
Mozilla wants to deprecate HTTP sites to force move to secure web

Mozilla has announced that it wants to phase out non-secure HTTP, and plans to do so by only allowing new features on HTTPS websites.
Written by Chris Duckett, Contributor

If Mozilla gets its way, the web will be split in two: one web with full functionality, delivered over HTTPS, and a non-secure HTTP web that slowly loses functionality and usefulness.

However, Mozilla will not be able to achieve this state of affairs on its own, and said it will be taking its ideas to the W3C WebAppSec Working Group.

"Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community," said Firefox security lead Richard Barnes in a blog post.

According to Barnes, Mozilla's plan is to set a date after which new features are only available to HTTPS sites, and then gradually phase out browser features for HTTP sites.

"For example, one definition of 'new' could be 'features that cannot be polyfilled'," Barnes said.

"That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities."

Barnes said that removing existing features would cause site breakage, and a balance would need to be determined between security and web compatibility.

"We're also already considering softer limitations that can be placed on features when used by non-secure sites," he said. "For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website.

"There have also been some proposals to limit the scope of non-secure cookies."
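As an added illustration of the gating Barnes describes (this is example code written for this page, not Mozilla's or Firefox's implementation), the snippet below models the decision in two parts: whether a page's origin counts as secure, following the WebAppSec Working Group's "potentially trustworthy origin" rules (https, wss and file schemes, plus loopback hosts such as localhost and 127.0.0.1), and whether a given feature is withheld from non-secure pages, using an assumed, illustrative feature table keyed on whether the feature could be polyfilled by script, as in Barnes's definition of "new". The function names, the feature table and the `permissionPolicy` outcomes are this example's own assumptions.

```javascript
// Added example: model of HTTPS-only feature gating. Not Mozilla/Firefox code.
// Secure-origin rules follow the WebAppSec "potentially trustworthy origin"
// definition: https, wss and file are secure; http/ws are secure only on
// loopback hosts; anything else (including unparseable URLs) is not.

function isLoopbackHost(hostname) {
  // Node's URL keeps the brackets on IPv6 hostnames, e.g. "[::1]".
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1") return true;
  // Whole 127.0.0.0/8 block is loopback, not just 127.0.0.1.
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

function isPotentiallyTrustworthy(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return false; // unparseable input never unlocks secure-only features
  }
  switch (u.protocol) {
    case "https:":
    case "wss:":
    case "file:":
      return true;
    case "http:":
    case "ws:":
      return isLoopbackHost(u.hostname);
    default:
      return false;
  }
}

// Assumed feature catalogue for illustration: "polyfillable" means a page
// could reproduce the feature itself (e.g. draw an effect on <canvas>), so
// withholding it from HTTP would only add breakage without adding security.
const FEATURES = {
  cssFilter: { polyfillable: true }, // rendering effect, drawable by script
  getUserMedia: { polyfillable: false }, // camera/microphone hardware access
  geolocation: { polyfillable: false }, // device capability, not reproducible
};

// Gating rule sketched in the article: after the cut-off date, features that
// cannot be polyfilled are only available to secure origins.
function featureDecision(pageUrl, featureName) {
  const feature = FEATURES[featureName];
  if (!feature) return "unknown-feature";
  if (isPotentiallyTrustworthy(pageUrl)) return "allow";
  return feature.polyfillable ? "allow" : "deny";
}

// Softer limitation from the article: a non-secure page may still be granted
// camera/microphone access, but the grant is never persisted. The two
// outcome labels are this example's own naming.
function permissionPolicy(pageUrl) {
  return isPotentiallyTrustworthy(pageUrl) ? "allow-persistent" : "prompt-each-time";
}

// Constructed sample pages for a quick run.
for (const page of ["https://shop.example/", "http://shop.example/", "http://localhost:8000/"]) {
  console.log(page, featureDecision(page, "getUserMedia"), permissionPolicy(page));
}
```

The loopback exemption is what lets developers keep testing hardware-dependent features on a local HTTP server; everything else on plain HTTP loses the non-polyfillable features while keeping rendering features, which is the balance between security and compatibility that Barnes says still has to be found.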

Last month, Mozilla had to issue a fix for Firefox's opportunistic encryption feature after it was discovered that SSL certificate verification could be bypassed via header manipulation.
