How context security improves the “quality of encryption”

We’ll get to Context Security in a minute, but before that, take a step back and look at the current state of HTTPS. HTTPS adoption is at an all-time high. The latest report by Google shows that almost half of the internet is now encrypted. This is a remarkable achievement, and the credit goes to everyone, especially the browser community. The browsers have continuously pushed for a secure internet and have cracked down mightily on insecure HTTP sites. Recently, Google announced that it would mark all HTTP pages as “Not Secure” starting with Chrome 66.


Contrary to widely held belief, the use of HTTPS isn’t limited to web pages; it goes far beyond that. When you’re on a page, specific features work in the background, and they too communicate with the web server. HTTP/2, Geolocation, and the Payment Request API are some of the most notable. Because these features transmit information, they must come under the umbrella of HTTPS, and that is precisely what a ‘Secure Context’ is intended for.

What exactly is Context Security?

Mozilla defines Secure Context as, “a Window or Worker for which there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are not secure is limited.”

Context Security ensures that no, or very little, communication takes place over the insecure HTTP protocol. This way the likelihood of a man-in-the-middle attack is minimized.

In short, Secure Context is encryption everywhere – on the page as well as off the page.

Why securing web pages isn’t enough

There’s a guy named Bob, and he just installed an SSL cert on his website fearing Google Chrome’s pesky “Not Secure” warnings. We’d say, “Good job, Bob!”

Now he implements HTTPS, realizing that he’ll need to enable it on all his pages. We’d say, “Great job, Bob!”

But,

Bob forgets to deliver a PDF file via HTTPS/TLS. Now we’d say, “Not great, Bob!”

That’s because delivering a page via HTTPS/TLS isn’t enough; it has never been enough. And it’s probably never going to be enough. The transfer of sensitive information could take place through APIs or documents, and that’s why securing them is as important as securing your web pages. If these elements are not delivered via HTTPS, the window isn’t considered to be a secure context.
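To make the definition above and Bob’s situation concrete, here is an added example (not code from the original article) that models the W3C Secure Contexts rules: a window is a secure context only when its own origin is potentially trustworthy (https:, wss:, file:, or a loopback/localhost address) and every ancestor frame is too, which is why an HTTPS widget framed by Bob’s leftover HTTP page still gets no secure-context-only features. The hostnames bob.example and widget.example are constructed placeholders.

```javascript
// Added example: a small model of the W3C Secure Contexts algorithm.
// Not the article's code; hostnames used in comments are placeholders.

// Loopback addresses and "localhost" names are treated as trustworthy
// even over plain http, because the traffic never leaves the machine.
function isLoopbackHost(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  return h === "localhost" || h.endsWith(".localhost") ||
    /^127(\.\d{1,3}){3}$/.test(h) || h === "::1";
}

// "Potentially trustworthy origin": https/wss/file are always trustworthy;
// http/ws only when they point at the local machine. Unparseable input
// is treated as untrustworthy rather than throwing.
function isPotentiallyTrustworthy(urlString) {
  let u;
  try { u = new URL(urlString); } catch (e) { return false; }
  if (u.protocol === "https:" || u.protocol === "wss:" || u.protocol === "file:") return true;
  if (u.protocol === "http:" || u.protocol === "ws:") return isLoopbackHost(u.hostname);
  return false;
}

// A document is a secure context only if it AND all of its ancestor
// frames (up to the top-level page) are trustworthy. So an https iframe
// embedded in an http page is NOT a secure context.
function isSecureContext(documentUrl, ancestorUrls = []) {
  return [documentUrl, ...ancestorUrls].every(isPotentiallyTrustworthy);
}

// Gate a secure-context-only feature the way browsers do: instead of
// failing later, the feature is simply reported as unavailable.
function featureAvailable(feature, documentUrl, ancestorUrls = []) {
  const secureOnly = new Set(["geolocation", "serviceWorker", "paymentRequest"]);
  if (!secureOnly.has(feature)) return true; // e.g. a new CSS keyword
  return isSecureContext(documentUrl, ancestorUrls);
}
```

In a real browser the same answer is exposed to scripts as `window.isSecureContext`, which is the check to make before relying on any of the APIs in the table below.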

Firefox requires secure contexts everywhere for new features

In January 2018, Mozilla announced that all new web-exposed features must be served via HTTPS, taking us closer to achieving ‘secure contexts everywhere.’

“Effective immediately, all new features that are web-exposed are to be restricted to secure contexts. Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR. In contrast, a new CSS color keyword would likely not be restricted to secure contexts,” wrote Anne van Kesteren on Mozilla’s official security blog.

Features available only in secure contexts in various browsers

Each entry gives the status in Chrome/Opera, Edge, Safari and Firefox:

Geolocation: Chrome/Opera 47 / (Yes); Edge: no restriction, works in secure and non-secure contexts; Safari: (Yes); Firefox: 55
Payment Request API (and Basic Card Payment): Chrome/Opera (Yes); Edge: (Yes); Safari: no support; Firefox: currently not supported, being developed behind the dom.payments.request.enabled pref
Service workers: Chrome/Opera (Yes); Edge: (Yes); Safari: (Yes); Firefox: (Yes)
Storage API: Chrome/Opera (Yes); Edge: (Yes); Safari: no support; Firefox: (Yes)
Web Bluetooth: Chrome/Opera (Yes); Edge: no support; Safari: no support; Firefox: no support
Web MIDI (see MIDIAccess, for example): Chrome/Opera (Yes); Edge: no support; Safari: no support; Firefox: no support

Wrapping Up

Now that the encrypted internet is becoming the norm, secure contexts certainly raise the bar in improving what we call the “quality of encryption.” Users deserve encryption — not only in what they can see but also in what they can’t.
