Announcement

Collapse
No announcement yet.

Mozilla Moves Forward With Deprecating Non-Secure HTTP

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Mozilla Moves Forward With Deprecating Non-Secure HTTP

    Phoronix: Mozilla Moves Forward With Deprecating Non-Secure HTTP

    Earlier this month I wrote about plans being drafted for Mozilla to deprecate non-secure HTTP support moving forward. Those plans have been firmed up and they announced their intent to phase out non-secure HTTP support...

    http://www.phoronix.com/scan.php?pag...cate-Non-HTTPS

  • #2
    I'll be sure to stop using it before then. Without an easy and freely available solution to augment millions of urls for https:// they are jumping the gun.

    Comment


    • #3
      Originally posted by Marc Driftmeyer View Post
      I'll be sure to stop using it before then.
      Then you will have to stop using the Internet. IIRC, I read somewhere that Chrome will deprecate non-HTTPS too.
      Originally posted by Marc Driftmeyer View Post
      Without an easy and freely available solution to augment millions of urls for https:// they are jumping the gun.
      That's why Mozilla, Akamai, Cisco and EFF decided to make https://letsencrypt.org/ which will be launched in mid-2015:
      Code:
      $ sudo apt-get install lets-encrypt
      $ lets-encrypt example.com

      Comment


      • #4
        I've used StartSSL for free SSL certificates for years without problem. Let's Encrypt is also due out in the coming months with an automatic process for getting and installing free SSL certs.

        Mozilla is only just announcing their intent to do this. It'll probably be a couple of years before it's actually fully implemented.

        Comment


        • #5
          Originally posted by Marc Driftmeyer View Post
          I'll be sure to stop using it before then. Without an easy and freely available solution to augment millions of urls for https:// they are jumping the gun.
          Which browser are you going to switch to, then? Chrome is going in the same direction, so that's no answer for you...

          However, I suspect the solution to your problem will be to just use HTTP over SSL/TLS, but without certificate checking. That's not ideal, of course, since you can't trust that you're talking to the site you want - but it does at least give you transport-level encryption, so that traffic isn't going out in plain text.

          Comment


          • #6
            Originally posted by Marc Driftmeyer View Post
            I'll be sure to stop using it before then. Without an easy and freely available solution to augment millions of urls for https:// they are jumping the gun.
            You mean something like this: https://letsencrypt.org/?

            Or something that exist for year like: http://www.startssl.com/

            Comment


            • #7
              "Setting a date after which all new features will be available only to secure websites
              Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy."

              And who is to decide? And privacy violation via SSL/TLS is impossible?


              Is it time to deprecate Mozilla Firefox then?
              Encryption is a nice thing but the web still consists of a plethora of http sites, some where you even can enter data and transmit in without encryption. But kind of killing off all this to live in a sandbox? Furthermore - "secure" connections tend to overwhelm the user with error messages - messages most people can't understand.
              Not all content is encrypted sometimes; e.g. pictures from an ad server. Error message. But which elements are insecure? How do you block them? Are they necessary for the site to work?
              Ownership things. Certificate errors in all the colours of the rainbow. How are people to understand this? How are people to decide and solve? Really make the exception permanent? How trustable are CAs? Is self signed of the same value? And so on.

              I guess we have challenging times ahead.
              Last edited by Adarion; 01 May 2015, 04:29 AM.
              Stop TCPA, stupid software patents and corrupt politicians!

              Comment


              • #8
                Has anybody take into account the use of Firefox as a testing tool for webservices?

                Originally posted by phoronix View Post
                Phoronix: Mozilla Moves Forward With Deprecating Non-Secure HTTP

                Earlier this month I wrote about plans being drafted for Mozilla to deprecate non-secure HTTP support moving forward. Those plans have been firmed up and they announced their intent to phase out non-secure HTTP support...

                http://www.phoronix.com/scan.php?pag...cate-Non-HTTPS


                What kind of nonsense is this?
                It is like allowing only Mercedes brand cars using highways.
                What happens to the hundreds of protocols that are transported over HTTP ( webservices etc. ) inside enterprise LANs?
                In short, has anybody take into account the use of the browser as a debugging tool for webservices and other protocols?

                I do not understand how a closed number of people are going to force the deprecation of so much older protocol, still in the hearth of the Internet core.

                Comment


                • #9
                  This is too good to be true. I like this decision but I really wonder how all the HTTP sites are going to switch to HTTPS.

                  Comment


                  • #10
                    Has anyone thought about the use of the browser as a debugging tool for XML over http

                    But what nonsense is this?
                    It's like allowing only a certain brand of cars using highways.

                    Has anyone thought about the use of the browser as a debugging tool for webservices, for example?
                    How many protocols are transported over http today? The so called "whatever-over-http"?

                    I do not understand how a small group of people intend to make deprecated a protocol that is in the core of the Internet.

                    Comment

                    Working...
                    X