proposals to limit the scope of non-secure cookies.”

The movement toward full SSL adoption on the Web is by no means new. However, revelations of vast, pervasive and unchecked National Security Agency spying on American citizens have lit a fire under the movement over the past few years. Google announced last year that it would grant search favor to sites deploying HTTPS. Earlier this month, the search giant announced it would begin forcing encryption on its ad services as well.

  • Briuan M on

    What a blithering idiot Richard Barnes is! The choice of HTTP or HTTPS should be up to the user and web site owners not to little upstarts like this! We are getting way too many of these little dictators in the industry, who have no idea the harm this does to those of us on low speed connections, and to be honest on most sites who cares about security. Even worse encrypting everything actually increases the risk of the bad guys breaking into your system, they have much more known data to analyse.
  • Lee on

    Firefox: The more they dictate, the more irrelevant they become. I decide what is best for me, not mozilla, not the "state", not Google, not barry sotoro, the babble candidate. Hey Mozilla: Stick it!
  • Wayne Manners on

    Yeah this is ridiculous! I'm JUST finally figuring out how to use "ssh" instead of telnet and now they want to kill off plain text http?!?!? INSANITY!
    • Jb on

      Wayne, "just now" starting to use ssh instead of telnet? Wow, lucky no one has recorded your comms before today. Oh wait. They did. You're about 15 years late.
  • MaryAnn on

    I stopped using Mozilla after they ousted their CEO for having supported a marriage in between a man and woman as opposed to the homosexual marriage supported by Mozilla.
  • StygianAgent on

    Ok... so what does this mean for the Tor-Browser that utilizes Firefox as its core? Does Firefox's staff actually think that they'll be able to dictate the construction of DarkNet infrastructure? I think the opposite will happen. I think this will lead the Tor Community to find an alternative to Firefox as the core of the Tor Browser Bundle. IMHO, Firefox has become what its creators set out in the beginning to destroy. It's now more bloated than IE, and could be considered one of the slowest browsers on a modern PC, although really, it's hard to benchmark any of them anymore with how gunked up with plugins most browsers are today. Personally, I prefer to keep it simple and use Chromium with 4 extensions: Proxy-Switchy-Sharp, Email-This-Page, Clear Cache, and JSOFF (a toggle for jscript). This works very well for my needs, though some might go further for even stronger anonymity. Compared to the most recent Tor Browser Bundle, my chromium based solution works about 20%-40% faster overall, and from what I've been able to discern by screening my own traffic, it's no less safe. Of course, a large part of the warnings related to using alternatives to the TorBrowser bundle are founded on the fact that most people don't own several of their own DNS servers (unlike myself, where I have 3 internal and 2 external DNS servers) and an IPS configured to isolate all traffic stemming from the workstation's entire CIDR/segment to eliminate any direct communications between end-point workstations and remote addressing services used and logged by their ISP. It's a lot easier to be untraceable when you don't use your ISP's DNS at all.
  • Pat on

    I can't decide if the above commenters are snark or just odd. But I am glad Mozilla is forcing an encrypted web.
  • Jb on

    Encrypting the Web is a start. Next, how about encrypting ALL communication between mail servers, which might be the beginning of the end for spam?
