Deprecating Non-Secure HTTP

One of the biggest weaknesses of the Internet, in my opinion, is the fact secure connections aren’t the default. E-mail servers often don’t transmit messages to other e-mail server over secure connections. Many Jabber servers don’t utilize secure connections to other servers they’re federated with. Even the protocol most of us deal with multiple times on a daily basis to interact with web servers, the hypertext transport protocol (HTTP), isn’t secure by default. This lack of security has been a boon for national spy agencies such as the National Security Agency (NSA) and the Government Communications Headquarters (GCHQ). Even private businesses have been exploiting the lack of secure HTTP connections so they can better spy on their customers for advertising purposes. At this point it’s clear that non-secure Internet connections need to die.

To this end Mozilla, the developer of Firefox, has announced its plan to depricate non-secure HTTP:

Today we are announcing our intent to phase out non-secure HTTP.

There‚Äôs pretty broad agreement that HTTPS is the way forward for the web.  In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.

This could be a huge move in the right direction. If every major browser deprecated non-secure HTTP it would force web servers to make secure connections available by default or lose users. More importantly, in my opinion, is that getting rid of non-secure HTTP would also eliminate the what’s encrypted guessing game. Many websites only utilize a secure connection for specific actions such as logging into an account or sending credit card data. Other interactions with the web server are done over a non-secure connection. That guessing game can make users believe that they’re connection is secure even though it isn’t.

Deprecating non-secure HTTP isn’t a straight forward move. Enabling transport layer security (TLS) isn’t as simple as flipping a switch. You need to obtain a keypair signed by an authority that major browsers trust, load them on the web server, and ensure those keys aren’t compromised. Administrators also have to keep up on recent security news so they can reconfigure their server when new exploits are discovered. Managing certificates could become much easier if Let’s Encrypt gains traction. Ensuring broken TLS protocols and features aren’t being used is a more difficult task but one that will likely be made easier as more sites move towards TLS. With that said, deprecating non-secure HTTP must be done regardless of the challenges involved.