# Mozilla announces the death of unencrypted HTTP



## lbft (May 1, 2015)

https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

Mozilla has posted an announcement to their security blog that they are deprecating plain HTTP without encryption. They plan to do that by:



> Setting a date after which all new features will be available only to secure websites
> Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.


Presumably nothing will happen until after Let's Encrypt's free certs are available. Google's been leaning the same way for a while - the SPDY spec required SSL, for example, so I don't think anyone will be surprised if/when the Chrome guys make a similar announcement.

This has widespread ramifications for the industry - it breaks many filtering/proxying methods, it means shared hosts _must_ support SNI (and likely integrate Let's Encrypt), it means the end of accessing sites via IP address and it's going to make testing before deployment a pain in the ass.
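The SNI point above is the one that bites shared hosts first: with name-based virtual hosting the server has to choose a certificate before any HTTP Host header exists, so the client must name the host inside the TLS ClientHello (the server_name extension). A client that sends no name, which is exactly what you get when connecting by bare IP address, can only be given the default certificate. The following is an added example, not code from the post or from Mozilla; it builds a minimal ClientHello fixture, parses the SNI back out of it, and dispatches to a certificate the way a shared host would. The hostnames and certificate labels are constructed for illustration.

```python
"""
Added example: why a shared host needs SNI to pick the right certificate.

The ClientHello produced here is a test fixture (fixed random, one cipher
suite), not a real client. Layout follows RFC 5246 / RFC 6066.
"""
import struct

HANDSHAKE = 0x16            # TLS record type: handshake
CLIENT_HELLO = 0x01         # handshake message type
SNI_EXTENSION_TYPE = 0x0000 # server_name extension


def build_client_hello(server_name=None):
    """Return a minimal TLS 1.2 ClientHello record, with SNI if a name is given."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list))
        extensions += server_name_list
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + b"\x11" * 32                             # random (fixed for the fixture)
        + b"\x00"                                  # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
        + b"\x01\x00"                              # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name carried in a ClientHello record, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello.
    """
    try:
        if record[0] != HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                   # skip version + random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos >= len(body):
            return None                                # no extension block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + length]
            pos += 4 + length
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc


def select_certificate(record, certs_by_name, default_name):
    """Choose the certificate label a shared host would serve for this ClientHello.

    Exact SNI match wins; anything else (no SNI, unknown name, bare IP) gets the
    default certificate, whose name will then not match what the client wanted.
    """
    name = parse_sni(record)
    if name is not None and name in certs_by_name:
        return certs_by_name[name]
    return certs_by_name[default_name]


if __name__ == "__main__":
    # Constructed sample: two tenants on one IP address.
    certs = {"alice.example": "cert-alice", "bob.example": "cert-bob"}
    for sni in ("bob.example", None, "unknown.example"):
        print(sni, "->", select_certificate(build_client_hello(sni), certs, "alice.example"))
```

Production servers read the same extension with their TLS library rather than by hand; the hand parser is here only to make visible what the server knows at the moment it must choose a certificate.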


----------



## telephone (May 1, 2015)

Well that's a huge push for Let's Encrypt. Let's hope it lives up to the hype.

Personally I won't be happy with Mozilla's decision until another large player/vendor offers free SSL (not StartCom or WoSign).


----------



## Francisco (May 1, 2015)

Globalsign never did call me back even after scheduling a meeting. At this point it's pretty safe to say most CAs are scrambling to figure out WTF they're going to do with LE mere months away.



telephone said:


> Personally I won't be happy with Mozilla's decision until another large player/vendor offers free SSL (not StartCom or WoSign).


I don't see anyone else, besides cloudflare, doing it. MS might roll it out to their Azure users as a bonus but I don't see any other CA wanting to put up all the extra servers needed to handle all the requests and the bleed of whatever they do make. While Comodo is only charging ~$3.50/year each, it's still just selling a tiny bit of CPU time. There's no physical goods sold.

Francisco


----------



## concerto49 (May 1, 2015)

Francisco said:


> Globalsign never did call me back even after scheduling a meeting. At this point it's pretty safe to say most CA's are scrambling to figure out WTF they're going to do with LE mere months away.
> 
> 
> Francisco


Or maybe people will stop using Mozilla, who knows.


----------



## lbft (May 1, 2015)

concerto49 said:


> Or maybe people will stop using Mozilla, who knows.


Let's Encrypt is cross-signed by a recognised CA so all existing browsers should accept its certs anyway - so life doesn't get any easier for the CAs in a world in which Firefox is dead.


----------



## dave (May 1, 2015)

Not everything needs to be encrypted, and websites are faster without it.  What they're doing is lame.


----------



## souen (May 1, 2015)

Having mixed thoughts about it. On one hand, it's a bold move on Mozilla's part, leveraging a large userbase to push for a pseudo-standard change. If Chrome or Safari throw in their weight, it may well be a done deal (which in itself may or may not be a good thing, but that's another discussion.) The sites that care most likely already have it; the sites that don't will scramble to avoid the bad publicity of being outdated or scaring off users with an insecure-site warning in their browsers (like untrusted certs).

On the other, will it be a net advantage after all the trouble for all parties involved to transition? This is assuming SSL is still a secure model and that there's no evidence to suggest otherwise. 

That day may still be a long way off, there's no timeline yet.


----------



## KuJoe (May 1, 2015)

It doesn't look like they are forcing us to use HTTPS, only that newer features will not work on non-HTTPS websites. As long as they don't force HTTPS I'm fine with it.


----------



## KwiceroLTD (May 1, 2015)

Finally.


----------



## joepie91 (May 2, 2015)

KuJoe said:


> It doesn't look like they are forcing us to use HTTPS, only that newer features will not work on non-HTTPS websites. As long as they don't force HTTPS I'm fine with it.


From an "open web" perspective, that is absolutely "forcing", in the form of extortion. If you don't comply with this X, you won't get Y.

Anyhow, my take on this: http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-forced-ssl/

TL;DR This is a bad idea, and many things need to be fixed before this kind of step can realistically be taken.


----------



## sv01 (May 2, 2015)

I'd like to see a warning "Secure Connection Failed, please use another browser and use HTTPS instead" when I browse to my local dev web server.


----------



## souen (May 2, 2015)

joepie91 said:


> From an "open web" perspective, that is absolutely "forcing", in the form of extortion. If you don't comply with this X, you won't get Y.
> 
> Anyhow, my take on this: http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-forced-ssl/
> 
> TL;DR This is a bad idea, and many things need to be fixed before this kind of step can realistically be taken.


This. My concern is that they may be making everyone use a broken system and hoping nothing happens to the root CAs. Maybe like their extensions signing announcement, it started with good intentions, but not sure if that's where it's headed.


----------



## River (May 3, 2015)

This is really interesting. I wonder how long they will take to phase in this new standard, as many sites - specifically older sites - are not on a secure connection. It seems like a huge transition to make, and it seems like lots of people have some SSL certificates to install.


----------



## tk-hassan (May 7, 2015)

It was always gonna happen some time.


----------



## SentinelTower (May 7, 2015)

I wonder what "features" they are talking about. Is it about the latest things like WebSocket and such, or are we talking about basic tasks like displaying a web page?

Anyone know if it will be possible to generate certificates by submitting a CSR to Let's Encrypt, or do we have to use their agent?


----------



## Gang Starr (May 9, 2015)

I totally support this move but in my opinion it shouldn't be pushed too fast. Unencrypted traffic is an issue nowadays with the NSA and the other guys and maybe even your mother (hell, back in the years it was on the old slow expensive Internet - oh god, nostalgic memories).

On my servers I usually redirect all HTTP traffic to HTTPS, but only if HTTPS is available.
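Redirecting only where HTTPS is actually available is the right instinct; the detail that tends to be missed is that the redirect target is built from the client-supplied Host header, so a listener that redirects whatever Host it is given can be turned into an open redirect. The following is an added example, not the poster's configuration: a small decision routine for a plain-HTTP listener that redirects only names with a deployed certificate, serves other known names as before, and rejects unknown Host headers outright. The host lists and the function names are constructed for illustration.

```python
"""
Added example: HTTP-to-HTTPS redirect decision for a plain-HTTP listener.

Only hosts listed in HTTPS_READY (a constructed sample) are redirected; hosts
that are served but have no certificate yet are handled over HTTP as before,
and a Host header naming anything else is refused rather than reflected into
a Location header.
"""

# Constructed sample: names this server answers for, and the subset with a certificate.
SERVED_HOSTS = {"www.example.org", "example.org", "legacy.example.org"}
HTTPS_READY = {"www.example.org", "example.org"}


def normalise_host(host_header):
    """Lower-case the Host header and drop an explicit :80; None if it is missing."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.endswith(":80"):
        host = host[:-3]
    return host or None


def plan_response(host_header, path, served=SERVED_HOSTS, https_ready=HTTPS_READY):
    """Decide how the HTTP listener should answer one request.

    Returns (status, headers), headers being a list of (name, value) pairs:
      400 - missing or unrecognised Host header (never echoed into Location)
      301 - known host with HTTPS deployed: same path on https://
      200 - known host without HTTPS yet: serve over HTTP as before
    """
    host = normalise_host(host_header)
    if host is None or host not in served:
        # Refusing here is what closes the Host-header open redirect.
        return 400, [("Content-Type", "text/plain")]
    if not path.startswith("/"):
        return 400, [("Content-Type", "text/plain")]
    if host in https_ready:
        # Host comes from the allowlist, not from the attacker, so the
        # Location is safe to build; the path is carried over unchanged.
        return 301, [("Location", "https://" + host + path)]
    return 200, []


if __name__ == "__main__":
    for host, path in (("www.example.org", "/login"),
                       ("WWW.Example.org:80", "/a?b=1"),
                       ("legacy.example.org", "/"),
                       ("attacker.example", "/"),
                       (None, "/")):
        print(host, path, "->", plan_response(host, path))
```

Once a host is in the HTTPS-ready set, the HSTS header belongs on the HTTPS responses, not on this redirect; the HTTP side should do nothing beyond the 301.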


----------



## joepie91 (May 9, 2015)

SentinelTower said:


> I wonder what "features" they are talking about. Is it about the latests things like websocket and such or are we talking about basic tasks like displaying a web page ?
> 
> Anyone knows if it will be possible to generate certificates by submitting a CSR on Let's Encrypt or do we have to use their agent ?


The current proposal is to restrict _any_ new feature that cannot be polyfilled - _not_ just "security-sensitive" features. For example, had this been introduced a few years ago, you wouldn't have had the Shadow DOM or mutation observers - both of which are critical concepts in "frontend view engines" like Polymer, Angular 2.0, and other things built on the upcoming Web Components standard.

So yeah, this is a big deal - it's not just about hardware access. It's about _all_ new functionality. Some good suggestions were brought up in this Hacker News thread - personally, I'm a fan of getting rid of the "SSL warning" screens in browsers.


----------



## drmike (May 9, 2015)

Lots of breakage will ensue.

Unsure why Mozilla is picking this battle really.   Not innovating and slagging browser share, so let's adopt a flawed "privacy" approach to own a niche ideally.

I'm all for SSL-enabled everything, optionally and with graceful fallback.

Whole thing along with another "free" SSL initiative seems to be market destruction.  Hardly free economy based on consumer outcomes, but rather big money and weirdo interests doing unsound things.


----------



## QuadraNet_Adam (May 11, 2015)

I still remember when I used Firefox many years ago, but once I tried Chrome I never looked back 

Are there any updates about the development of Let's Encrypt?


----------



## tdale (May 12, 2015)

QuadraNet_Adam said:


> I still remember when I used Firefox many years ago, but once I tried Chrome I never looked back
> 
> Are there any updates about the development of Let's Encrypt?


Chrome is dead, Adam. I did the same and now I'm using FF for more things than Chrome.


----------



## joepie91 (May 12, 2015)

tdale said:


> Chrome is dead Adam. I did the same and now im using FF for more things than Chrome now.


Unfortunately, Firefox still doesn't seem to support process isolation for different tabs. That alone is enough reason for me not to use it.

I used it on somebody else's system for a few days while travelling, and all my tabs vanished _twice_ in two days. That's just not doable for me.


----------



## telephone (May 14, 2015)

tdale said:


> Chrome is dead Adam. I did the same and now im using FF for more things than Chrome now.


Enjoy having a pre-installed proprietary extension "Pocket". They've disabled their own "Reading List" to promote Pocket.

Link: https://blog.mozilla.org/futurereleases/2015/05/13/get-a-firefox-account-and-test-new-features-in-firefox-beta/

Here's what they said in the bug report:



> Until we understand how "Reading List" and Pocket may coexist, we will disable Reading List and the new Reading List Sync service


----------



## joepie91 (May 14, 2015)

telephone said:


> Enjoy having a pre-installed proprietary extension "Pocket". They've disabled their own "Reading List" to promote Pocket.
> 
> Link: https://blog.mozilla.org/futurereleases/2015/05/13/get-a-firefox-account-and-test-new-features-in-firefox-beta/
> 
> Here's what they said in the bug report:


Mozilla is increasingly going in a direction I don't like.


----------



## Onra Host (May 14, 2015)

Mozilla is simply betting on LE. If it works, they're the first and will be the "innovators and leaders". If it fails... they simply go back to supporting HTTP.


----------



## SentinelTower (May 17, 2015)

joepie91 said:


> Unfortunately, Firefox still doesn't seem to support process isolation for different tabs. That alone is enough reason for me not to use it.
> 
> I used it on somebody elses system for a few days while travelling, and all my tabs vanished _twice_ in two days. That's just not doable for me.


I second that. I like Firefox, I use it as my main browser but when a tab hangs and the whole thing freezes this is so frustrating.


----------



## raindog308 (May 17, 2015)

My home PC only has 32GB of RAM so I don't have the resources to run Firefox alas.


----------



## tmzVPS-Daniel (May 17, 2015)

If you guys are not using Chrome or FF, what are you using? 

- Daniel


----------



## William (May 17, 2015)

Chrome for Netflix/Video, Firefox for browsing - Both use a lot of ram (each 1GB+) but with 12GB+ that becomes a non-issue.


----------

