One of the main reasons why the use of HTTPS has expanded so much in recent years, especially in 2017, has to do with Chrome’s security warnings. Google has used its browser’s dominant position to motivate (almost compel) developers to make their websites more secure by using encrypted connections instead of simple HTTP.
Now it is Mozilla that wants to take this premise a step further by enforcing the security standard called "secure contexts", which seeks to promote even more secure practices among web developers, going beyond the simple use of HTTPS to secure the connection between a website and the browser.
HTTPS for everything
The widespread idea today, especially among users, is that if a site is secured with HTTPS, it has already done everything right. This premise fails to account for many of the powerful and complex web functions and APIs that these sites use.
The principle behind the "secure contexts" of Firefox is very simple and covers just that: the use of HTTPS should be enforced for all these functions, such as geolocation, Bluetooth, the web notification API, access to the microphone and the camera, the HTTP/2 protocol, Google AMP, etc.
All of those things can work perfectly well under HTTP, but they represent a security risk for users. Even if the connection between the browser and the website uses HTTPS, one of those unprotected functions can still be opened in a separate window without the user noticing.
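The rule described above, as an added example that is not part of the original article or any browser's code: a simplified JavaScript model of the secure-context check, in which a powerful feature is allowed only when the page and every frame above it were delivered over a trustworthy origin. The function names, the restricted-feature list (taken from the article's examples) and the sample URLs are assumptions made for illustration.

```javascript
// Simplified model of the secure-context rules (added example).
// Assumption: each browsing context is represented only by its URL string.

// Is a single origin "potentially trustworthy"?
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable URLs are never trusted
  }
  // Encrypted, authenticated transports.
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  // Loopback hosts count as trustworthy even over plain HTTP,
  // which is why local development keeps working.
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true;
  if (host === "[::1]") return true;
  return false;
}

// A document is a secure context only if it AND every ancestor frame,
// up to the top-level page, is potentially trustworthy.
// `chain` lists URLs from the top-level page down to the innermost frame.
function isSecureContext(chain) {
  return chain.length > 0 && chain.every(isPotentiallyTrustworthy);
}

// Illustrative list of gated features, taken from the article's examples.
const RESTRICTED = new Set([
  "geolocation", "bluetooth", "notifications", "microphone", "camera",
]);

// Gate a powerful feature the way a browser enforcing secure contexts would.
function featureAllowed(feature, chain) {
  return !RESTRICTED.has(feature) || isSecureContext(chain);
}

// Constructed sample chains (hypothetical hosts).
const SAMPLE_CHAINS = {
  httpsTop: ["https://shop.example/"],
  httpsInsideHttp: ["http://portal.example/", "https://shop.example/widget"],
  localDev: ["http://localhost:3000/"],
};
```

The `httpsInsideHttp` chain is the case worth noticing: the inner frame is served over HTTPS, yet it is not a secure context because the page embedding it is plain HTTP.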
More complete security for a more complex web
The web is much more complex now than it was five or ten years ago. Many sites and services offer their users much more than text and images.
Web technologies have evolved by leaps and bounds and are so powerful that we can now do almost anything from the web without the need to install native apps.
The use of HTTPS is the most basic thing a web developer must consider today, but protecting only the connection between the site and the browser and forgetting about everything else, especially on a complex website with multiple functions, is like covering only half of the strainer.
Secure contexts is not a Mozilla standard; it is something Google actually started in 2014 and that has become a requirement in Chrome. Mozilla is now doing the same with Firefox, requiring developers to apply it immediately.
In addition to this, the plan is to stop supporting HTTP web technologies sooner or later, something they admit will not be a fast or uncomplicated process. After all, the simple adoption of HTTPS by websites is still a battle that is being fought.
Many websites would stop working, because many websites do not apply these security practices. They are looking for a balance between security and the amount of breakage among things that do not adhere to the standard.
The good news is that both Google and Mozilla seem to be committed to the HTTPS movement. The former has an extremely dominant position, and Mozilla riding the same train gives it an extra push, especially now that Firefox has gained a second life with Quantum.
Secure contexts also exists as a proposal at the W3C, as an attempt to make it one of the practices officially recommended by the consortium that recommends web standards.
It is a standard that is little talked about outside the developer niche, but it is of crucial importance for all users. But hey, you have to start somewhere.