Mozilla Security: Deprecating Non-Secure HTTP - Politics Forum.org | PoFo


#14552612
The time has come:
Mozilla Security, 'Deprecating Non-Secure HTTP', 30 Apr 2015 wrote:

Today we are announcing our intent to phase out non-secure HTTP.

There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web. There are two broad elements of this plan:

  1. Setting a date after which all new features will be available only to secure websites
  2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

For the first of these steps, the community will need to agree on a date, and a definition for what features are considered “new”. For example, one definition of “new” could be “features that cannot be polyfilled”. That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities.

The second element of the plan will need to be driven by trade-offs between security and web compatibility. Removing features from the non-secure web will likely cause some sites to break. So we will have to monitor the degree of breakage and balance it with the security benefit. We’re also already considering softer limitations that can be placed on features when used by non-secure sites. For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website. There have also been some proposals to limit the scope of non-secure cookies.

It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.

Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon.

Thanks to the many people who participated in the mailing list discussion of this proposal. Let’s get the web secured!

Richard Barnes, Firefox Security Lead

It would appear that those who persisted in running non-secure HTTP sites (looking at you, PoFo admins) will soon have no choice whatsoever other than to get with the programme. Which is, of course, a good thing.
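
An added example, not part of the original post or of Mozilla's announcement: a check that a site's response headers actually enable the two mechanisms the quoted text names, HSTS and the `upgrade-insecure-requests` CSP directive. The function names, the 180-day `MIN_MAX_AGE` threshold and the sample headers are assumptions constructed for this illustration.

```python
MIN_MAX_AGE = 15552000  # 180 days; this threshold is an assumption of the example

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives."""
    out = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isascii() and arg.isdigit():
            out["max_age"] = int(arg)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
    return out

def csp_directives(value):
    """Names of the directives present in a Content-Security-Policy value."""
    return {d.split()[0].lower() for d in value.split(";") if d.strip()}

def audit(scheme, headers):
    """Return findings for one response; scheme is 'http' or 'https'."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme != "https":
        # Browsers ignore HSTS sent over plain HTTP (RFC 6797): only a redirect helps.
        if not h.get("location", "").lower().startswith("https://"):
            findings.append("http response does not redirect to https")
        return findings
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if hsts["max_age"] is None:
        findings.append("missing or invalid HSTS max-age")
    elif hsts["max_age"] < MIN_MAX_AGE:
        findings.append("HSTS max-age below %d seconds" % MIN_MAX_AGE)
    if not hsts["include_subdomains"]:
        findings.append("HSTS does not cover subdomains")
    if "upgrade-insecure-requests" not in csp_directives(
            h.get("content-security-policy", "")):
        findings.append("CSP lacks upgrade-insecure-requests")
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "weak": ("https", {"Strict-Transport-Security": "max-age=300",
                       "Content-Security-Policy": "default-src 'self'"}),
    "good": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                       "Content-Security-Policy": "upgrade-insecure-requests"}),
}

if __name__ == "__main__":
    for name, (scheme, headers) in SAMPLES.items():
        print(name, audit(scheme, headers))
```
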
#14552627
Yes, that was one of the key arguments made by the 'nay' side, namely that the top down authority-driven approach would end up creating a kind of informal 'barrier to entry' or 'increased expense' based around I guess three areas:

  • P1. Certain configurations of proprietary software that would require money to be spent to upgrade them (although I am not sure which circumstance this could occur in, someone would have to tell me).

  • P2. Increased computational power required by servers for handling encryption, thus resulting in increased power consumption, which costs money.

  • P3. Paying money to a Certificate Authority.

But my response to all of these in order would be:

  • A1. I have no idea which proprietary software would ask you to pay for an upgrade to gain the ability to use encryption, I can only assume that this is a hypothetical problem and should not be a real-world problem in 2015. Perhaps if this were 1995 it would be an argument, but surely not now. That stuff should be just standard. Also, why would anyone run oldschool proprietary hosting software anyway, and if someone were really in such a situation and knew ahead of time that this could happen, why have the costs of making the switch not already been factored into the budget? They would have factored that cost in, I think, because it was bound to happen eventually anyway.

  • A2. Processors in servers in this era tend to have hardware support for the commonly-used encryption algorithms. This means that with hardware acceleration, the power consumption problem is completely mitigated and is not a problem at all.

  • A3. The problem of paying money to a Certificate Authority is a valid issue, but that's why free CAs are being subsidised so that even if someone doesn't like paying for things, it's already been paid for by the sponsors and by donations.

So this is one of those things where at first it sounds ominous, but if you look at the situation then it's not really that ominous after all.
#14552628
As a server admin and general nerd, I would like to see https become more widely used.

Unfortunately, we are seeing, especially in China and Russia, movements to break independent protocols and international routing in the first place. I don't know if Mozilla's 11% market share is enough to push complete widespread reliance on https.
#14552643
Sorry to break the news, but the general public use of the Internet is not going towards more security. As long as 80% of users don't know what HTTP is, you aren't going to gain much practical ground on other security fronts.
#14552646
Zagadka wrote: As a server admin and general nerd, I would like to see https become more widely used.

Zagadka wrote: Unfortunately, we are seeing, especially in China and Russia, movements to break independent protocols and international routing in the first place.

That's true. A move which those kinds of people might make, is to basically move toward compromising Certificate Authorities and then running MITM attacks in that way. Another one that they could do is somehow forcing users to accept government certificates for the specific purpose of allowing the government to do MITM 'lawfully', similar to how admins on some corporate networks use the corporate certificate in that way, setting that certificate as an 'exception', and then doing MITM on everything 'with consent'.

That is one of those things where it's a legal challenge, since if the people in political authority can twist the user or vendor's arm into adding their certificates as exceptions with wildcards (functionally: creating a governmental CA and then having browsers accept the main cert of that CA, and then going MITM and presenting fake certificates on the fly which are signed by that governmental CA), then all security is immediately undone. China tried to do this with the CNNIC CA and was (thankfully) told to go fuck themselves by Google (I guess that was a bridge too far for them), and no doubt Russia will try the same kind of game in the future.

It's like cat and mouse.

Zagadka wrote: I don't know if Mozilla's 11% market share is enough to push complete widespread reliance on https.

This is the other problem, yes. It's in a way unfortunate that Google Chrome has all the market share now, since Google seems to be much less interested in actually consistently advocating for security than Mozilla is.
#14552647
The real problem is iOS, I think. It has such a huge market share and is in no way secure. The future, unfortunately, looks like it will be full of insecure independent devices sharing network data. The closest any idiot-user can get to understanding secure protocols is that there is a little lock icon next to the address (assuming that they can even locate the address bar).

The sad fact is that we still use protocols created decades ago, specifically because it is so hard to change. It was the story with Y2K, and no one has made things much better in other fields.

Google can go Bing itself.
#14552650
The idea is to remove even the option to not be secure, which is beyond most people.

HTTPS is a poor way to do it, though, given its significant drawbacks. Unfortunately, as I noted, implementing anything new can take a decade.
#14552651
Zagadka wrote: The real problem is iOS, I think. It has such a huge market share and is in no way secure. The future, unfortunately, looks like it will be full of insecure independent devices sharing network data.

I agree there too, iOS devices are basically weak on everything that everyone else is also weak on, in addition to also being an absolute gold mine of absurd vulnerabilities. In addition to that, iOS also has backdoors diagnostic services which have been added specifically to help governments get into your phone whenever they want.

This is even as Mac OS on the desktop continues to be an absolute shambles as well.

But Apple cultists would never know it, since they are too busy obsessing over 'blue bubbles vs. green bubbles'. Apple is really the absolute worst, and yet their smugness gives the impression that all is well, when all is absolutely not well with them.
