On the last day of April, Mozilla announced that they intend to phase out (deprecate) non-secure HTTP, in favor of encrypted HTTPS, when communicating with websites.
In their published roadmap of intent, they haven’t provided dates or a timeframe for when this will happen, but they have indicated that, in the beginning, certain new features will only be available for HTTPS websites, although they also have not specified which features this would apply to. Additionally, as transitioning all websites to HTTPS is a long process, unencrypted websites will still work for months or even years to come using the Firefox browser, and with other Mozilla products.
As most people in the industry know, adding HTTPS to a website requires an SSL certificate, but this doesn’t mean a much higher cost, as Firefox will still accept certificates from several free certificate providers, such as StartSSL (based in Israel), WoSign (based in China), and, starting in mid-2015, California-based Let’s Encrypt. Mozilla is one of the major sponsors of the latter, together with Cisco, Akamai, Electronic Frontier Foundation (EFF), Automattic (creators of the WordPress blogging platform), and SSL provider IdenTrust. Some web platforms are also capable of providing an SSL certificate for free (such as CloudFlare), and Mozilla have also provided a HTTPS configuration generator for those who run their own server. As with before, self-signed certificates may not work, given that the browser is unable to verify the authenticity of such certificates, but for development and staging purposes, the end user may still work around this by configuring their browser with the self-signed certificate in advance, or “click through the scary dialogue” (as the Firefox Security Lead, Richard Barnes, bluntly puts it in the FAQ attached to their announcement).
On most modern platforms, the performance cost of adding HTTPS encryption is low, and in version 2 versions of HTTP (the transmission protocol), Mozilla claims even higher performance with SSL, when compared to HTTP/1.1, which is the most common standard used by many websites in the last decade or so.
Although the Certificate Authority (CA) system has flaws, including misbehaving CAs, Mozilla does point out in their FAQ that, for the most part, it works. It would, however, require browser providers such as Mozilla (and others, if they follow suit) to give a higher priority to kick out any misbehaving certificate authorities, and respond to security news even faster than they do today.The main challenge would be home routers or printers that need to be managed with web-based access, since these devices, and similar devices on a home network, are not provisioned with a certificate, even though most devices are certainly capable of HTTPS. However, given the gradual nature of Mozilla’s plan for phasing out non-secure HTTP, they will have plenty of time to solve problems such as this. But, as indicated several times throughout their announcement, everything that works today will still continue to work for a while.