In its quest to a safer web, Mozilla just announced they are going to restrict new firefox features to webpages served through HTTPS.
Even if i'm completely convinced that HTTPS should be used everywhere i reckon that it can't be done in all cases.
Sometimes it's not possible to deploy HTTPS. Here is some examples which come to my mind :
- If the webserver isn't connected to the Internet, it's getting complicated to get a valid cert (it's a completely legitimate use case to deploy a webserver without Internet access).
- If the webclient can't keep the timedate while off it can be complicated to validate a cert too (many devices don't have a realtime clock like all the raspberries).
- When you are using a machine with an outdated openssl not too old but old enough to not being compatible with modern crypto…
That's for all these reasons that contrary to many common guidelines, I don't redirect unencrypted trafic to HTTPS. It's a choice i let to my visitors. If they wan't secure content they can have it, if they don't I won't force them.
Well, I hope Mozilla won't extend this restriction to their older features.