
This article is more than 1 year old

Secure web? That'll cost you, thanks to Mozilla's HTTPS plan

Firefox-shop breaks out the big stick

Firefox shop Mozilla recently became the latest in the long line of companies big and small trying to push the web from HTTP to the more secure HTTPS protocol.

In the post-Snowden world, where everyone from the NSA and GCHQ to your ISP is inspecting and sometimes altering content, HTTPS (which makes such things nearly impossible) makes sense.

Let's make that doubly clear: moving to HTTPS is a good thing.

However, the timing and way in which Mozilla, and to a lesser degree Google, would like to rush the web into HTTPS is all wrong.

Like Google before it, Mozilla wants to encourage developers to deploy new sites using HTTPS. Unlike Google, which has thus far used only carrot-like methods to entice developers, Mozilla is bringing out the stick to beat the web into HTTPS.

Mozilla plans to deprecate HTTP by first making "new features... available only to secure websites". Then, at some point it will be "gradually phasing out access to browser features for non-secure websites". A site without HTTPS won't work with HTML5 features in Firefox.

Mozilla's plan, therefore, is to break the web for Firefox and hope that convinces developers to get on board with HTTPS. It doesn't seem to be concerned with the idea that users might just switch to a browser that actually works.

In some cases it makes sense to force the subject. The geolocation API should have been HTTPS-only from the beginning. Some existing HTML APIs, like Service Workers, are already HTTPS-only. All of which is to say, again, HTTPS is a good thing, but making it the only thing, as Mozilla proposes to do, is fraught with problems.

The first problem is that it means the web is no longer free as in beer. Obtaining an SSL certificate is not free. In a follow-up FAQ statement (bizarrely, a PDF file) Mozilla does some hand waving about the question of HTTPS costs and contends that StartSSL offers free certificates.

That is technically true: you can obtain a certificate from StartSSL for zero dollars up front. But StartSSL charges to revoke certificates, even when those certificates turn out to be vulnerable to security threats like Heartbleed.

In other words, practically speaking, StartSSL is not free. If you can't revoke a certificate for free it isn't free. StartSSL is free in the same way that the first shot of heroin is always free. You'll be back and when you are you'll be paying for everything you do. StartSSL and others using the same pricing model know this, that's why they offer "free" certificates.

I run a number of HTTPS domains using certificates issued by StartSSL because there is no upfront cost. I do not, however, consider the service to be free. It also happens to be the most challenging thing I've ever tried to set up on a web server in twenty years of running servers.

There are some efforts underway to create a service that's both trusted by browsers — so visitors don't get the scary message about "self-signed" certificates — and free. The most notable is Let's Encrypt, which Mozilla is a part of, but (while it sounds nice) Let's Encrypt is just vaporware.

The move to pure HTTPS has costs that Mozilla has not credibly shown can be overcome. The HTTPS-only web Mozilla is envisioning is one where only the rich are welcome.
