Announcement

Collapse
No announcement yet.

Mozilla Start Drafting Plans To Deprecate Insecure HTTP

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Mozilla Start Drafting Plans To Deprecate Insecure HTTP

    Phoronix: Mozilla Start Drafting Plans To Deprecate Insecure HTTP

    Richard Barnes of Mozilla's Security Engineering team is calling for the deprecation of insecure HTTP...

    http://www.phoronix.com/scan.php?pag...-Insecure-HTTP

  • #2
    If they want to deprecate non-encrypted connections, they should focus on all aspects of certificate pinning first.

    Pinning header, Certificate Transparency logs, DANE, DNSSEC and their own CA so everyone can get certs for free.

    Right now it isn't really secure if every ca can make certs for every site and only chrome will notice it and only on sites that google pinned themselfes

    Comment


    • #3
      That's scary

      Along with Mozilla's policy of only connecting to secure sites with CA-approved certificates, this would effectively require all websites to be centrally authorized before publication.

      Needless to say, that's not compatible with a free web.

      Comment


      • #4
        Originally posted by phoronix View Post
        Phoronix: Mozilla Start Drafting Plans To Deprecate Insecure HTTP

        Richard Barnes of Mozilla's Security Engineering team is calling for the deprecation of insecure HTTP...

        http://www.phoronix.com/scan.php?pag...-Insecure-HTTP
        Next step: People notice it was stupid to remove HTTP because transparent caching proxies no longer work so everyone run out of capacity. As a result keys are given to ISP's so they can terminate SSL, cache, and send connection forward as SSL

        Comment


        • #5
          Originally posted by nanonyme View Post
          Next step: People notice it was stupid to remove HTTP because transparent caching proxies no longer work so everyone run out of capacity. As a result keys are given to ISP's so they can terminate SSL, cache, and send connection forward as SSL
          Maybe I just don't have a sense of humor, but I am fairly certain that the majority of web traffic comes from media content anyways, so I don't think that is a reasonable conclusion.

          Comment


          • #6
            Yeah, and deprecate anonymity too.
            In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
            If you have an opinion, we want to know who you are and where you live!

            Comment


            • #7
              Originally posted by uid313 View Post
              Yeah, and deprecate anonymity too.
              In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
              If you have an opinion, we want to know who you are and where you live!
              Seems like the excuse of a lifetime to me for NSA and friends

              Comment


              • #8
                Originally posted by nanonyme View Post
                Next step: People notice it was stupid to remove HTTP because transparent caching proxies no longer work so everyone run out of capacity. As a result keys are given to ISP's so they can terminate SSL, cache, and send connection forward as SSL
                Best of luck caching anything on the Internet today. Almost all content is dynamic.

                I ran transparent caching for years and when it came down under 12% hit rate (*NOT* including video), I just gave up.

                Comment


                • #9
                  Originally posted by uid313 View Post
                  Yeah, and deprecate anonymity too.
                  In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
                  If you have an opinion, we want to know who you are and where you live!
                  What does TLS have to do with "provide data to the government"?
                  There are CAs that check only if you are able to receive mails for that domain you want a certificate for and if you purchase webspace your name and adress are usually already known to the hoster.

                  If it is a blogging platform, the blog hoster will get the cert for the domain and you still only register with an anonymous mailadress.
                  Don't see your problem.

                  Comment


                  • #10
                    Originally posted by uid313 View Post
                    Yeah, and deprecate anonymity too.
                    In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
                    If you have an opinion, we want to know who you are and where you live!
                    Or, you know, you could use encryption without the authoritative CA. You know like the encryption that Firefox now tries to default to if full SSL isn't in place?

                    Comment

                    Working...
                    X