This blog post briefly outlines the risks of continuing to deliver websites over http instead of https in the coming years. Obvious security benefits are put aside for now. Everything discussed in this post is probably 1-3 years away, so there is no need to panic. Still, it’s good to know the direction we’re heading.
Browsers will mark non-secure origins as non-secure
Normally, when you visit a site that is served over https, most browsers show a green lock symbol in the address bar, indicating that the page is served securely. This is going to be inverted, at least in Chrome. In the future, sites that are served over http instead of https will be flagged as insecure. Eventually, once https is the norm, the green lock indicator will completely vanish.
Beginning with (nightly) version 44, Firefox flags websites as non-secure when they contain a password input field. This measure is meant to keep users from submitting login data, because it might be compromised.
New web APIs are going to be https only
Some of the new web APIs, especially those that are considered powerful (e.g. have access to sensitive data), will only be available on pages served over https.
- Service Workers
- background tasks
- push notifications
- new cache abilities
- App install banners (due to service worker being needed)
The new compression algorithm brotli, which is said to have better compression results than gzip, will only work on HTTPS connections in Chrome and Firefox.
Existing web APIs will stop working on non-secure origins
Not only will new features be available for secure origins only, there are also discussions about removing currently available APIs from non-secure origins. Those include:
- access to microphone / camera
- full screen
- (session) storage
- https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
- https://sites.google.com/a/chromium.org/dev/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
- http://www.w3.org/TR/powerful-features/#feature-requires-privilege
- https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
Deprecation is already in progress
Using the geolocation API on a non-secure origin already triggers a deprecation warning in recent Chrome versions.
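To find out which of your own pages are affected, you can check a site inventory against the features listed above. The following is an added example, not code from the original post or from any browser: it uses a simplified version of the "potentially trustworthy origin" idea from the W3C document linked above, and the feature labels, function names and example.test URLs are assumptions made for illustration. Some of the listed features were only proposed for restriction at the time of writing.

```javascript
// Added example: flag pages in a site inventory that use features the post
// lists as restricted (or proposed to be restricted) to secure origins.
// Feature names are labels taken from the post, not browser API identifiers.
const RESTRICTED_FEATURES = new Set([
  "service-worker", "push-notifications", "app-install-banner",
  "geolocation", "microphone-camera", "fullscreen", "storage",
]);

// Simplified "potentially trustworthy origin" check: https/wss, loopback
// hosts and file: URLs count as secure; everything else does not.
function isPotentiallyTrustworthy(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false; // unparseable input is treated as non-secure
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  if (url.protocol === "file:") return true;
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Returns one finding per page that is served from a non-secure origin and
// uses at least one restricted feature.
function auditInventory(pages) {
  const findings = [];
  for (const page of pages) {
    if (isPotentiallyTrustworthy(page.url)) continue;
    const atRisk = page.features.filter((f) => RESTRICTED_FEATURES.has(f));
    if (atRisk.length > 0) findings.push({ url: page.url, atRisk });
  }
  return findings;
}

// Constructed sample inventory (example.test hosts are placeholders).
const SAMPLE_PAGES = [
  { url: "https://shop.example.test/", features: ["service-worker", "geolocation"] },
  { url: "http://shop.example.test/store-locator", features: ["geolocation", "analytics"] },
  { url: "http://localhost:8080/dev", features: ["microphone-camera"] },
  { url: "http://blog.example.test/", features: ["analytics"] },
  { url: "http://video.example.test/call", features: ["microphone-camera", "fullscreen"] },
];

console.log(JSON.stringify(auditInventory(SAMPLE_PAGES), null, 2));
```

Pages on http://localhost are not reported because loopback hosts are treated as secure, which is why such features keep working during local development.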