Announcement

Collapse
No announcement yet.

Mozilla Start Drafting Plans To Deprecate Insecure HTTP

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #11
    Originally posted by uid313 View Post
    Yeah, and deprecate anonymity too.
    In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
    If you have an opinion, we want to know who you are and where you live!
    If you buy webspace, the hoster will have your adress already.
    If it is something like wordpress or blogger, some platform, its hoster will get a wildcard cert for all subdomains and you can still register with a trash-mail like right now.

    Certificates can also be domainvalidated so all that is checked is if you can receive mail for that domain.
    Not much difference to what we have right now.

    Comment


    • #12
      letsencrypt

      When letsencrypt is functional, https should become pretty convenient.

      https://letsencrypt.org/howitworks/

      Comment


      • #13
        Originally posted by vadix View Post
        Maybe I just don't have a sense of humor, but I am fairly certain that the majority of web traffic comes from media content anyways, so I don't think that is a reasonable conclusion.
        That is exactly what he is talking about. That media content is often cached on ISP level.

        Comment


        • #14
          There are 2 different security issues that HTTPS addresses.
          1. Authentication. You received what the website actually sent.
          2. Privacy. Only you know what the website sent.

          For many websites all that is needed/wanted is authentication. By switching to full blown HTTPS, you get both security features, but for somethings (static images), all you really want is authentication. For this type of content, HTTPS providing privacy is actually bad because breaks things like transparent proxies.

          In the end, I would rather see everything delivered via HTTPS, but I think the best solution would be to have everything to default to fully secure and have the website selectively mark content as authentication only.

          Comment


          • #15
            ISP's must NEVER have keys

            Originally posted by carewolf View Post
            That is exactly what he is talking about. That media content is often cached on ISP level.
            ISP's have gotten so malicious that giving them SSL keys would be the worst possible idea. I don't want them running caching proxies anyway, I found that that can force terminating a connection and making a new one to see modifications to a page. The counter to that right now is HTTPS, I've found that effective against both carrier caching and carriers attempting to serve degraded, compressed images. The latter can be blocked by NoScript, the former cannot be as it does not involve client-side code. If any SSH keys are given to ISP's we'll need to be able to blacklist every key they are suspected of having. I would tolerate dial-up speeds, capped from the first byte , even charged for by the kilobyte, long before I would tolerate carriers tampering with my data. I have never once seen a carrier-injected ad due to my aggressive countermeasures, I even have my own router's URL 127.0.0.1'ed out in /etc/hosts, if I need to connect to it's admin page I use the IP address.

            Right now we have Verizon's tracking headers (at least we stopped Turn), against which HTTPS works and Torbrowser offers 100% protection, T-Mobiles "web guard" proxy, and the known fact that most ISP's keep and presumably sell detailed lists of sites visited. We are rapidly approaching a future where everyone will have to use Tor for all online activity, and in order to handle the bandwidth Tor will have to require every connection to serve as an exit node. This will slow down the Internet as whole by a factor of three but may by the only defense against carriers who are so deeply malicious they make the NSA look like a joke.

            Comment


            • #16
              Yea, certificates are a pain. I have my own website and would love to use HTTPS, but getting a certificate that browsers acknowledge is hard; and it is serving static content only, aside from the control panel itself, so it's not worth the bother. Let's Encrypt does sound pretty good, but then I'd imagine Mozilla should start thinking about whether to try and deprecate http only after it's launched.

              Comment


              • #17
                This may have sense for internet but what about multitude of other networks (yes, there are many of them) where it simply doesn't make any sense to use certificates?

                Comment


                • #18
                  Right now the only requirement to run a website is to have a white ip address (even this is optional). Domain name and certificate are optional. They want certificate to be a requirement, this is not acceptable. I'm for more security and encryption but I'm against removing choise.

                  Comment


                  • #19
                    Deprecate insecure HTTP and I may start deprecating Firefox on my desktop and android and advise my friends and relatives to do the same.

                    I want HTTP and HTTP/2 without the need for SSL. What is this retarded idea that we should need SSL for everything? More important than "what" we're trying to protect people against is "who", and if the answer is the government then if they want to know what you're doing they just ask Google and the news website your browsing and in most cases they'll be happy to comply...

                    I don't want to have to pay extra money to run my website, I want to keep it simple and reliable and don't have to change my certificate every year. F**K SSL everywhere, just let people use SSL if they want to.

                    Comment


                    • #20
                      Originally posted by NatTuck View Post
                      That's scary
                      I'd say it's frustrating but hardly scary. Mozilla has made a lot bad of decisions in recent years and FF usage share isn't what it used to be.

                      Comment

                      Working...
                      X