Breaking Web: Mozilla plans to deprecate non-secure HTTP

 

Mozilla plans to make fundamental changes to the Firefox web browser in regards to non-secure HTTP contents on the web.

 

According to a new post by Richard Barnes on the organization's security blog, Mozilla plans to make new features only available to secure websites in the future and phase out features for non-secure sites gradually as well.

The reason behind the decision is "a broad agreement that HTTPS is the way forward for the web".

The organization acknowledges that there will be trade-offs between security and web compatibility when features are blocked from running on HTTP sites.

While this does not mean -- yet -- that HTTP support is removed completely from Firefox, it is a first step in that direction.

So what does this mean for users and webmasters?

It is fair to say that there will be sites that won't be upgraded to HTTPS. Even if certificates are available for free, it still requires time and the necessary infrastructure to implement it.

While this may work on self-hosted servers and virtual servers, solutions like Lets Encrypt won't work for shared hosting accounts.

Most web hosting companies offer upgrades to make sites HTTPS but that comes at additional costs that not everyone is willing to commit to.

If you run a personal blog for instance or an informational site on a shared hosting account, you may not want to pay $20 or more per year extra just to keep it compatible with certain web browsers.

Webmasters who cannot afford to buy these certificates or install them for their sites -- it is still a technical process which usually requires quite some troubleshooting on the site itself to get it right -- will face an uphill battle against feature deprecation in future browser versions.

Internet users may benefit from improved security on the Web in the long run but they may as well run into websites that no longer work properly or at all due to feature deprecations which should raise the question if this is the best method to move the web towards using HTTPS.

Several commenters have already mentioned that they dislike Mozilla strong-arming webmasters by removing feature support for HTTP websites in the Firefox browser.

Closing Words

Mozilla is not the only organization that plans to do away with HTTP.  Google will mark non-HTTPS sites as insecure in Chrome in 2015 but that is far away from Mozilla's proposal to limit functionality of HTTP sites on the Internet.

The core idea behind the announcement on Mozilla's Security Blog is to give webmasters and companies enough time -- years -- to make the necessary changes to their web properties before features are removed for HTTP sites.

This could backfire big time especially if Mozilla's vision of an ideal Internet collides with reality.