We're Deprecating HTTP And It's Going To Be Okay

published by Eric Mill on

Mozilla recently announced their intent to deprecate the insecure HTTP protocol in Firefox in favor of HTTPS (https://). In practice, they plan to do this by gradually removing the ability for HTTP websites to use various web features. They're joined by the Chrome security team, who declared something similar in December.

Mozilla's announcement has gotten a lot of attention, more than Chrome's, and much of it negative. There have been various laments, but the most sincere and helpful one is Ben Klemens' "HTTPS: the end of an era":

But the Mozilla foundation’s HTTPS requirement is, to me, the real end of the DIY era. This is not a closed-source corporation, or a startup pushing its new tool, or the arrogant guy at the hackathon, but the Mozilla Foundation — “Our mission is to promote openness, innovation & opportunity on the Web” — saying that if you are building web pages using tools from your desert island, without first filling in registration forms, then you are doing it wrong.

I understand the fear of raising the barriers to entry. As a child, I too fell in love with an internet made by everyone, and have spent my career, my volunteer work, and my hobbies trying to share what that love has taught me. I want children everywhere in the world to grow up feeling like the internet that permeates their lives is also in their service -- a lego set in real life that you can buy with a week's allowance.

Yet as an adult, I also understand that power for ordinary people is hard to come by and hard to keep. The path of least resistance for human society is for money to buy more money, and might to demand more might. Democracy is designed not so much to expand freedom as it is to give people tools to desperately hold onto the freedom they have.

Put another way: power has a way of flowing away from the varied, strange, beautiful little leaf nodes on the outer edges and into the unaccountable, unimaginative, ever-hungry center.

Image source: Melonie Richey

TCP/IP, DNS, and the web were each tremendous reversals of this trend, freely giving the means of production to all of us little leafs. It felt like the powers that be just didn't realize what was happening until it was too late.

But when I look at the last few years, I see a very different web than the one I was introduced to:

  • Verizon injects tracking headers into unencrypted traffic so they can sell your browsing activity to advertisers. This program started in 2012, after Verizon realized they "had a latent asset", but wasn't noticed until 2014.
  • Other companies like Turn piggyback on Verizon's tracking header to sell your data to even more people, because they "are trying to use the most persistent identifier that we can in order to do what we do", says Turn's chief privacy officer.
  • Comcast injects ads into unencrypted traffic, because "it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast".
  • Andreas Gal (Mozilla's CTO, in his personal capacity) has claimed that Yahoo and Bing "can acquire search traffic by working with large Internet Service providers" to harvest users' Google search results to improve their own -- and strongly implies that they used to do this before Google shut them out through encryption. Even if you support better competition against Google, I doubt you expected your ISP to make deals to sell your traffic to other corporations without your knowledge.
  • The nation of India tried and failed to ban all of GitHub. HTTPS meant they couldn't censor individual pages, and GitHub is too important to India's tech sector for them to ban the whole thing.
  • The nation of China weaponized the browsers of users all over the world to attack GitHub for hosting anti-censorship materials (since like India, they can't block only individual pages) by rewriting Baidu's unencrypted JavaScript files in flight.

And then there's government surveillance. Still here, still real, and not getting better:

When I look at all these things, I see companies and governments asserting themselves over their network. I see a network that is not just overseen, but actively hostile. I see an internet being steadily drained of its promise to "interpret censorship as damage".

In short, I see power moving away from the leafs and devolving back into the center, where power has been used to living for thousands of years.

What animates me is knowing that we can actually change this dynamic by making strong encryption ubiquitous. We can force online surveillance to be as narrowly targeted and inconvenient as law enforcement was always meant to be. We can force ISPs to be the neutral commodity pipes they were always meant to be. On the web, that means HTTPS.

As problematic as the certificate authority (CA) system that underlies HTTPS may be, its relative centralization allows for one of the very few systems of encryption available today that Just Works for regular people. In many ways, it's no different than registering a domain: you pay a nominal fee to a usually for-profit organization to participate in a mostly centralized system.

Richard Barnes, the author of Mozilla's HTTP deprecation announcement and policy, responded to Ben, saying:

As I've said in some other threads on this topic, I'm under no illusion that HTTPS or the CA system is perfect. But to quote the great sage Mr. Rumsfeld, "you go to war with the army you have, not the army you might want or wish to have at a later time." Our long experience with HTTPS shows that it’s strong enough to carry the web, and it looks like its weaknesses can be patched. Which is enough, at least for me, to get the movement started.

Starting that movement doesn't happen in a vacuum. Chrome is there, the IETF and W3C TAG are there -- even the ad industry is getting there, with the news media right behind them. That kind of movement can become self-fulfilling, motivating more people and work than anyone thought possible at the start.

Many have said that HTTPS configuration and the CA system need to become painless before we can make it the new standard. However, this has cause and effect backwards: the only way to motivate the investment and market demand necessary to make HTTPS free, easy, and everywhere is to first make it part of the baseline, like DNS is today.

The transition to HTTPS won't be painless, but it is necessary, and it's already getting easier every year. The web will evolve, and when it does we'll have pushed some of its power back out of the center and into its edges for another generation to wield, love, and defend.

If you're really concerned about keeping the internet a place for everyone, look at what's happening right now with DNS and ICANN, as the US government attempts to voluntarily relinquish control over IANA responsibilities. There's even a recent House committee hearing on the subject.

I can't recommend highly enough this outstanding explanation of the IANA transition (PDF), by Danielle Kehl and David Post at the Open Technology Institute, for understanding the history and politics of ICANN.

  1. Phil

    While we're at it, we should remove all physical border controls - just because some people smuggle drugs, weapons, explosives, organs, child pornography, or travel for terrorism doesn't mean anyone should have to prove their identity or have their luggage go through x-ray when travelling internationally.

    Surveillance should be left in the hands of private, non governmental bodies like search engines, webmail providers, social media platforms who we can implicitly trust to only harvest information for targeted advertising.

    (For the dim-witted, this is meant sarcastically)

  2. Ben Bucksch

    You seem to say: 'OK, so HTTPS takes power away from the little man and centralizes power. BUT that's OK, because it's always been like that and it's inevitable. The web isn't what it used to be anymore anyways, so who cares. Let's just accept that we lost control.'

    Not a strong argument.

    Remember that TLS was designed at a time when all crypto from Netscape had to be approved - in detail, design and code - by the US government. TLS is unnecessarily and deliberately centralized and puts trust in the center over mutual trust between parties. Because that's what it was designed to do. And now it's promoted as solution against government surveillance. I can see them smile. What an irony.

    TLS was designed to protect credit card numbers. Nothing more. It was explicitly stated that it cannot protect anything that cannot be valued with less than 1 million $ (if you have doubts, check your CA's contract). It was never designed to protect privacy or other human rights, just your Amazon book order.

    TLS is simply the wrong solution to the problem.

  3. Ross Dakin

    Chrome's well-worded summary of the impetus is worth reiterating:

    People do not generally perceive the absence of a warning sign.

    (https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure)

  4. Rayed

    How about if we adopt a new HTTPS extension similar to SNI to include the resource name (URI Path), this way we can still encrypt the user data and give the network operators control over unlawful content! http://en.wikipedia.org/wiki/Server_Name_Indication

  5. Joe

    Well, so much for using Chrome or Firefox anymore. As much as I hate it, I'll be switching to Microsoft's new browser if it doesn't do the same thing.

  6. Dave Winer

    This is a compelling argument in favor of improving the security of the web where it is needed, much better than anything that's come out of Mozilla, which seems more to be about their power, and not any real argument for why it might be needed. But please, it hardly seems a good trade, throw away all the independent content on the net, and all the history, to get some security that you can get other ways, without the cost.

    I think people who need clear access to the Internet without govt intervention already know how to do it. VPN and TOR are good solutions, no?

  7. crosser

    Please, introduce DANE support first, deprecate unencrypted http after that! Otherwise, you are just feeding useless CAs.

  8. TesX

    Well, https://letsencrypt.org to the rescue!

  9. Rahul Ghose

    This looks fine and is obviously the "right" thing to do. However, this will cause major headaches to many programmers round the world. Think about all automation breaking and many scripts which run only on HTTP will break. Bad news for hackers.

  10. Chris Melikian

    This is such a bad idea and will mean people who don't need encryption will suffer because a few people in power (Mozilla Foundation) say so. A header on the screen inserted by the Firefox browser into all insecure pages would have sufficed.

  11. cym13

    Ok, let's compare pros and cons:

    Pros:

    • More traffic is encrypted making it more difficult to spy on global traffic
    • Some MITM attacks are made more difficult which is good

    Cons:

    • Doesn't really block many MITM attacks as most people just ignore invalid certificates
    • Doesn't block governments as CAs are known to give valid certificates to some in order for them to look on their citizens
    • Each and every request will involve a request to a third party with the domain name available. This isn't just dangerous for privacy, there are lives at stake.
    • The entry barrier on the web keeps getting higher, making it more difficult for non-corporate to develop.
    • More power is given to a small number of companies with evident economic interest. Free certificates are only free as long as they don't want to collect their money.

    To me, this is clearly a very bad idea.

    Mozilla showed with its Hello project that it was considering being more than just a web browser, I think they should try to use this to build an alternative to CAs. A global P2P network between mozillians to act as a Web of Trust for example. Or at the very least a scheme to protect the privacy of people making requests to CAs (dinner of the cryptographs?).

    There are opportunities there, but centralizing the internet into the hands of companies that are known to be not as trustworthy as they should be is nothing but a bad idea.

  12. bassie

    Self-signed certs with DANE verification seem to be a viable solution for the DIY issue. So Firefox and other browsers need to build in support for DANE. Website owners who want additional trust still can use a CA signed certificate.

  13. David

    I'd love to move to full https, but certs with wildcard subdomains usually cost a thousand USD a year, and I'm in a country where our currency is worth little, so for example, a regular full-time wage is 400-500 USD. If Mozilla goes through with the "HTTPS certs for everyone" service, this would not be a problem. As it is now, it is a problem (cost of certs)

  14. open_your_eyes

    It's all open source. If we really want to see browser(s) continue to support HTTP, all it takes is a fork (...and a lot of energy.)

  15. this_is_the_end

    I have been using Firefox for a long time.

    Now they wish to ban HTTP.

    I do not agree with this.

    But I have no alternative either.

    That is unfortunate. I was a staunch supporter of Firefox and now they are killing it off.

    None of your reasons apply because, why should anyone care what dictatorships do? Why do we have to lower our standards, and default to HTTPS while deprecating non-HTTPS?

  16. Matt Freeman

    This is great, excellent news for consumers, unfortunately though corporations (where workstation builds are automated so a cert can be stuck in a Windows GPO or custom rolled rpm/deb) are fighting this by increasingly introducing [comically poorly implemented] deep packet SSL proxy/firewalls, unrolling end to end security and performing a nasty MITM, of course implemented by non-crypto experts. For win for most, though not everyone.

  17. Keith

    Encryption makes sense for a lot of traffic, but not all of it. Just because some companies and countries screw up doesn't mean we need to mess up the Internet. We can pass laws or whatever to stop them.

    You are trying to fix a political problem with the wrong technical solution.

    Take my website, as an example. It is filled with blog postings and a link to a free download of my book and other content I link to or give away. Why would I bother to encrypt it?

    I realize Mozilla spent a lot of time implementing DRM into the latest Firefox, but there is still a lot of free content out there where encryption isn't warranted.

    BTW, I never will encrypt my site. You may be earnest in your idea today, but the idea that Firefox will actually quit supporting HTTP is silly. It would drop down even farther from the current position of 10%.

    I suggest you read the comments in this article: https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

    They point out many things: how it screws up caching, makes the web more expensive, that Mozilla is becoming a dictatorial nanny, how this should be an option that a computer’s administrator decides on, etc., etc.

  18. Jason Sturges

    Perhaps you're referencing Google's "HTTPS as a ranking signal": http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html

    Along with references from Google I/O 2014 - HTTPS Everywhere: https://youtu.be/cBhZ6S0PFCY

  19. Jason Sturges

    What is the source reference of your citation that Google's security team declared something similar, when you state:

    "They're joined by the Chrome security team, which declared something similar in December"