Mozilla says HTTPS is the way forward for the Web


The web developer community can hear a rallying cry loud and clear: Let's hear it for web security. Mozilla, the group behind the browser Firefox, is turning up the volume by saying enough's enough with non-secure HTTP. The Foundation has made a move to protect users from snoopers.

HTTP stands for Hypertext Transfer Protocol, used for web data exchange. Mozilla is instead opting for the encrypted version, HTTPS, providing better .

According to a draft document by a security lead and his colleague at Mozilla, a first step in that direction should be to make it less appealing to deploy new things over non-secure HTTP, so as to create incentives for HTTPS adoption. Fortune carried a link to the draft document, titled "Insecure HTTP Deprecation Plan."

Fortune said about 30 percent of Internet traffic in North America is protected with HTTPS, but Sandvine, a networking equipment company in Canada, has a report saying that over half the world's traffic will be secured by encryption by the end of the year.

In a blog post on April 30 titled "Deprecating Non-Secure HTTP," Mozilla announced its intent to phase it out. Certainly Mozilla is not alone in calling out the need for encryption. "In recent months," wrote Richard Barnes, Firefox Security Lead in the blog post, "there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS."

Moving forward, Mozilla has a two-step plan: Set a date after which all new features will be available only to secure websites and gradually phase out access to browser features for non-secure websites, especially features that pose risks to users' security and privacy.

At the same time, the Mozilla move "still allows for usage of the 'http' URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the 'http' scheme can be automatically translated to 'https' by the browser, and thus run securely."

To be sure, some web developers will want to know just how the move will affect their unencrypted sites and when. In a FAQ document, Mozilla's answer is "Transitioning the web to HTTPS is going to take some time. The first thing we're going to do is require HTTPS for new features." They also explained that in the long run, any changes such as removing or limiting features currently available to unencrypted sites "will be announced well ahead of any change, so you'll have time to update your site either to not rely on those features or, we hope, to move to HTTPS."

Also, anticipating there will be those who say "But there's nothing secret on my site! Why should I bother with encryption?" Mozilla's answer is, "HTTPS isn't just about encryption. It also provides integrity, so your site can't be modified, and authentication, so users know they're connecting to you and not some attacker."


More information: Mozilla blog: … ing-non-secure-http/

© 2015 Tech Xplore

Citation: Mozilla says HTTPS is the way forward for the Web (2015, May 4) retrieved 21 September 2019 from

User comments

May 05, 2015
Well, if Mozilla wants to pay the extra fees my website provider charges for that I'll be happy to use it but since there is nothing on my site of any use to a hacker or any log in type stuff I really don't see the point.
I see hacker attempts on it all the time in my record files but they are all people trying to break into wordpress software of which there is none on my website. It's all simple straight html which the idiots would see if they would just look at the listings first... not worth wasting their time over.

May 05, 2015
but since there is nothing on my site of any use to a hacker or any log in type stuff I really don't see the point.

Unsecured connections allow for attackers to interject your site traffic. They can spoof a person's browser to serve content that seems to be coming from your site, but in reality contains something malicious like a trojan or a virus.

This may happen for example, sitting in a net cafe where the attacker is sitting in the network gateway and listening in to traffic, able to intercept and modify packages. With a secured connection, they'd need to decrypt it first before they can successfully pretend to be your website.

May 11, 2015
Eikka sounds like a Firefox troll; I wonder if 24volts is too?

May 11, 2015
Whoa!! Mozilla must have hired Captain Obvious.

Awesome article too! Who would have told that HTTP does not actually stand for "Handme The Tea Pot!"

May 27, 2015
Eikka sounds like a Firefox troll; I wonder if 24volts is too?

No, I'm not, but I didn't know about the stuff Eikka was talking about either. I'm going to look into the subject now and then decide if it's worth it to me.
