The latest version of Firefox has a new security feature that aims to put a band-aid over unencrypted website connections. Firefox 37 rolled out earlier this week with support for opportunistic encryption, or OE. You can consider OE sort of halfway point between no encryption (known as clear text) and full HTTPS encryption that’s simpler to implement.
For users, this means you get at least a modicum of protection from passive surveillance (such as NSA-style data slurping) when sites support OE. It will not, however, protect you against an active man-in-the-middle attack as HTTPS does, according to Mozilla developer Patrick McManus, who explained Firefox’s OE rollout on his personal blog.
Unlike HTTPS, OE uses an unauthenticated encrypted connection. In other words, the site doesn’t need a signed security certificate from a trusted issuer as you do with HTTPS. Signed security certificates are a key component of the security scheme with HTTPS and are what browsers use to trust that they are connecting to the right website.
The impact on you: Firefox support is only half of the equation for opportunistic encryption. Websites will still have to enable support on their end for the feature to work. Site owners can get up and running with OE in just two steps, according to McManus. But that will still require enabling an HTTP/2 or SPDY server, which, as Ars Technica points out, may not be so simple. So while OE support in Firefox is a good step for users it will only start to matter when site owners begin to support it.
More than OE
Beyond support for OE, the latest build of Firefox also adds an improved way to protect against bad security certificates. The new feature called OneCRL lets Mozilla push lists of revoked certificates to the browser instead of depending on an online database.
The new Firefox also adds HTTPS to Bing when you use Microsoft’s search engine from the browser’s built-in search window.