In December of 2014, Google announced that they would be deprecating HTTP in future versions of Chrome. In April of this year, Mozilla announced they would do the same with Firefox. As major influencers in Internet security, Google and Mozilla have set the standard for all browsers to update their protocols and improve web security.
Vulnerabilities with HTTP
Two major deficiencies exist in HTTP: 1) a lack of encryption and 2) a lack of authentication. User privacy can easily be violated over HTTP connections as HTTP is a plaintext protocol which was never intended to keep data private.
Observers of HTTP traffic, like ISPs or malicious actors, can insert unauthorized ads or track users’ Internet browsing. Third parties have even weaponized HTTP traffic by injecting malicious data or scripts without users knowing anything is different, as in the case of China’s Great Cannon.
HTTPS, the improved and secure protocol, encrypts the data being sent between you and the sites you visit, preventing bystanders from easily changing the data. Some types of certificates also provide higher levels of assurance to help visitors distinguish between legitimate sites and spoofed ones. More widespread use of HTTPS will help create a safer Internet.
What this Means for HTTP
HTTP deprecation does not mean that HTTP will cease to exist. HTTP sites will still be accessible to those who use either Chrome or Firefox; however, there will likely be changes to the visual security indicators for those sites.
In both browsers, the visual indicators may show that HTTP sites are not secure. Viewers will still be able to visit HTTP sites, but they will do so after receiving fair warning that the site is not secure. Future web-programming technologies may also be limited to only secure websites. Sites implementing new features over HTTP would not work properly in Firefox once the deprecation has actually taken place.
Google HTTP Deprecation
Google’s proposal calls for suggestions from the web community. Google suggests they may deprecate HTTP similar to the way SHA-1 is being deprecated, using a gradual “phase-out” timetable. As the deprecation date gets closer, visual indicators for HTTP sites would become more severe.
Mozilla HTTP Deprecation
Mozilla’s plan includes four phases. In the first stage, Mozilla and the web community will define what “privileged contexts” will be required for new features. The next stage will actually set a date for requiring privileged contexts for new features. Mozilla will then declare that privileged contexts be required for existing features. The last stage will hopefully see the entirety of Internet traffic secured.
A Step in the Right Direction
As major stakeholders in the continued growth of the Internet, Google and Mozilla recognize the importance of pushing the expanded use of HTTPS forward, and their announcements to deprecate HTTP are a step in the right direction toward creating a more secure web.
FAQs
Why is basic HTTP authentication not secure enough?
HTTP basic authentication provides a basic level of security by requiring credentials for access. However, it has limitations: credentials are sent in a way that can be intercepted if not using HTTPS, and it lacks advanced security features like token-based authentication.
Is HTTPS encryption enough?
Trust is more than encryption
But while HTTPS does guarantee that your communication is private and encrypted, it doesn't guarantee that the site won't try to scam you. Because here's the thing: Any website can use HTTPS and encryption.
Why is HTTP not used anymore?
The most significant problem with HTTP is that it sends hypertext as structured plaintext, so the data isn't encrypted. As a result, the data being transmitted between the two systems can be intercepted by cybercriminals.
Do any websites still use HTTP?
HTTP is the data transfer protocol used by almost every website since the early days of the Internet.
Why is HTTP not secure?
HTTP does not encrypt data during client-to-server communication, which means that any data transmitted over HTTP is sent in plain text without any encryption or security mechanisms. As a result, it can be intercepted and read by anyone with access to the network traffic, including cybercriminals.
How secure is HTTP authentication?
Security of basic authentication
As the user ID and password are passed over the network as clear text (it is base64 encoded, but base64 is a reversible encoding), the basic authentication scheme is not secure. HTTPS/TLS should be used with basic authentication.
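The point above, and in the earlier answer on basic authentication, as an added example (not from the original page): a short Python audit helper that scans captured plaintext HTTP requests for `Authorization: Basic` headers and shows that the base64 token decodes straight back to the user ID and password. The capture, host name and credentials are constructed for illustration, and `find_basic_credentials` is a hypothetical helper name.

```python
import base64
import binascii

# Constructed sample: two requests as they would appear in a capture of
# plaintext HTTP traffic (host name and credentials are made up).
CAPTURE = (
    "GET /reports HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "\r\n"
    "GET /status HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Bearer abc.def.ghi\r\n"
    "\r\n"
)


def find_basic_credentials(capture):
    """Return (host, user, masked_password) for each Basic header found."""
    findings = []
    for request in capture.split("\r\n\r\n"):
        headers = {}
        for line in request.split("\r\n")[1:]:  # skip the request line
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        scheme, _, token = headers.get("authorization", "").partition(" ")
        if scheme.lower() != "basic":
            continue  # other schemes (e.g. Bearer) are not base64(user:pass)
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # malformed token: nothing to report
        user, sep, password = decoded.partition(":")
        if not sep:
            continue
        # Report that a password was exposed without echoing it.
        findings.append((headers.get("host", "?"), user, "*" * len(password)))
    return findings


if __name__ == "__main__":
    for host, user, masked in find_basic_credentials(CAPTURE):
        print(f"cleartext Basic credentials for {user!r} sent to {host}: {masked}")
```

No key or secret is needed to recover the credentials, which is why the header is only as private as the transport carrying it.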
Why is OAuth better than basic authentication?
It's like choosing a secure, encrypted message over a shout across a crowded room. OAuth offers that essential layer of security and control, wrapping user credentials in a layer of armor that Basic Authentication simply can't match.
How do I know if HTTPS is encrypted?
To check an SSL certificate on any website, all you need to do is follow two simple steps.
- First, check if the URL of the website begins with HTTPS, where S indicates it has an SSL certificate.
- Second, click on the padlock icon on the address bar to check all the detailed information related to the certificate.
Is a VPN more secure than HTTPS?
Both a VPN and HTTPS encrypt data; the difference between the two lies in how much data each encrypts. HTTPS only encrypts the data that travels between a browser and a website, while a VPN encrypts all data before it even leaves your device, including data on apps and websites that don't have HTTPS protection.
HTTP does not use encryption, which means that any information you send can be intercepted by someone else on the network. This is why using a secure connection is essential when sending sensitive information.
Is HTTP done over TCP?
HTTP therefore relies on the TCP standard, which is connection-based. Before a client and server can exchange an HTTP request/response pair, they must establish a TCP connection, a process which requires several round-trips.
Is HTTP 1.1 deprecated?
The first usable version of HTTP was created in 1997. Because it went through several stages of development, this first version of HTTP was called HTTP/1.1. This version is still in use on the web.
Why avoid HTTP?
If a website uses HTTP instead of HTTPS, all requests and responses can be read by anyone who is monitoring the session. Essentially, a malicious actor can just read the text in the request or the response and know exactly what information someone is asking for, sending, or receiving.
What is the alternative to HTTP protocol?
The alternative for HTTP protocol is HTTPS (Hypertext Transfer Protocol Secure). HTTPS is a secure version of HTTP that encrypts data transmitted between a user's browser and the website they are visiting, providing an added layer of security and privacy.