By Matthew Broersma
Mozilla is looking to formally phase out Websites that don’t rely on the secure SSL or TLS protocols, in a move that has ignited controversy amongst Web developers.
“Today we are announcing our intent to phase out non-secure HTTP,” said Firefox security lead Richard Barnes in a blog post. “There’s pretty broad agreement that HTTPS is the way forward for the Web.”
HTTPS, or HTTP Secure, refers to Websites that use the Web’s standard hypertext transfer protocol, or HTTP, in combination with the SSL or TLS encryption techniques.
Barnes referred to recent statements by organizations including the U.S. government calling for the universal use of encryption, and said that Mozilla will begin limiting the features offered to Websites that don’t deploy it.
“Mozilla is committing to focus new development efforts on the secure Web, and start removing capabilities from the non-secure Web,” Barnes stated.
A key point will be to set a date by which all new features will be available only to encrypted Websites, followed by a gradual phase-out of access to browser features that don’t use encryption, particularly “features that pose risks to users’ security and privacy,” Barnes said.
Firefox has backed the spread of Web encryption through efforts such as Let’s Encrypt, which it co-sponsored last November, and which aims to provide free TLS certificates to any domain name owner, along with management tools.
However, a strategy that would phase out the browser features available to non-encrypted Websites faces significant hurdles, primarily because, as Barnes acknowledged, it would mean that many Websites would stop working properly.
“Removing features from the non-secure Web will likely cause some sites to break,” he wrote. “So we will have to monitor the degree of breakage and balance it with the security benefit.”
The move would mean an inconvenience to many, since it would ultimately require anyone running a Website or any kind to deploy encryption tools—something that remains complex, in spite of the existence of programs such as Let’s Encrypt. The move would also mean that, for instance, a Web application running or being tested on a company’s internal network would need to be encrypted in order to work properly in Firefox.
However, some developers have opposed the move in principle, since it would limit Web publishing to those with the means to deploy encrypted Websites.
That would seem to run against the values of the “Open Web” movement, of which Mozilla is a prominent advocate, according to developer Sven Slootweg, a backer of widespread encryption.
“I believe that this decision is harmful to the open Web,” he wrote in a blog post. “Introducing forced TLS would create an imbalance between those who have the money and means to purchase a certificate (or potentially many certificates), and those who don’t… Isn’t the point of an ‘open Web’ that the same features are available to everybody, regardless of financial means or other qualifications?”
He added that it would be wrong to shift developers toward universal Web encryption when the mechanisms currently in place have “fundamental” weaknesses, as has been illustrated by recent security slip-ups involving major companies such as Microsoft and Google.
“There are fundamental problems with the way TLS is currently deployed in practice, problems that absolutely need solving before a forced global deployment of TLS can happen,” Slootweg wrote.
Mozilla argued the discussion should now focus on what features should be blocked for unencrypted Websites, noting that some are already limited.
“Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure Website,” Barnes wrote. “There have also been some proposals to limit the scope of non-secure cookies.”
He added that the proposed phase-out is intended to “send a message” about security.
“The goal of this effort is to send a message to the Web developer community that they need to be secure,” Barnes wrote.