While encrypted connections via HTTPS have been used in browsers for a very long time, they’re often not the default connection. Mozilla, along with a number of organizations and even the U.S. government, would like to see only HTTPS connections used. This wouldn’t magically make the Internet entirely secure, but it certainly wouldn’t hurt.
Mozilla outlined its plan to eventually move to only using secure connections in a blog post yesterday. Simply urging website owners to switch to HTTPS isn’t going to be enough to get every website to adopt secure connections, so Mozilla has another tactic in mind: holding new features hostage.
Mozilla plans to eventually only offer new browser features on sites using HTTPS connections. Firefox security lead Richard Barnes outlines the plan in two broad steps: “Setting a date after which all new features will be available only to secure websites,” and “gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.”
The second element is the more interesting of the two, as it means that eventually features in Firefox will no longer be available to sites not using HTTP connections. Barnes even points out in the blog post that “removing features from the non-secure web will likely cause some sites to break.”
Fortunately, this doesn’t mean that your favorite old website will no longer be available. Mozilla plans to “monitor the degree of breakage and balance it with the security benefit.”
This is already happening, at least to some extent. Firefox currently limits the extent of camera and microphone access on non-secure websites, and Barnes points to this as a model for future feature limitations.
For a more technical take on the story for those so inclined, see the related post on the Mozilla blog.
