Firefox shoots itself in the foot to annoy you into being more secure

The web has been abuzz this past week with news Mozilla is planning to start making some features work exclusively with secure HTTP connections. It appears the makers of Firefox want to encourage users and website administrators to use secure HTTP (HTTPS) connections all the time. To encourage secure behaviour, Mozilla plans to start doing two things:

1. Begin developing new features that work with secure connections only.

2. Begin disabling existing features when a user is connected to an unsecured website.

In some ways I think Mozilla has their heart in the right place. I might even go so far as to applaud their efforts in developing new features exclusively for HTTPS connections. I think it makes sense to encourage administrators to set up secure websites and to encourage people running Firefox to use these security features. I am a big fan of projects like HTTPS Everywhere and Let’s Encrypt, projects which try to make setting up and using secure websites easier.

My issue with Mozilla’s plan is with the second part. Intentionally disabling existing features in a product to encourage people to use their software differently is unlikely to go well. A lot of websites simply do not need to be secure. Sure, anything we log into (a bank, a forum, an on-line store) should be set up in a secure manner. It makes sense that if you are sending your password or a credit card number over the ether that you want that information to remain private. However, there isn’t a strong motivation to encrypt publicly accessible data such as a news website, the weather, Wikipedia, home cooking websites and so on. Many people spend a lot of their time visiting websites that require no login and do not contain (or collect) sensitive information.

Trying to pressure web browser users to visit secure versions of these open, publicly available pages is not in anyone’s best interest. The web administrators do not want the extra overhead in cost or performance that secure connections require. The browser users are going to notice the connection is slower. No one wins in this scenario, except maybe people selling security certificates.

The first thing a person is going to think if features stop working on a website that previously worked is “The website is broken.” But if it happens across multiple websites the user will soon learn “Firefox is broken.” Firefox’s market share is already taking hits from Chrome and other competitors. Intentionally disabling features in Firefox is only going to weaken Mozilla’s brand and encourage people to seek alternatives.

One of my main concerns here is that website administrators are going to realize certain features no longer work on their websites for Firefox users and, rather than go to the effort of acquiring and enabling a security certificate for content that doesn’t call for extra security, they’re simply going to put a “This website works best in Chrome/Internet Explorer” at the top of the page. I remember seeing those banners a lot in the years before Firefox became a popular alternative to Internet Explorer. I do not wish to return to that time. I think it would be a shame if Firefox led us back into that scenario.