Mozilla developer plans to phase out HTTP traffic support
Richard Barnes, a security engineer at Mozilla, has proposed phasing out support for unencrypted HTTP traffic. According to the software developer, HTTP is too easy to tap and abuse, for example to carry out phishing attacks.
Barnes states in a posting to Google Groups that more and more internet organizations are proposing to ignore unencrypted HTTP traffic and to opt for encrypted HTTPS traffic by default. To speed up this switch, the security engineer proposes gradually banning HTTP traffic in browsers such as Mozilla’s Firefox. This should improve the privacy of internet users and reduce the attack methods available to cyber criminals via HTTP.
The software developer proposes a number of phases to speed up an internet-wide switch to HTTPS and to encourage web developers to choose HTTPS as the default. In the first phase, so-called privileged contexts must be defined, which describe the minimum security level. The W3C is already working on that. In phase two, it must be determined when these privileged contexts will become the minimum requirement for using new features in a browser such as Firefox.
In the third phase, only traffic originating from HTTPS sites can access new features in the browser. For this, a date must be set based on statistics that indicate the extent to which HTTPS is used on the internet. Barnes expects that by the fourth phase, HTTP will have been abandoned almost entirely.
With his proposal, Barnes wants to see whether there is support among developers. The responses on the Mozilla developers’ discussion list are mostly in agreement, but they also raise potential problems. For example, almost all intranet sites are HTTP-based, and older devices do not always support secure HTTPS implementations. In addition, some websites report a drop in revenue from advertising banners after switching to HTTPS.
Firefox has supported HTTP/2 by default since version 36. In this new protocol, encrypted connections form the basis. Browsers like Chrome are also moving in this direction. In addition, the cost of obtaining an SSL certificate is falling, while more and more free options are now appearing.