Mozilla is looking to formally phase out websites that don’t rely on the secure SSL or TLS protocols, in a move that has ignited controversy amongst web developers.
“Today we are announcing our intent to phase out non-secure HTTP,” said Firefox security lead Richard Barnes in a blog post. “There’s pretty broad agreement that HTTPS is the way forward for the web.”
Barnes referred to recent statements by organisations including the US government calling for the universal use of encryption, and said that Mozilla will begin limiting the features offered to websites that don’t deploy it.
“Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web,” Barnes stated.
A key point will be to set a date by which all new features will be available only to encrypted websites, followed by a gradual phase-out of access to browser features that don’t use encryption, particularly “features that pose risks to users’ security and privacy”, Barnes said.
Firefox has backed the spread of web encryption through efforts such as Let’s Encrypt, which it co-sponsored last November, and which aims to provide free TLS certificates to any domain name owner, along with management tools.
However, a strategy that would phase out the browser features available to non-encrypted websites faces significant hurdles, primarily because, as Barnes acknowledged, it would mean that many websites would stop working properly.
“Removing features from the non-secure web will likely cause some sites to break,” he wrote. “So we will have to monitor the degree of breakage and balance it with the security benefit.”
The move would mean an inconvenience to many, since it would ultimately require anyone running a website or any kind to deploy encryption tools – something that remains complex, in spite of the existence of programmes such as Let’s Encrypt. The move would also mean that, for instance, a web application running or being tested on a company’s internal network would need to be encrypted in order to work properly in Firefox.
However, some developers have opposed the move in principle, since it would limit web publishing to those with the means to deploy encrypted websites.
That would seem to run against the values of the “Open Web” movement, of which Mozilla is a prominent advocate, according to developer Sven Slootweg, a backer of widespread encryption.
“I believe that this decision is harmful to the open web,” he wrote in a blog post. “Introducing forced TLS would create an imbalance between those who have the money and means to purchase a certificate (or potentially many certificates), and those who don’t… Isn’t the point of an ‘open web’ that the same features are available to everybody, regardless of financial means or other qualifications?”
He added that it would be wrong to shift developers toward universal web encryption when the mechanisms currently in place have “fundamental” weaknesses, as has been illustrated by recent security slip-ups involving major companies such as Microsoft and Google.
“There are fundamental problems with the way TLS is currently deployed in practice, problems that absolutely need solving before a forced global deployment of TLS can happen,” Slootweg wrote.
Mozilla argued the discussion should now focus on what features should be blocked for unencrypted websites, noting that some are already limited.
“Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website,” Barnes wrote. “There have also been some proposals to limit the scope of non-secure cookies.”
He added that the proposed phase-out is intended to “send a message” about security.
“The goal of this effort is to send a message to the web developer community that they need to be secure,” Barnes wrote.
Are you a security pro? Try our quiz!
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…
View Comments
Maybe with idiots like this making decisions maybe its time to phase out Firefox. I for one don't want a browser then forces encryption on all sites. It slows the web down especially on lower powered machines and 1 M Bit or less bandwidth (major UK city fastest speed available.
Just another thought - how is it going to impinge on applications that use browsers locally to run an application using a built in server, will every user now need their own certificate to use it?
Mozilla fire this idiot before he destroys Firefox and the web,.