Mozilla today announced its intent to phase out non-secure HTTP, and that it will be making some proposals to the W3C WebAppSec Working Group soon. Specifically, the company says it is committed to “new development efforts on the secure web and to start removing capabilities from the non-secure web.”
Richard Barnes, Firefox’s security lead, emphasized the company needs to work with the broader Internet community to achieve this ambitious objective. “Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community,” Barnes said, and then outlined Mozilla’s two-fold plans, though details on how exactly Firefox will be affected are still unclear.
First, Mozilla is hoping to set a date after which all new browser features will be available only to secure websites. Barnes noted that the community sets the definition for what features are considered “new,” but the general gist is to only allow them for HTTPS sites.
Second, Mozilla wants to gradually phase out access to browser features for non-secure websites (especially those that pose risks to users’ security and privacy). This will naturally need to be driven by trade-offs between security and web compatibility, Barnes pointed out:
Removing features from the non-secure web will likely cause some sites to break. So we will have to monitor the degree of breakage and balance it with the security benefit. We’re also already considering softer limitations that can be placed on features when used by non-secure sites.
Mozilla’s plans first came to light in a public discussion that started earlier this month, which noted that there have been statements from IETF, IAB, W3C, and the U.S. Government calling for universal use of encryption. Still, that was just a discussion.
Today, Mozilla has declared war on HTTP.