HTTP is officially deprecated. SSL is DEAD.
Aractus
Just in case anyone’s confused by the title – SSL is dead, its successor is TLS and that’s what people really mean when they say SSL now (we still call security certificates SSL certificates).
In the latest Firefox update Mozilla quietly put into action the first step in their plan to phase out HTTP. What am I talking about?
Well this is how my blog is displayed in Firefox:
Notice the Green HTTPS Padlock to the left of the URL. This is how an insecure website looked before the 51.0 update was installed:
Notice that “Connection Not Secure” appears in red. Well that’s how it still looks, but on any page that has a user-name and password input you will see this:
This is the first time the insecure padlock has been used to mark HTTP pages. You can see this in action on just about any insecure forum on the internet.
Google is implementing the policy as well, this is how a secure page now looks as of earlier this month:
Notice that to the right of the padlock is the word “Secure”, whereas until earlier this month there was just the padlock. At the moment insecure sites in Chrome look like this:
The icon is a “neutral” information icon at present. However it does already display a direct warning in the information panel. This is how it will look soon:
And still later on the “neutral” information icon will be changed to a warning icon:
As mentioned though, Firofox already displays the warning icon. Mozilla and Google are intentionally staggering their implementation of this policy in order to ensure webmasters and hosts alike have a transition period, and also I imagine so they don’t put Let’s Encrypt under impossible pressure. On that note it’s worth saying that Let’s Encrypt over the past one year has become the largest CA by far, and their continued success will be very important to ensure that people have access to free security certificates.
As you can see, phasing out the HTTP protocol is the policy of Google and Mozilla, so I highly suggest all webmasters start securing their websites. At the moment they are targeting insecure pages with logins, however the eventual treatment will be to mark all HTTP pages on the internet as insecure. Further information on these policies can be found here:
- https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
- https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
- https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
Honourable mention: When I discovered this policy earlier this month, I happened to see completely by chance that the EST Hosting site’s SSL cert had expired (by about 4 hours at the time). I had a giggle about that and put it into the Whirlpool thread I made. As a courtesy I sent EST an email, and got a response back from the director Eddie who said their main concern was their clients websites, but they were actually working on enabling automated Let’s Encrypt certs for their clients. Eddie sent me another email today letting me know the implementation was complete (he also made a comment on the Whirlpool thread). It’s really great to see proactive webhosts like that who are enabling TLS, SNI, and free automated certificates from Let’s Encrypt for their client’s websites.