Mozilla encryption initiative will phase out HTTP

News by Ava Fedorov

A new Mozilla initiative aiming to clean up the browser's network will push websites to use HTTPS, phasing out insecure HTTP connections. Part of a broader movement to encrypt the web, Mozilla will bar insecure websites from access to new hardware features and possibly even revoke existing tools, though which tools and features are still under debate, according to online news sources.

"Removing features from the non-secure web will likely cause some sites to break so we will have to monitor the degree of breakage and balance it with the security benefit,” Mozilla security chief Richard Barnes commented in a blog post.

Mozilla's Firefox, the browser of choice for a quarter of global internet users, plans to give plenty of notice to developers before revoking features, and is likely to soften the blow by limiting feature abilities before an outright block. Some HTTP content might even still be functional, due to security features such as HSTS.

“This plan still allows for usage of the HTTP URI scheme in legacy content,” Barnes noted. “With HSTS and the upgrade-insecure-requests CSP attribute, the HTTP scheme can be automatically translated to HTTPS by the browser, and thus run securely."

The effective date still remains undecided though the company told news sources it will be submitting proposals to the W3C WebAppSec Working Group “soon.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews