Mozilla wants to drop HTTP support in Firefox, eventually

A Mozilla security engineer, Richard Barnes, has proposed slowly phasing out support for unencrypted HTTP traffic. HTTP is too easy to eavesdrop on and too easily abused, e.g. for phishing attacks, according to the software developers.

Barnes states in a post on Google Groups that more and more internet organizations propose to switch to the encrypted HTTPS standard by default and to no longer support unencrypted HTTP. To accelerate the switch, the security engineer proposes to start slowly excluding HTTP traffic in browsers like Mozilla's Firefox. This should improve privacy and reduce the methods available to cybercriminals for attacking users.

The software developer proposes several stages to gradually accomplish an internet-wide switch to HTTPS and to encourage web developers to use HTTPS by default. In the first stage, so-called "privileged contexts" have to be defined. These privileged contexts describe the minimal security level, something the W3C is currently working on. In the second stage, it has to be determined when these privileged contexts should become the minimum requirement for using new features in browsers like Firefox.

In the third stage, it has to be determined that only traffic originating from HTTPS sites provides access to new features in the browser. A date has to be picked, based on statistics that show how much HTTPS is used on the internet. Barnes hopes that in the fourth and last stage HTTP is abandoned almost entirely.

With his proposal, Barnes hopes to find out whether there is support for his idea. On Mozilla's developer discussion groups most agree, but potential issues are also discussed. One issue could be intranet sites, which are mainly HTTP based, and older devices that don't always support a safe HTTPS implementation. Some sites also report that they lose advertising revenue when they switch to HTTPS.

Firefox has supported HTTP/2 since version 36. This new protocol is built upon encrypted connections. Browsers like Chrome are taking the same path. It's also easier for websites to offer HTTPS, as costs of SSL certificates are decreasing. There are even free options for obtaining such a certificate, which website owners need in order to offer HTTPS access to their website.
