Late last week Mozilla wrote on its Security Blog about a proposal to begin deprecating HTTP (the protocol mainly used to deliver websites to your web browser) in favor of HTTPS. While I agree with the overall principle of increasing security, providing integrity for the information that websites contain and ensuring that the website a person is viewing is the one they think it is (not a fake or impersonation), I don't believe enforcing HTTPS at this time (or in the very near future) is the correct decision.
While HTTPS offers the benefits mentioned above, it is not immune to fraudulent certificates being issued and only later being found to be fraudulent, at which point they have to be revoked, e.g. the breach of the Certificate Authority (CA) DigiNotar in 2011 and the accidental issuing of two subordinate (intermediate) CA certificates by another CA, TurkTrust (announced in 2013). The delay associated with revoking intermediate certificates led Mozilla to introduce OneCRL in Firefox 37.
To warn users when the certificate presented by a website is not the expected one, Google Chrome, Mozilla Firefox, Opera, Apple Safari (unconfirmed) and Internet Explorer (if EMET 4.0 or later is installed) will display a warning alerting you to the fact that the certificate does not appear to be legitimate. This is due to a feature known as certificate pinning.
Certificate pinning relies on an allowed (white) list, usually stored on your computer, of certificates (in practice, the hashes of their public keys) that are known to be genuine; the browser consults it when you visit a pinned website. Thus if you visit https:/www.contoso.com (intentionally malformed) and the certificate differs from the one in your allowed list, it's possible the website you are actually looking at is not the real contoso.com. This assumes your allowed list is kept up to date: if a certificate expires naturally and its replacement uses a different key, the replacement will not appear legitimate until the list is updated. Further resources that discuss certificate pinning are the following:
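The following is an added example (not code from the original post or from any browser vendor) of the check described above, written against X.509 certificates using only the Python standard library. Browsers and HPKP pin the hash of a certificate's SubjectPublicKeyInfo rather than the whole certificate, so the example extracts that field from DER, hashes it, and compares it with a pin list. The certificates are synthetic, built by a small DER encoder inside the block so that it runs offline; the hostname, keys and dates are constructed for the example. It shows the expiry edge case from the paragraph: a renewal with the same key still matches a stale pin list, a renewal after a key rotation does not unless the new key was pinned in advance as a backup.

```python
"""Key-pinning check against X.509 DER certificates, standard library only.
The certificates are synthetic (built by the tiny DER encoder below) so the
example runs offline; the pin logic is the same as for real certificates."""
import base64
import hashlib

SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)

# ---- minimal DER encoding, used only to construct the sample certificates ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def name(cn):   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (CN only)
    return der(SEQ, der(SET, der(SEQ, der(OID, b"\x55\x04\x03") + der(UTF8, cn))))

RSA_ENC = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(NULL, b""))
SHA256_RSA = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(NULL, b""))

def fake_cert(subject, key_bytes, not_after):
    """Synthetic v3 certificate: real field order, dummy signature, key_bytes
    standing in for the encoded RSA public key (constructed for this example)."""
    spki = der(SEQ, RSA_ENC + der(BITSTR, b"\x00" + key_bytes))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01") + SHA256_RSA
              + name(b"Example CA")
              + der(SEQ, der(UTCTIME, b"150101000000Z") + der(UTCTIME, not_after))
              + name(subject) + spki)
    return der(SEQ, tbs + SHA256_RSA + der(BITSTR, b"\x00" * 9))

# ---- the part a browser does: extract SubjectPublicKeyInfo and hash it ----
def _tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def spki_of(cert_der):
    """Raw DER of subjectPublicKeyInfo, the field HPKP and browser pin lists hash."""
    _, pos, _ = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)          # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == CTX0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != SEQ:
        raise ValueError("malformed tbsCertificate")
    return cert_der[pos:end]

def pin_of(cert_der):
    """pin-sha256 value: base64(SHA-256(SPKI)), as used by HPKP and Chromium's pin list."""
    return base64.b64encode(hashlib.sha256(spki_of(cert_der)).digest()).decode()

def chain_is_pinned(chain_der, pins):
    """Accept the chain if any certificate in it carries a pinned key."""
    return any(pin_of(c) in pins for c in chain_der)

# Constructed scenario: the site's 2015 certificate, its renewal with the same
# key, and a later reissue after a key rotation.
KEY_2015, KEY_2016 = bytes([0x11]) * 64, bytes([0x22]) * 64
CERT_2015 = fake_cert(b"www.contoso.com", KEY_2015, b"160101000000Z")
CERT_RENEWED = fake_cert(b"www.contoso.com", KEY_2015, b"170101000000Z")
CERT_ROTATED = fake_cert(b"www.contoso.com", KEY_2016, b"170101000000Z")
STALE_PINS = {pin_of(CERT_2015)}                       # pin list never updated
GOOD_PINS = {pin_of(CERT_2015), pin_of(CERT_ROTATED)}  # current key plus a backup pin

if __name__ == "__main__":
    print("renewal, same key, stale list:", chain_is_pinned([CERT_RENEWED], STALE_PINS))  # True
    print("key rotation, stale list:     ", chain_is_pinned([CERT_ROTATED], STALE_PINS))  # False
    print("key rotation, backup pinned:  ", chain_is_pinned([CERT_ROTATED], GOOD_PINS))   # True
```

Pinning the key rather than the certificate is why a routine renewal does not break pinned sites, and why operators who do pin are expected to publish a backup pin for the next key before rotating; without it, an out-of-date list turns a legitimate site into what looks like an impersonation.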
While the new Certificate Authority (CA) initiative Let's Encrypt (due to launch in the second quarter of 2015) will offer free certificates to allow sites to use HTTPS more widely, these are the most basic domain validated (DV) certificates, which are not suitable for all purposes. For example, Let's Encrypt does not offer wildcard certificates, so if you operate a lot of websites that share a parent domain, e.g. accounts.contoso.com and store.contoso.com, each hostname must be validated and listed explicitly (on its own certificate or as an additional name on one), which begins to enter the area of certificate management, the very burden Let's Encrypt is intended to reduce.
If Let's Encrypt suffered a significant security breach, or if the certificates it issues were misused, its certificates could be removed from browser trust stores. This happened to the Chinese CA CNNIC in April this year, when Mozilla and Google both removed it from their trust stores.
Let's Encrypt comes with drawbacks, the main one being that a DV certificate is issued to anyone who controls a domain; the applicant does not have to prove who they are, which is the very issue of trust/authenticity that a certificate is intended to address. Further discussion on the drawbacks of Let's Encrypt is available at this link.
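To make concrete what "anyone who controls a domain" means for the two paragraphs above, here is an added example (not the post's own code and not Let's Encrypt's implementation) modelling the CA side of the ACME http-01 challenge, the validation method Let's Encrypt uses for DV issuance. The account keys, token and the stand-in web server are constructed for the example. It shows that validation passes for whoever can place one file on the host's web server, that nothing about the applicant's identity enters the check, and that each hostname (www.contoso.com versus accounts.contoso.com) has to be validated separately.

```python
"""Stdlib-only model of the ACME http-01 challenge (RFC 8555 section 8.3),
i.e. what a domain-validated issuance actually proves.  The web server and
account keys here are constructed for the example, not real ones."""
import base64
import hashlib
import json
import re

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token, account_jwk):
    """The string the applicant must publish: binds the CA's token to the account key."""
    return token + "." + jwk_thumbprint(account_jwk)

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")   # at least 128 bits of base64url entropy

def validate_http01(fetch, hostname, token, account_jwk):
    """CA-side check.  Succeeds for whoever can place one file on the host's
    web server; the applicant's name, company or intent are never examined,
    and every hostname is validated on its own."""
    if not TOKEN_RE.match(token):
        return False
    body = fetch(hostname, "/.well-known/acme-challenge/" + token)
    if body is None:
        return False
    return body.strip() == key_authorization(token, account_jwk)

# Constructed stand-in for the applicant's web server: (host, path) -> body.
def fetch_from(served):
    return lambda hostname, path: served.get((hostname, path))

# Constructed account keys: a JWK carries no identity, only key material.
OPERATOR_KEY = {"kty": "RSA", "n": "wQ" + "A" * 340, "e": "AQAB", "kid": "ignored-by-thumbprint"}
ATTACKER_KEY = {"kty": "RSA", "n": "xR" + "B" * 340, "e": "AQAB"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed CA-issued token

# Only www.contoso.com publishes the key authorization; accounts.contoso.com does not.
SERVED = {
    ("www.contoso.com", "/.well-known/acme-challenge/" + TOKEN): key_authorization(TOKEN, OPERATOR_KEY),
}

if __name__ == "__main__":
    fetch = fetch_from(SERVED)
    print("operator, www:     ", validate_http01(fetch, "www.contoso.com", TOKEN, OPERATOR_KEY))       # True
    print("attacker, www:     ", validate_http01(fetch, "www.contoso.com", TOKEN, ATTACKER_KEY))       # False
    print("operator, accounts:", validate_http01(fetch, "accounts.contoso.com", TOKEN, OPERATOR_KEY))  # False
```

The check binds the token to the applicant's account key, so an attacker who merely observes the challenge cannot reuse it; what it does not do is establish who the account holder is, which is exactly the gap between DV and the higher-assurance certificate types.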
This is a complex and controversial subject, and while I wish to remain objective I do think the IETF's direction/proposals are more correct than Mozilla's. Indeed, while Google prefers HTTPS within its search rankings, it doesn't require it. Thus for Mozilla to offer fewer features to non-HTTPS sites is, I believe, the wrong decision, since HTTPS is not an ideal solution. I agree it's a big improvement over HTTP, but until the issues above have better solutions it would be incorrect to deprecate HTTP. Mozilla has since updated its blog post with a useful FAQ document (PDF) which accepts that HTTPS is not perfect and shows more understanding of the issues this proposal brings with it.