Deprecating Non-Secure HTTP

Last Thursday, April 30th 2015, Mozilla announced their intent to phase out non-secure HTTP. As Snowden revealed, non-secure HTTP is easily wiretapped. Intelligence agencies are doing this around the world, and such pervasive monitoring must be considered an attack on privacy. Even worse, cleartext HTTP may be used by attackers in a man-in-the-middle position to insert advertisements or malicious code. So it seems logical to reduce plain-text HTTP usage. This has already started: HTTP/2 is only supported over TLS-secured connections.

Content providers and users have unequal power in such a secured world.

In Germany most of the free-to-air TV stations also offer their programme in an HD version. However, this is done only encrypted: to view the encrypted streams it is necessary to pay a "service" fee. How could something similar be done on the web? For example, a big content or internet provider may choose to deploy a secure proxy that transmits the unsecured web content to the browser through a TLS connection, and charge a service fee for that. Let's hope such a thing never happens.

Some companies are already providing solutions that circumvent Mozilla's step. For example, CloudFlare has a solution that encrypts content which it retrieved unsecured from the web server. What is needed is a way for users to keep control and to TLS-secure their connections. One way may be to require the whole content of a page to come from the same server. Another way may be to allow users to specify trusted proxies. Such a proxy could, for example, run within the home router and provide services like virus scanning to all devices in the home. With the IoT these may in the near future be not only PCs, laptops, tablets, mobile phones, PlayStations, Game Boys, Blu-ray players and TV sets but also many more devices, including the infamous refrigerator. A central place to apply policies seems easier to maintain than securing each and every device.
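As an added illustration (not code from the original post), the "whole content from the same server" requirement above can be checked on the client side. The script below parses a page's HTML, resolves every subresource reference against the page URL, and flags those that are either fetched over cleartext HTTP (mixed content) or served by a host other than the page's own. The page URL, the HTML and the host names are constructed for this example; a trusted home-router proxy as described above could apply the same kind of check to every page it relays.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags and the attribute through which they pull in a subresource
# (a deliberately small set, constructed for this example).
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src",
    "link": "href", "source": "src", "video": "src", "audio": "src",
}


class SubresourceCollector(HTMLParser):
    """Collect absolute URLs of all subresources referenced by a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # Relative and protocol-relative references are resolved
                # against the page URL, so "//cdn.example/x.js" on an
                # https page becomes "https://cdn.example/x.js".
                self.urls.append(urljoin(self.base_url, value))


def audit_page(page_url, html):
    """Return [(url, reason)] for every subresource that violates a
    same-server, no-cleartext policy for the given page."""
    page = urlparse(page_url)
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    findings = []
    for url in collector.urls:
        u = urlparse(url)
        if u.scheme == "http":
            findings.append((url, "mixed-content: fetched over cleartext HTTP"))
        elif (u.scheme, u.hostname, u.port) != (page.scheme, page.hostname, page.port):
            findings.append((url, "third-party: not served by the page's own server"))
    return findings


# Constructed sample page: two same-server references that pass,
# one cleartext image and two third-party scripts that do not.
SAMPLE_PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<img src="http://www.example.com/banner.png">
<img src="images/logo.png">
<script src="//tracker.example.org/t.js"></script>
</body></html>"""

if __name__ == "__main__":
    for url, reason in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{reason}: {url}")
```

Run as a script it prints one line per violation in document order. A browser-side policy of this kind is coarse (fonts, CDNs and embedded media are all flagged), which is exactly why the text above frames it as one option among several rather than a drop-in fix.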