
It’s HTTPS or bust for Firefox – Mozilla – Deprecating Non-Secure HTTP

Security 11 May, 2015


Mozilla’s plan to compel the use of encryption by default in Firefox faces backlash from Web developers.

Mozilla is on a mission to make encryption on the Web ubiquitous, but the cost could prove too high to pay. In a blog post published last week, Firefox Security Lead Richard Barnes declared that Mozilla would be “setting a date after which all new features [in Firefox] will be available only to secure websites.”

Without a secure connection, some features in Firefox would be disabled entirely, “especially features that pose risks to users’ security and privacy.”

 

After a robust discussion, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web. There are two broad elements of this plan:

  1. Setting a date after which all new features will be available only to secure websites
  2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

 

The date in question hasn’t been set, and debate still lingers about the feature set, especially what constitutes a “new” feature. Barnes noted this could mean “features that cannot be polyfilled”, that is, features that couldn’t be emulated by way of JavaScript shims. This might include “access to new hardware capabilities,” such as future varieties of sensors not yet exposed through HTML5 APIs.

 

Why embark on such a radical plan? Mozilla’s recent history provides a broad hint. Back in November, Mozilla announced co-sponsorship of a certificate authority, Let’s Encrypt. But even with a solution like Let’s Encrypt readily available, developers would need a lot of concessions before they would feel comfortable with it. Hope to have the best from Mozilla.
