04 May 2015

Mozilla Security Blog: “Deprecating Non-Secure HTTP”

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web. There are two broad elements of this plan:

  1. Setting a date after which all new features will be available only to secure websites
  2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

    Richard Barnes

I’ve been critical of Google’s decision to give better ranking to secure websites, and all the points covered there apply here as well. What Mozilla is proposing is much, much worse: at some point in the future, you will no longer be able to access HTTP-only websites in Firefox! This will effectively cut off a large portion of the Internet, removing legacy content from the public eye.

The alternative (everybody switches HTTPS on) is in no way better: just a month ago Google and Mozilla decided to revoke security certificates from a Chinese authority, making it impossible for people to access sites using those certificates. What will stop them from censoring content they do not want people to see, like Apple’s Safari blocking Microsoft sites? What will stop governments from banning certificates issued outside their country, blocking information from the rest of the world? An HTTPS-only Internet effectively gives control over the online space to browser vendors and the companies issuing security certificates. Is that the ‘open web’ that Mozilla is supposed to promote?

Some more thoughts on this:

  • As someone who has long advocated the righteousness of fully-encrypted Internet communications, I find the attitude being expressed over at Mozilla to be infuriating, because while the end goal is laudable, the approach is indeed arrogant and almost religious in its fervor, and in its refusal to acknowledge the problems with which the “little guys” on the Net have to deal every day.

    Lauren Weinstein
  • In conclusion: no, TLS certificates are not really free. Introducing forced TLS would create an imbalance between those who have the money and means to purchase a certificate (or potentially many certificates), and those who don't - all the while promoting a cryptosystem as being 'secure' when there are known problems with it. This is directly counter to an open web.

    There are plenty of problems with TLS that need to be fixed before pressuring people to use it. Let's start with that first.

    Sven Slootweg
