The Mozilla Foundation is initiating the process to phase out insecure HTTP connections in the Firefox browser. The decision is part of a broader movement to encrypt the Web, which in the case of Mozilla Firefox, means permitting only encrypted HTTPS browser connections.
Mozilla is the developer of Firefox. It accounts for between 12 and 22 percent of the browser market share throughout its various versions. The group has not yet established a timeline for the deprecation of HTTP.
Firefox security lead Richard Barnes says the plan to implement full HTTPS enforcement in the browser consists of two broad steps. First, the group will select a date, after which new Firefox features will be available only to secure, HTTPS-enabled websites. The second step will be to begin making existing features incompatible with insecure, HTTP sites, particularly features with security and privacy implications.
Of course, it’s not altogether clear what constitutes a “new” feature, so Mozilla plans to work with its developer community to clearly define what a new feature is before settling on a hard date. Perhaps more complicated will be the decision to start cutting off existing features for HTTP connections. Mozilla acknowledges that it will need to strike a balance between securing and breaking websites, because cutting off HTTP access to critical features will necessarily have a deleterious effect on certain sites.
“We’re also already considering softer limitations that can be placed on features when used by non-secure sites,” said Barnes yesterday. “For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website. There have also been some proposals to limit the scope of non-secure cookies.”
The movement toward full SSL adoption on the Web is by no means new. However, revelations of vast, pervasive and unchecked National Security Agency spying on American citizens have lit a fire under the movement over the past few years. Google announced last year that it would grant search favor to sites deploying HTTPS. Earlier this month, the search giant announced it would begin forcing encryption on its ad services as well.
