Mozilla to whack HTTP sites with feature-ban stick


Reefa

Insecure websites will be barred from using new hardware features and could have existing tools revoked, if Mozilla goes ahead with a push towards HTTPS.

Webmasters that don't turn on HTTPS could be excluded from the new features list under a Mozilla initiative designed to rid the net of careless clear text gaffes, sending a "message" to developers that their web properties need to be secured, regardless of content served.

Precisely which features could be held back are subject to debate, Mozilla security chief Richard Barnes says.

"For example, one definition of 'new' [features] could be 'features that cannot be polyfilled'," Barnes says in a post.

"That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own but it would still restrict qualitatively new features, such as access to new hardware capabilities.

"Removing features from the non-secure web will likely cause some sites to break so we will have to monitor the degree of breakage and balance it with the security benefit."

Mozilla, whose Firefox is used by a quarter of net surfers, says [PDF] existing features may be revoked but not before developers receive prior notice.

The group has not yet set a date for when the "feature ban" will come into effect, but will submit proposals to the W3C WebAppSec Working Group 'soon'.

It may begin with a softer slap for insecure sites - for example, by limiting the abilities of features rather than an outright block.

Barnes says sites with some HTTP content will be okay thanks to security features like HSTS.

"It should be noted that this plan still allows for usage of the HTTP URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the HTTP scheme can be automatically translated to HTTPS by the browser, and thus run securely."

theregister.co.uk
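The two mechanisms Barnes names in the last quote, HSTS and the `upgrade-insecure-requests` CSP directive, modelled in an added example that is not part of the article or the post and is not Firefox's own code. It is a simplified model of the browser side: the `Browser` class, its method names and the sample hosts are assumptions made for illustration; header parsing follows RFC 6797 (HSTS is only honoured over HTTPS, `max-age=0` clears a policy) and the CSP directive upgrades every `http://` subresource of a page that carries it.

```python
"""Simplified model of how a browser turns http:// into https://
via HSTS (RFC 6797) and CSP upgrade-insecure-requests.
Constructed example; names and hosts are hypothetical."""
import time
from urllib.parse import urlsplit, urlunsplit


class Browser:
    def __init__(self):
        # host -> (expiry timestamp, includeSubDomains flag)
        self.hsts = {}

    def observe_response(self, url, headers):
        """Record a Strict-Transport-Security policy from a response.
        RFC 6797: the header is ignored unless received over HTTPS."""
        parts = urlsplit(url)
        hdrs = {k.lower(): v for k, v in headers.items()}
        sts = hdrs.get("strict-transport-security")
        if parts.scheme != "https" or sts is None:
            return
        max_age, include_sub = 0, False
        for directive in sts.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age" and value.strip().isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age == 0:
            self.hsts.pop(parts.hostname, None)   # max-age=0 withdraws the policy
        else:
            self.hsts[parts.hostname] = (time.time() + max_age, include_sub)

    def hsts_applies(self, host):
        """True if an unexpired policy covers host (or a parent with includeSubDomains)."""
        now = time.time()
        for known, (expiry, include_sub) in self.hsts.items():
            if expiry <= now:
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def resolve(self, url, page_csp=""):
        """Return the URL actually fetched for a request issued by a page
        whose Content-Security-Policy header is page_csp."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url                              # nothing to upgrade
        directives = {d.strip().lower() for d in page_csp.split(";")}
        if "upgrade-insecure-requests" in directives or self.hsts_applies(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url                                  # legacy http:// left as-is
```

Explicit `:80` ports are not remapped to 443 here, which the real CSP directive does; the model only shows the scheme rewrite the quote describes.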


As much as I want HTTPS Everywhere, who the hell is going to foot the bill for all these damn certs?
