Mozilla wants to deprecate non-secure HTTP, will make proposals to W3C 'soon'

Want smarter insights in your inbox? Sign up for our weekly newsletters to get only what matters to enterprise AI, data, and security leaders. Subscribe Now

Mozilla today announced its intent to phase out non-secure HTTP, and that it will be making some proposals to the W3C WebAppSec Working Group soon. Specifically, the company says it is committed to “new development efforts on the secure web and to start removing capabilities from the non-secure web.”

Richard Barnes, Firefox’s security lead, emphasized the company needs to work with the broader Internet community to achieve this ambitious objective. “Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community,” Barnes said, and then outlined Mozilla’s two-fold plans, though details on how exactly Firefox will be affected are still unclear.

First, Mozilla is hoping to set a date after which all new browser features will be available only to secure websites. Barnes noted that the community sets the definition for what features are considered “new,” but the general gist is to only allow them for HTTPS sites.

Second, Mozilla wants to gradually phase out access to browser features for non-secure websites (especially those that pose risks to users’ security and privacy). This will naturally need to be driven by trade-offs between security and web compatibility, Barnes pointed out:

AI Scaling Hits Its Limits

Power caps, rising token costs, and inference delays are reshaping enterprise AI. Join our exclusive salon to discover how top teams are:

Turning energy into a strategic advantage
Architecting efficient inference for real throughput gains
Unlocking competitive ROI with sustainable AI systems

Secure your spot to stay ahead: https://bit.ly/4mwGngO

Removing features from the non-secure web will likely cause some sites to break. So we will have to monitor the degree of breakage and balance it with the security benefit. We’re also already considering softer limitations that can be placed on features when used by non-secure sites.

Mozilla’s plans first came to light in a public discussion that started earlier this month, which noted that there have been statements from IETF, IAB, W3C, and the U.S. Government calling for universal use of encryption. Still, that was just a discussion.

Today, Mozilla has declared war on HTTP.

Daily insights on business use cases with VB Daily

If you want to impress your boss, VB Daily has you covered. We give you the inside scoop on what companies are doing with generative AI, from regulatory shifts to practical deployments, so you can share insights for maximum ROI.

Read our Privacy Policy

Thanks for subscribing. Check out more VB newsletters here.

An error occured.

The insights you need without the noise