Stories
Slash Boxes
Comments

SoylentNews is people

Mozilla Considers Phasing Out Unencrypted HTTP

posted by CoolHand on Wednesday April 15 2015, @04:52AM   Printer-friendly
from the it's-the-end-of-the-web-as-we-know-it-and-i-feel-fine dept.

Phoronix reports the Mozilla Security Engineering team is planning to make their browser useless for browsing much of the World Wide Web, by deprecating insecure HTTP.

Richard Barnes of Mozilla writes:

In order to encourage web developers to move from HTTP to HTTPS, I would like to propose establishing a deprecation plan for HTTP without security. Broadly speaking, this plan would entail limiting new features to secure contexts, followed by gradually removing legacy features from insecure contexts. Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over -- it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security.

See also this document outlining the initial plans.

 
This discussion has been archived. No new comments can be posted.
Mozilla Considers Phasing Out Unencrypted HTTP | Log In/Create an Account | Top | 100 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2, Informative) by Anonymous Coward on Wednesday April 15 2015, @07:21AM

    by Anonymous Coward on Wednesday April 15 2015, @07:21AM (#170820)

    With http, you can serve thousands of domains from one IP address. The Host: header in the http protocol tells the server which site you want.

    With https, the encryption is started before the Host: header is transmitted, thus the correct certificate needs to be selected without knowing the Host: header. This limits you to to one domain per IP address, thus switching everything to https would require at least an order of magnitude more IP addresses.

    There is a newer protocol that tries to solve this (SNI). But as long as anyone still uses Internet Explorer, it's not going to be of any use. Microsoft kinda tried to implement it, but somehow made it not a part of the update to Internet Explorer, so you'll only get it if you love Windows Tablet Edition (aka Windows 8).

    Starting Score:    0  points
    Moderation   +2  
       Informative=2, Total=2
    Extra 'Informative' Modifier   0  
    Total Score:   2  

  • (Score: 2) by gnuman on Wednesday April 15 2015, @04:05PM

    by gnuman (5013) on Wednesday April 15 2015, @04:05PM (#171031)

    There is a newer protocol that tries to solve this (SNI). But as long as anyone still uses Internet Explorer

    IE supports SNI.

    http://en.wikipedia.org/wiki/Server_Name_Indication#No_support [wikipedia.org]

    So if you are not using IE 6 on XP, you are probably just fine.