Mozilla is officially deprecating plain HTTP

[colonel_mortis]

Source: The Mozilla Security blog
 
Mozilla has announced that they are deprecating plain HTTP requests in favour of all sites using encrypted connections (HTTPS). Don't worry, your HTTP site will continue to work for a very long time yet though.
 

Today we are announcing our intent to phase out non-secure HTTP.
There’s pretty broad agreement that HTTPS is the way forward for the web.  In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.
After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web.  There are two broad elements of this plan:

• Setting a date after which all new features will be available only to secure websites
• Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

The first phase of the deprecation procedure will be that certain new browser features will only be available to sites which are connected over HTTPS. This will only affect features that have not been added yet, and I believe that it will only affect features that could present a security risk.
After a while, they will then remove some features which present a security risk. For example, websites can currently only request to always be able to access your microphone if they are loaded over HTTPS to reduce the damage that can be caused by attackers who have hijacked your site, which the users trust, to obtain information that they should not be able to access. They have said that they will give plenty of notice so that website owners can fix their site, and they will try to only remove features that present a more serious threat.
 
Their FAQ makes a lot of good points about why it's necessary and why it shouldn't be an issue for webmasters:

Q. Why are you forcing me to buy a certificate?  Isn’t this hard on small sites?
If you want to use HTTPS, you’ll have to get a certificate.  That doesn’t mean you have to buy one though!  There are multiple free certificate providers in the market right now (e.g., StartSSL​, ​WoSign, and soon ​Let’s Encrypt​).  Some web platforms will provide you a certificate for free (e.g., ​Cloudflare​).  For those who prefer to run their own server, Mozilla already offers an ​HTTPS configuration generator​.

Q. Won’t HTTPS make my site slower?
HTTPS is basically HTTP plus encryption, so the cost of doing HTTPS is non­zero.  However, on modern platforms, it is ​very, very small​. For many websites, encryption will actually be a gateway to ​better​​performance.  HTTP/2 offers ​significant​ ​performance improvements​ over HTTP/1.1, and in all current browsers it is only available for encrypted sites.
 
Q. What about development/corporate environments?
You’ll be able to configure the browser to work for these cases.  The notion of “secure” enforced by the browser in this case will be the one defined by the W3C’s ​Privileged Contexts specification, which we expect will have a provision for local policy ­­ that is, for the user to configure a certain context as explicitly trusted.  Combine that with the existing mechanisms for adding trusted roots, and it should be straightforward for a developer or IT guy to set up a secure environment, ​like Mozilla does​.

Q. But there's nothing secret on my site! Why should I bother with encryption?
HTTPS isn’t just about encryption.  It also provides integrity, so your site can’t be modified, and authentication, so users know they’re connecting to you and not some attacker.  Lacking any one of these three properties can cause problems.  Better use of security would prevent:

• Comcast injecting ads into their customers’ web traffic​;
• AT&T tracking their users’ browsing habits​; and
• The “Great Cannon of China” knocking Github offline​.

In other words, as long as your site is not secure, it can be used as a weapon against your users and against other web sites.  More non­secure sites means more risk for the overall Web.

 

The HTTP/2 specification is fully out now, and supported by Firefox and Chrome (as well as IE in Windows 10), but only over HTTPS. The web was already moving towards encryption, and this change by Mozilla was going to happen at some point.

 

---

 

Personally, I think this change is for the better. Most websites already support HTTPS, and even if a site doesn't support it, it will still be able to function, though in a slightly limited capacity. By making HTTPS strongly recommended, hopefully the sites that don't use HTTPS for sensitive information transfer (usually due to laziness) will get their act together. There are a lot of sites which transmit password details in plain text for some reason, and a lot more that are mostly secure, but have minor flaws that can be exploited by an attacker if they wish to (eg. by editing the website when it's loaded over HTTP so that passwords are sent over HTTP, allowing them to be viewed by the attacker). HTTPS will solve all of these issues.

Encryption will also make people much less prone to less dangerous Man-in-the-Middle attacks, such as ISP ad injection, which is always a good thing.

Hopefully the other browsers follow Mozilla in deprecating HTTP, and most websites switch to only using HTTPS.

[Paralectic]

Ironic knowing https is as leak as can be too.

[KarmaMuscle]

I think this is an excellent development. I have used a plugin for a long time that forces HTTPS when I go to websites.

[colonel_mortis]

Ironic knowing https is as leak as can be too.

HTTPS is a massive amount better than HTTP, and there are no known exploits that affect all versions of HTTPS (heartbleed only affected OpenSSL, and it didn't nullify the security that HTTPS gave; the other vulnerabilities that I am aware of also only affect specific configurations, and only when very old and deprecated cipher suites are used).

[azurezeed]

good, this had to happen at some point

[Fetzie]

Ironic knowing https is as leak as can be too.

 

A lot less leaky than http though.

[elfensky]

Between somewhat filtered water and not filtered at all, I'll always choose the at least slightly filtered. Same for HTTPS/HTTP debacle.