Mozilla has announced the availability of “opportunistic encryption”, offering unauthenticated encryption over TLS for data that would otherwise be carried via clear text.
Introduced in Firefox 37, which was released this week, it provides better integrity protection for data than raw TCP does when dealing with random network noise. In a blog post, Mozilla developer Patrick McManus said that this would benefit those with a long tail of legacy content that cannot yet be migrated to https.
He said: “Opportunistic encryption provides a mechanism for an encrypted transport of http:// data. That’s a strict improvement over the clear text alternative.”
Currently opportunistic encryption is not available with HTTP/1 servers, he explained, because that protocol does not carry the scheme as part of each transaction, which is a necessary ingredient for the Alt-Svc approach.
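To make the Alt-Svc mechanism McManus refers to concrete, here is an added example (not code from the article, from Mozilla, or from Firefox) in which a client parses an Alt-Svc header received on an http:// origin, keeps only an HTTP/2-over-TLS alternative, and builds the HTTP/2 pseudo-headers that carry the scheme the server needs. It assumes the Alt-Svc header syntax of RFC 7838; the header value, origin and function names are constructed for illustration.

```python
"""Added example (not from the article or Mozilla): how a client might
interpret an Alt-Svc header on an http:// origin and why the HTTP/2
":scheme" pseudo-header matters for opportunistic encryption.
The header value and origin used in the docstrings/tests are constructed."""
from urllib.parse import urlsplit


def parse_alt_svc(value):
    """Parse an Alt-Svc header value (RFC 7838) into a list of dicts.

    Each alternative looks like  proto="host:port"; ma=3600; persist=1
    and alternatives are separated by commas. "clear" withdraws all.
    """
    if value.strip() == "clear":
        return []
    alts = []
    for entry in value.split(","):
        parts = [p.strip() for p in entry.split(";") if p.strip()]
        proto, _, authority = parts[0].partition("=")
        alt = {"protocol": proto.strip(), "authority": authority.strip('" '),
               "params": {}}
        for param in parts[1:]:
            k, _, v = param.partition("=")
            alt["params"][k.strip()] = v.strip()
        alts.append(alt)
    return alts


def choose_opportunistic_alternative(alts):
    """Pick the first alternative that speaks HTTP/2 over TLS ("h2").

    HTTP/1 alternatives are rejected: an HTTP/1 request line has no room
    for the scheme, so the server could not tell that the request is for
    the http:// origin rather than an https:// one. (Simplification: only
    the exact "h2" identifier is accepted.)
    """
    for alt in alts:
        if alt["protocol"] == "h2":
            return alt
    return None


def build_request_headers(origin_url, path="/"):
    """HTTP/2 pseudo-headers for a request to an http:// origin that is
    sent over the TLS alternative. ":scheme" stays "http", which is how
    the server learns which origin's content is being requested."""
    origin = urlsplit(origin_url)
    return {":method": "GET", ":scheme": origin.scheme,
            ":authority": origin.netloc, ":path": path}
```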
Commenting, Terence Spies, CTO of HP Security Voltage, said that opportunistic encryption is not a “better” solution than TLS, but this standard removes almost all barriers to encrypting web traffic.
“It doesn’t resist attackers that can actively alter traffic, but keeps data private from attackers that are passively recording the contents of network connections,” he said. “If site administrators can enable encryption with a simple configuration switch, it moves us toward an internet where data is encrypted by default.
“It doesn’t solve every security problem, but raises the default security level from unprotected to privacy protected.”