Want fancy Firefox features? Secure your website !
In a bid to make the Web a safer place, Mozilla’s security team proposes making encrypted connections necessary for using new Web technologies. Google’s Chrome team has a similar idea.
Mozilla has a new idea to use its Firefox browser to protect the Web from problems like eavesdropping and website tampering.
The nonprofit organization, along with allies such as Google and the Electronic Frontier Foundation, want website communications to be encrypted so eavesdroppers can’t snoop on what you’re saying or alter websites to inject malware or ads.
On Monday, Mozilla Security team leader Richard Barnes proposed an incentive to push this move toward encryption: make the latest browser features work only if it’s enabled.
The move toward better encryption — that is, conversion into unreadable code that can be deciphered only by authorized parties — represents an arms race between browser makers and increasingly sophisticated malware developers. Only 45 percent of the Web’s top million sites offer encryption, according to a 2014 analysis, but browser makers hold a lot of power to change that. It’s hard to get the average person to embrace security measures like dual-factor authentication and passwords that are unique and complicated, but making the Web more secure by default helps people without them having do anything different.
And that would make it safer for all of us when shopping online, using chat apps or reading friends’ posts on social networks.
“If you want to use new things, you need to provide security,” Barnes said in a mailing list posting. The proposal “makes a clear statement to the Web community that the time for plaintext is over,” he said, referring to unencrypted data that’s more easily snooped and modified. A second phase of the plan would gradually modify existing Web features so they, too, would require the secure connections that new features demand.
Google floated a similar idea in February, suggesting that encryption be required for delivering copy-protected video to a browser or letting a Web app use a PC or phone’s camera.
But by raising a similar idea for another major browser, the Mozilla proposal adds significant new muscle to the movement to encrypt Internet communications by default.
Leverage for encryption
Mozilla’s idea has power because programmers are embracing new technologies that transform the Web from a place to publish static documents into a foundation for interactive apps for communication, work and entertainment. The Web is steadily advancing in sophistication with new features like accelerated 3D graphics for games, built-in technology for video and audio chat, and standards to let Web-based applications work even when there’s no network connection.
But the Firefox maker hasn’t yet decided to implement the security change. “The goal of this thread is to determine whether there is support in the Mozilla community for a plan of this general form,” Barnes said. A precise plan will require work with website operators, other browser makers, and likely the World Wide Web Consortium, which marshals involvement from dozens of companies and organizations to develop Web standards.
Technology standards groups that collectively chart a lot of the Internet’s future have begun pushing for encryption, too. That includes the Internet Engineering Task Force (IETF), Internet Architecture Board (IAB) and World Wide Web Consortium (W3C).
“The Web’s trustworthiness has become critical to its success,” the W3C’s Technical Architecture Group concluded in January. “If a person cannot trust that they are communicating with the party they intend, they can’t use the Web to shop safely; if they cannot be assured that Web-delivered news isn’t modified in transit, they won’t trust it as much. If someone cannot be assured that they’re talking only to the intended recipients, they might avoid social networking.”
Websites are delivered to browsers using two options: unencrypted HTTP (Hypertext Transfer Protocol) and the secure, encrypted HTTPS variation. (You’ll see those designations at the start of a Web address, such as https://www.facebook.com/.) Encryption on the Web scrambles data sent over the network using a technology called Transport Layer Security (TLS), a successor to the earlier Secure Socket Layer (SSL).
Several tech companies and organizations have been pushing for broader HTTPS use, but the movement picked up a new sense of urgency after former leaks from NSA contractor Edward Snowden revealed details of active government surveillance efforts.
Major Internet sites like Google, Yahoo, Twitter, Facebook and Microsoft have been shifting toward HTTPS by default, but much of the Web has yet to make the jump. It can be more expensive to deliver HTTPS Web pages, in particular for Web site operators that contract with content delivery network (CDN) companies to help disseminate Web data across the whole world.
In January, Google revealed a different option to discourage HTTP: add a warning to the Chrome browser that labels HTTP sites as “insecure.” The company lets people test the feature but hasn’t enabled it by default.
The US government — at least those outside the National Security Agency — are on board, too. One goal of the federal government’s chief information officer: “All publicly accessible Federal websites and Web services only provide service over a secure connection.” The White House Web site is encrypted, but the US Senate and House of Representatives sites are not.
Politicians are mixed, too. Among declared presidential candidates, Hillary Clinton uses HTTPS but Rand Paul and Ted Cruz do not.