Mozilla to whack HTTP sites with feature-ban stick

Insecure sites relegated to Firefox Stone Age

Insecure websites will be barred from using new hardware features and could have existing tools revoked, if Mozilla goes ahead with a push towards HTTPS.

Webmasters that don't turn on HTTPS could be excluded from the new features list under a Mozilla initiative designed to rid the net of careless clear text gaffes, sending a "message" to developers that their web properties need to be secured, regardless of content served.

Precisely which features could be held back are subject to debate, Mozilla security chief Richard Barnes says.

"For example, one definition of 'new' [features] could be 'features that cannot be polyfilled'," Barnes says in a post.

"That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own but it would still restrict qualitatively new features, such as access to new hardware capabilities.

"Removing features from the non-secure web will likely cause some sites to break so we will have to monitor the degree of breakage and balance it with the security benefit."

Mozilla, whose Firefox is used by a quarter of net surfers, says [PDF] existing features may be revoked but not before developers receive prior notice.

The group has not yet set a date for when the "feature ban" will come into effect, but will submit proposals to the W3C WebAppSec Working Group 'soon'.

It may begin with a softer slap for insecure sites - for example, by limiting the abilities of features rather than an outright block.

Barnes says sites some HTTP content will be okay thanks to security features like HSTS.

"It should be noted that this plan still allows for usage of the HTTP URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the HTTP scheme can be automatically translated to HTTPS by the browser, and thus run securely." ®

Sponsored: Becoming a Pragmatic Security Leader




Biting the hand that feeds IT © 1998–2019