The Online Groups Setting the Stage for a More Secure Web
Last week, the makers of the popular Firefox browser announced they would begin favoring websites that use the secure HTTPS protocol, which would fundamentally change the way the web works. But the Mozilla Foundation is taking a step that some of the internet's most fundamental associations have long been calling for.
Someday, the internet could have two roads, one less useful than the other.
No, this isn’t a rehash of the net neutrality debate, which has started to move into the court system, but one where the browsers themselves set the paths. And the result could become better for the end user.
The Mozilla Foundation, the nonprofit group that runs and manages the popular Firefox browser, laid out this new direction for the internet’s future last week by announcing an audacious goal to eventually deprecate the common HTTP protocol, which most websites use, in favor of the more secure HTTPS protocol, which tends to be used mostly on login screens and checkout forms.
Its solution for doing this? Basically Firefox would stop making new browser features available for HTTP, with the idea that it would eventually require website owners to make their sites secure. And over time, it would even remove some existing features from HTTP sites.
“Removing features from the non-secure web will likely cause some sites to break,” the browser’s security lead, Richard Barnes, explained in a blog post. “So we will have to monitor the degree of breakage and balance it with the security benefit.”
The move, while backed widely within Mozilla’s own organization and in the technical community at large, proved extremely controversial with end users—one commenter said the announcement would “go down in history as the day that the World Wide Web died.”
That may be a little over the top, but it nonetheless draws a line in the sand from the way we’ve treated internet access in the past. Many of the internet’s largest platforms—Google, Twitter, Facebook—already push users onto the HTTPS platform by default. Your bank has done the same for years, as have many platforms that deal with sensitive data.
Now, following the lead of Firefox, even websites with little access to, or interest in peering into, user data, including traditional blogs, could find themselves being pushed toward securing their connections with end users.
Firefox as Trailblazer
The Mozilla Foundation is famous for taking principled stances on internet technology issues, even at the cost of momentum and browser share.
For years, just as an example, it held a line in the sand against the prevailing online video codec H.264, which became very popular as a Flash replacement despite its reliance on proprietary technologies. (Being an open-source software maker, Mozilla leans heavily on non-proprietary technologies.) It only changed its mind last year, creating an open-source alternative to the video protocol.
On balance, however, Mozilla has done more for the internet’s greater good than not—most notably, proving that standards-based web browsers were significantly better for end users. And it’s also proved very adaptable to its end users’ needs and larger trends online.
Tech Groups: The Future Is HTTPS
Mozilla might be a little early with this move, but it is far from the only one making this particular argument. Earlier this year, the World Wide Web Consortium Technical Architecture Group (W3C TAG) argued that it has become increasingly obvious that not enough of the web is being maintained on secure servers.
“In the past, Web sites have deployed HTTPS rarely; often, only when financial transactions take place,” noted W3C TAG editor Mark Nottingham. “More recently, however, it has become apparent that nearly all activity on the Web can be considered sensitive, since it now plays such a central role in everyday life.”
Even further, three major groups that manage the protocols that define the internet—the Internet Society (ISOC), the Internet Architecture Board (IAB), and the Internet Engineering Task Force (IETF)—have all recommended taking steps toward an HTTPS-only web.
“User trust is critical to the Internet’s continued growth and evolution,” ISOC wrote in November in response to an IAB recommendation that HTTPS be turned on by default online. “Realizing the IAB’s aspiration would drastically reduce the ability to eavesdrop or modify information sent over the Internet.”
And even the federal government has gotten into the game, with the Chief Information Officers Council recommending a move to HTTPS-only technology for federal agencies.
The Downsides Here
HTTPS isn’t perfect: Last month, reports surfaced of two separate bugs in a common HTTPS implementation that many iOS apps use. And that’s to say nothing about Heartbleed, which affected SSL, one of the underlying technologies that HTTPS relies on.
Many Firefox users noted that the situation had the potential to be inherently unfair to smaller hosts, which may now be on the hook to purchase security certificates for their websites as a result. Programmer and online activist Sven Slootweg noted that SSL and its successor, Transport Layer Security (TLS), had fundamental flaws.
“I do not believe that there is data that is ‘not important enough to encrypt,’” Slootweg explained. “I do however believe that there are fundamental problems with the way TLS is currently deployed in practice, problems that absolutely need solving before a forced global deployment of TLS can happen.”
(Mozilla disputes this characterization, noting that free SSL providers exist.)
But if these issues are solved in the coming years, the result could be better for everyone. Because who doesn’t like more security?