Affecting Insecure HTTP will be deprecated

Published: | Categories: Networking, Privacy & Security

Description

There is a broad industrial agreement that Internet connections should always be encrypted. The new Service Worker API requires HTTPS from the first. As per Mozilla developers’ proposal, several functionalities that need user permission, including the Geolocation, Notification, Fullscreen, Pointer Lock and Media Stream APIs, may also require HTTPS later.

Another proposal is to treat non-HTTPS cookies as session cookies, which could encourage ad networks and publishers to move to HTTPS.

Although there is no solid timeline yet, the deprecation of insecure HTTP will happen in the not-so-distant future. Web publishers are strongly recommended to develop a plan to migrate to HTTPS as soon as possible. To make transitions easier, Let’s Encrypt, a new certificate authority run by Mozilla and others, gives everyone a trusted certificate for free starting from November 2015.

We will update this document based on the most recent status.

Update: As of Firefox 55, Use of Geolocation API is now limited to secure sites.

Update 2: In January 2018, Mozilla announced their intent to require HTTPS for all new features plus some existing features. Starting with Firefox 60, WebVR can no longer be used on insecure sites.

References