Mozilla, the non-profit foundation behind the Firefox web browser, announced last week that Firefox will stop supporting web pages that use non-secure web connections at some point in the future.
What this means for people who use the web is that web sites that don’t use an encrypted connection (https rather than http) will produce warnings in Firefox and those websites won’t be able to use certain features of HTML5.
This is really big and controversial news. Secure web pages have traditionally been used anywhere that sensitive data is transferred over the web, such as in eCommerce applications. In the interest of protecting private user data, some larger websites, like Google, Facebook, and Twitter, have made the transition to 100% secure connections. The vast majority of websites still only use encryption where it’s required.
Why It’s Controversial
If implemented today, Mozilla’s decision would make the web much more secure, but it would also break most websites and raise the cost and skill level necessary for anyone to publish a website.
Alternatively (and more likely), some other browser makers wouldn’t buy into Mozilla’s solution, and the change would result in Firefox’s share of the browser market plummeting as people seek out browsers that will display websites correctly.
Clearly, Mozilla isn’t going to be able to stop supporting unencrypted web pages on its own, or any time in the very near future. As a long-term goal, however, requiring encryption does make sense once it’s made simpler and more affordable.
What’s Involved with SSL?
Secure websites use a protocol called SSL to encrypt data as it’s transferred from the web server to the user’s web browser. Once the encrypted data arrives on a user’s browser, the browser can decrypt the data, provided that the server is able to prove that the website is what it says it is. To prove its authenticity, the server has to have a certificate issued by a trusted third party. This is where encryption can get expensive. Depending on where you buy your SSL certificate, it can cost anywhere from a few dollars to hundreds of dollars per year. Presumably, more expensive certificates are more trusted or trustworthy.
The process for obtaining an SSL certificate can take several days, and requires the creation of public and private key pairs, the generation of a Certificate Signing Request (CSR), and installation of a new certificate and intermediate certificates every year. In other words, it’s a hassle that’s beyond the skill level of most web developers, not to mention most people who just want to put up a website.
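The key pair and CSR steps described above, as an added example that is not part of the original article. It assumes the OpenSSL command line is installed; the host name www.example.test and the helper function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: create a key pair and a CSR, then check them before submitting.
set -eu

# make_csr <hostname> <outdir>: writes <hostname>.key and <hostname>.csr
make_csr() (
  host="$1"; dir="$2"
  umask 077                       # private key readable by its owner only
  mkdir -p "$dir"
  # Step 1: private key (the public key is derived from it).
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  # Step 2: CSR = public key + requested names, signed with the private key.
  cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
  openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" \
    -out "$dir/$host.csr"
)

# The CSR's self-signature proves the requester holds the private key.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# key_matches_csr <key> <csr>: a mismatched pair makes the issued certificate unusable.
key_matches_csr() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# csr_has_san <hostname> <csr>: browsers match the host against this field.
csr_has_san() {
  openssl req -in "$2" -noout -text | grep -q "DNS:$1"
}

demo_dir=$(mktemp -d)
make_csr www.example.test "$demo_dir"
csr_signature_ok "$demo_dir/www.example.test.csr" &&
  key_matches_csr "$demo_dir/www.example.test.key" "$demo_dir/www.example.test.csr" &&
  echo "CSR ready to submit: $demo_dir/www.example.test.csr"
```

Only the .csr file is sent to the certificate authority; the .key file stays on the server.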
Would Mozilla Destroy Net Neutrality?
One of the core ideas of the web has always been net neutrality — the idea that everyone has equal access to the web. If implemented without a good and universal solution to the problems and complications of SSL, universal browser requirements for encryption could split the web into the usable, secure sites and the possibly unusable “non-secure” sites. No one wants this, but at the same time, no one wants the identity theft crimes and other types of hacks that result from insecure web pages to continue.
We don’t know what the answer is, but we’re thankful that Mozilla has forced the discussion.