Mozilla Deprecating HTTP For A More Secure Web (Update: Mozilla Responds)

Over the past year or so, Google has begun a campaign to increase the security on the Web. The company promised to declare HTTP sites appearing in Chrome as non-secure in a multi-step process over the next few years. It has also started encouraging the use of HTTPS through its search engine.

Not to be outdone, Mozilla also announced recently that it is going to start a process for deprecating non-secure HTTP features in Firefox while building new features that can work only with secure HTTPS connections.

The company hasn't yet selected a date for when this process will begin. It hasn't selected the features it's going to deprecate or the "new" features it's going to support for HTTPS connections, either. Mozilla is asking the community to help it decide on all of these things and is expecting to make some proposals to the W3C WebAppSec Working Group soon.

Many didn't seem to like Mozilla's announcement. The complaints ranged from having to pay for digital certificates annually when they currently don't have to do it for their non-secure HTTP sites, to HTTPS making their sites slow, to simply thinking HTTPS is just not needed for certain categories of websites.

Mozilla has prepared some rebuttals for all of these criticisms, but it remains to be seen if this will convince the skeptics.

For one, Mozilla said that there are already free certificate solutions right now, such as StartSSL, WoSign and the upcoming EFF project "Let's Encrypt." Mozilla has even built a tool to help website owners properly configure their HTTPS settings for strong security.

When processors were slower and didn't have support for AES hardware encryption, HTTPS did indeed negatively impact site performance. However, these days, the overhead is tiny for most websites, and in some cases HTTPS sites using the new HTTP/2 protocol may load even faster than non-encrypted HTTP.

Many seem to think that their websites don't need HTTPS encryption because they don't have sensitive information, or anything that could become a major privacy breach for the user. However, according to Mozilla, HTTPS is not only about maintaining the privacy of the sites' visitors, but also about keeping the integrity of the website intact.

Without HTTPS, someone could modify what the visitors see on the website and make them believe that what they see comes from the website -- for instance, the way some Internet service providers inject advertising into their customers' traffic.

Recently, with the discovery of China's "Great Cannon" cyber-weapon, HTTPS has become a defensive tool against state censorship, too, as HTTPS is supposed to stop that type of attack.

Mozilla believes there are many other reasons that make HTTPS not just a nice-to-have tool, but a must-have one if we are to have a dragnet-free, censorship-free, and attack-free Web in the future. At the same time, Mozilla is also working on some other security technologies such as DANE or Certificate Transparency that could make HTTPS even better in the long run.

Update, 5/04/15, 2:52pm PST: We asked Mozilla to comment on the story and to help clarify some issues that may have been misunderstood. Richard Barnes, Firefox Security Lead at Mozilla responded:

TH: Can you further clarify when Mozilla will start deprecating HTTP, and when do you expect this to start having an impact on a significant portion of HTTP sites?

RB: "Transitioning the Web to HTTPS is going to take some time, so whatever a website does today it will still work for months or years. The first thing we're going to do is require HTTPS for new features. In the long run, there is some discussion of removing or limiting features that are currently available to unencrypted sites. Those changes will be announced well ahead of any implementation, so users will have time to update their site either to not rely on those features or, we hope, to move to HTTPS. In the short run, the impact on HTTP-only sites will only be that they will not get new features. In the longer run, say several months or a year out, they may begin to lose features if they don't upgrade. We hope that most sites will choose the upgrade path."

TH: Is Mozilla working on some other encryption technology that could replace HTTPS in the future (say something like blockchain technology embedded into Firefox)?

RB: “We believe that HTTPS and the Web PKI are a good foundation for the Web, but like any technology, they can always be improved. We are working on upgrading HTTPS to use the emerging TLS 1.3 standard for encryption, and we are continually improving the assurance that our root CA program provides. We don't have anything to say right now about longer term technologies, but if people have proposals, we would be happy to hear them."

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • PaulBags
    Unless they're going to force EV what's the point?
  • agnickolov
    HTTPS per se won't stop your ISP from injecting ads, etc. If your ISP manages to trick your computer into installing its own root CA (as part of an "ISP welcoming" package for example), they can easily generate certificates to their heart's content and inject anything they want into your streams. They didn't need to do that so far, but a global move to HTTPS may very well incentivize them to do so.

    The biggest detractor for HTTPS nowadays is not so much the encryption/decryption overhead (as the author rightly points out), but the latency incurred for establishing a new connection. First time loading a new site is even slower with HTTPS. Repeated use won't be affected, however.