
Firefox has an audacious plan to pressure websites to use encryption

John Slater

You might not have noticed, but many of the websites you visit have a big security flaw. Anything you upload or download can be intercepted by anyone who's listening in on your internet connection. And in today's wireless world, that can be a lot of people: your nosy neighbor, the guy sitting next to you at the coffee shop, or a foreign intelligence agency.

Luckily, technologists have come up with a solution to this problem. In fact, they invented the solution in 1995. It's an encryption technology called SSL. Unfortunately, the people who run websites have been dragging their feet on using it.

In the early years, there were good reasons for this. Encryption requires extra computing power, and servers in the 1990s didn't have much to spare. So the technology was only used by sites that really needed it — primarily banks and e-commerce companies accepting credit card payments.

But today's servers are a lot faster. Google estimates that using SSL encryption only increases the load on its servers by about 1 percent. So a lack of computing power isn't a good excuse for not using SSL. A lot more websites use the technology today than did a decade ago. Yet there are still a lot of websites that don't use it.

This is why a new announcement from Mozilla is such a big deal. The nonprofit company behind the popular Firefox web browser has decided that the lack of SSL will be treated as a security flaw.

Mozilla is planning to back this determination up with some concrete actions — in the future, non-SSL websites won't have access to security-sensitive features such as your camera.

But the move is also significant from a rhetorical point of view. Until now, SSL has generally been seen as an optional feature — something that's nice to have but not essential if you're not running a bank or e-commerce site. Mozilla is hoping to change the conversation, describing sites that don't support SSL as defective.

This shift in terminology could help IT guys convince their bosses that this is an issue worth taking seriously. It's one thing to say, "Hey, boss, I'd like to spend the next couple of weeks adding a new feature to our site that will make it more secure." It's another thing to say, "Hey, boss, major browsers think our site is broken. Can I take a couple of weeks to fix it?" The change in vocabulary could shift SSL from being seen as a nice-to-have to a must-have.

(Full disclosure: our boss at Vox Media agreed with our engineers about the need for SSL prior to the Mozilla decision, and we're working on a solution now.)

And there's good reason to think this will work. Google, the company behind the industry-leading Chrome browser, is a big SSL supporter. Google is considering taking a similar step with Chrome, and has already started downgrading non-SSL sites in search results.

Ultimately, this is good news for users everywhere. SSL doesn't just protect users from snooping, it also safeguards the integrity of websites, preventing intermediaries from hijacking pages for their own purposes. And with luck, we could soon live in a world where almost every website uses the technology.
