Mozilla's official blog in 2015.4.30 formally announced the elimination of the HTTP program.
These include: Setting a date, all new features will only be available to HTTPS sites, HTTP sites will be progressively blocked from accessing browser features, especially those related to user security and privacy. Mozilla's move is to send a message to the web developer community that they need to ensure the security of the site, and that only the entire web community and browser developers can join together to eliminate HTTP.
Mozilla plans to submit proposals to the WEBAPPSEC Working Group shortly thereafter.
For this strategy, there are different points of view, summed up the following points:
1, SSL certificate needs to spend money
2, public non-sensitive content does not require encryption
3. Encryption will slow down the website and degrade performance
4, SSL certificate itself is not invulnerable (such as CA can issue fake certificate)
The above points are not true
1, SSL certificate 0 is now becoming cheap, for individuals or start-up teams, you can also apply for a free certificate. The current SSL Digital certificate Web page can provide a global trusted certificate as low as hundred yuan.
2, GitHub is a man-in-the-middle attack proves that the potential harm of unencrypted network is very large.
3, hardware level Growth and algorithm optimization (such as chacha20_poly1305), encryption overhead is increasingly within the acceptable range.
4, SSL-related vulnerabilities now have a solution, for example, in order to combat false certificate risk, we have public key pinning. and the risk of false certificate to the CA is too large, easy to believe that users buy SSL certificate, do not choose cheap or free SSL certificate.
Mozilla new features only support HTTPS website, again promote SSL certificate popularization