Finally, Mozilla looks at moving away from 'insecure' HTTP. Maybe

HTTPS is the future, says security engineer, to the surprise of nobody

By Alexander J Martin, 15 Apr 2015

Calls to finally move away from HTTP and on to HTTPS are, like grumbles to oust an aging dictator, finding themselves encouraged by the public square/echo chamber of Mozilla's developers' platform.

Posting to the Mozilla dev platform, security engineer Richard Barnes said: "In recent months, there have been statements from IETF, IAB, W3C and even the US Government calling for universal use of encryption, which in the case of the web means HTTPS."

Back in the heady youth of the web, HTTPS was the black tie of protocols, worn only for fancy payment transactions.

Within the last ten years, however, it has been implemented for a wide range of security applications, including page authenticity and ensuring basic communications security.

Barnes added: "In order to encourage web developers to move from HTTP to HTTPS, I would like to propose establishing a deprecation plan for HTTP without security. Broadly speaking, this plan would entail limiting new features to secure contexts, followed by gradually removing legacy features from insecure contexts."

"Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over — it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security," said Barnes.

With a couple of thousand words already being racked up in the Mozilla man's thread, the deprecation plan for HTTP – written with Martin Thomson – seems to have established "whether there is support in the Mozilla community for a plan of this general form".

"Developing a precise plan will require co-ordination with the broader web community (other browsers, websites, etc.), and will probably happen in the W3C," acknowledged Barnes.

The W3C has a Technical Architecture Group (TAG), whose members are sort-of chartered researchers. It published its findings on Securing the Web on 22 January, and they are not too different from those of Barnes. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing