Lack of Encryption, Authentication Led to HTTP Deprecation

In December of 2014, Google announced that they would be deprecating HTTP in future versions of Chrome. In April of this year, Mozilla announced they would do the same with Firefox. As major influencers in Internet security, Google and Mozilla have set the standard for all browsers to update their protocols and improve web security.

Vulnerabilities with HTTP

Two major deficiencies exist in HTTP: 1) a lack of encryption and 2) a lack of authentication. User privacy can easily be violated over HTTP connections as HTTP is a plaintext protocol which was never intended to keep data private.

Observers of HTTP traffic, like ISPs or malicious actors, can insert unauthorized ads or track users’ Internet browsing. Third-parties have even weaponized HTTP traffic by injecting malicious data or scripts without users knowing anything is different, as in the case of China’s Great Cannon.

HTTPS, the improved and secure protocol, encrypts the data being sent between you and the sites you visit, preventing bystanders from easily changing the data. Some types of certificates also provide higher levels of assurance to help visitors distinguish between legitimate sites and spoofed ones. More widespread use of HTTPS will help create a safer Internet.

What this Means for HTTP

HTTP deprecation does not mean that HTTP will cease to exist. HTTP sites will still be accessible to those who use either Chrome or Firefox, however, there will likely be changes to the visual security indicators for those sites.

In both browsers, the visual indicators may show that HTTP sites are not secure. Viewers will still be able to visit HTTP sites, but they will do so after receiving fair warning that the site is not secure. Future web-programming technologies may also be limited to only secure websites. Sites implementing new features over HTTP would not work properly in Firefox once the deprecation has actually taken place.

Google HTTP Deprecation

Google’s proposal calls for suggestions from the web community. Google suggests they may deprecate HTTP similar to the way SHA-1 is being deprecated, using a gradual “phase-out” timetable. As the deprecation date gets closer, visual indicators for HTTP sites would become more severe.

Mozilla HTTP Deprecation

Mozilla’s plan includes four phases. In the first stage, Mozilla and the web community will define what “privileged contexts” will be required for new features. The next stage will actually set a date for requiring privileged contexts for new features. Mozilla will then declare that privileged contexts be required for existing features. The last stage will hopefully see the entirety of Internet traffic secured.

A Step in the Right Direction

As major stakeholders in the continued growth of the Internet, Google and Mozilla recognize the importance of pushing the expanded use of HTTPS forward, and their announcements to deprecate HTTP are a step in the right direction to creating a more secure web.

Posted in Announcements, Browser, Encryption, Uncategorized