Announcement

Collapse
No announcement yet.

Mozilla Start Drafting Plans To Deprecate Insecure HTTP

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Originally posted by bemerk View Post
    If they want to deprecate non-encrypted connections, they should focus on all aspects of certificate pinning first.

    Pinning header, Certificate Transparency logs, DANE, DNSSEC and their own CA so everyone can get certs for free.

    Right now it isn't really secure if every ca can make certs for every site and only chrome will notice it and only on sites that google pinned themselfes
    This is not true, a website admin can use pinning and Firefox supports that since Firefox 35 (release 13th January this year):

    https://developer.mozilla.org/en-US/...ic_Key_Pinning

    On the topic of their own CA and free certificates, they are doing that:

    https://letsencrypt.org/howitworks/

    That is one of the reasons Chrome developers have also been able to suggest: let's try and get everyone on HTTPS.

    Comment


    • #32
      Originally posted by NatTuck View Post
      Along with Mozilla's policy of only connecting to secure sites with CA-approved certificates, this would effectively require all websites to be centrally authorized before publication.

      Needless to say, that's not compatible with a free web.
      This is how free a website is currently:

      - you have to register your domain with a registrar and they register it with a top level domain registry
      - or you get a blog or something with a blogging service and you get a sub-domain: somethingwhatever.blogger.com
      - most people don't host their own website (!) so how secure is that !? 'cloud computing' (AWS is an example of that) is probably the most stupid development in that regard. The perfect freedom-loosing solution if you are using a cloud from a US-company as a foreigner -> http://media.ccc.de/browse/congress/...ar_bowden.html

      If everyone moves to HTTPS will this make you less free if we add to this list:
      - there are different CA's all over the world within different countries with different laws from which you can get a certificate

      So yes, maybe a little.

      If all the traffic people generate when visiting webpages is being stored and analyzed (especially identifiers like email addresses and passwords and login-cookies !) by organizations like NSA and GCHQ how free is that web ?

      I think one step would be to at least encrypt all that data so all they get is the 'meta data'.

      Chrome and Firefox developers can only support things that will actually work and improve things.

      DNSSEC/DANE depend fully on the DNS-system (if we depend on DNSSEC for HTTPS this means more centralization) and NameCoin or something along those lines will not be widely deployed as it won't solve anything for domains currently in use.

      What you do see is standards people working on the equivalent of certificate transparency for the DNSSEC-root and/or top level domains.

      Comment


      • #33
        Originally posted by curaga View Post
        Move to a better browser, something that doesn't trust CAs
        You can make it so you don't have to trust the CA (for frequent site visitors):
        https://developer.mozilla.org/en-US/...ic_Key_Pinning

        Comment


        • #34
          Originally posted by GreatEmerald View Post
          Yea, certificates are a pain. I have my own website and would love to use HTTPS, but getting a certificate that browsers acknowledge is hard; and it is serving static content only, aside from the control panel itself, so it's not worth the bother. Let's Encrypt does sound pretty good, but then I'd imagine Mozilla should start thinking about whether to try and deprecate http only after it's launched.
          The launch of Let's encrypt is planned for half way this year.

          If you look at the timeline people are proposing for deprecation: it's years.

          Comment


          • #35
            Originally posted by fguerraz View Post
            Deprecate insecure HTTP and I may start deprecating Firefox on my desktop and android and advise my friends and relatives to do the same.

            I want HTTP and HTTP/2 without the need for SSL. What is this retarded idea that we should need SSL for everything? More important than "what" we're trying to protect people against is "who", and if the answer is the government then if they want to know what you're doing they just ask Google and the news website your browsing and in most cases they'll be happy to comply...

            I don't want to have to pay extra money to run my website, I want to keep it simple and reliable and don't have to change my certificate every year. F**K SSL everywhere, just let people use SSL if they want to.
            Then for HTTP/2 you'll be stuck with IE. Because both Firefox and Chrome will only allow HTTP/2 over HTTPS because they want to promote security and because of compatibility problems. And HTTP/2 over non-HTTPS might not work because of compatibility problems.

            My guess would be Opera will do what Firefox and Chrome do in this regard.

            You are still free to use HTTP in the long run.

            But the idea is you'll get a small icon which says your site is insecure which means:
            - the browser recommend the user not to submit any data to your site (personal information in forms like home addresses, passwords, email addresses, etc.)
            - the webpages the user visits can be seen by the networks
            - downloading software over HTTP is insecure (!)
            - site content could have been modified in transit by an attacker or the networks, this could mean:
            * ads are replaced, website owner doesn't get payed for the ads.
            * malware could be included in the page thus the image of the website owner will be tarnished
            * webpage can be altered to say something completely the opposite of what the website owner intended

            This is why things like this now exist:
            https://twitter.com/httpshaming

            You see many examples:
            https://twitter.com/HTTPshaming/stat...16240849326080

            How about turning on the web-camera and audio recording from a webpage ? Don't you want that only on HTTPS ?

            Because that is the sort of changes browser vendors are making.

            You really don't want anyone in the middle between your browser and a website to be able to include other code which sends that information somewhere else as well.

            Comment


            • #36
              This is just silly! The majority of content on the Internet doesn't need SSL!

              Mozilla is really working themselves into obsolescence these days. I used to love Firefox but for the last couple of years I rarely use it. Chrome is so much more comfortable as a browser, it stays out of your way and do what you want it to do with a minimum of fuss. Firefox on the other hand is always complaining about something or checking for updates or whatever, use a lot of screen estate and is slow to start up.

              Comment


              • #37
                Originally posted by Marc Driftmeyer View Post
                Whatever Mozilla decides they need to address the absolute pig that is 37.0.1 that eats the main core on an 8 Core FX-8350 routinely with Amazon.com.

                Turning off HTTPS extension helps for about 5 minutes, then the 4 tabs turns into about 1.5GB and 106% CPU main core hogging.

                I'm waiting on Debian to get GNOME 3.16 up so I can use Epiphany with WebKitGTK+ 2.8. That of course has issues I pointed out to Debian, including the fact their GStreamer 1.5 isn't correct and WebKit Trunk craps the bed until they fix it.
                No kidding. There is something very definitely piggish going on in Firefox, and it isn't just v37, its been this way for quite a long time. Just leave it running *long* enough, and it sucks up all your memory, cranks up all your cores, and turns into a brutal resource hog. Wish they would just stop adding bullshit "features" that nobody needs or wants or uses, and focus on making it actually usable again.

                Mozilla's plan SHOULD be;
                1) Strip all the bullshit,
                2) Fix all the brokenness.
                ... in that order, because there is no point in fixing brokenness in bullshit that should be stripped.

                Comment


                • #38
                  Originally posted by Lennie View Post
                  The launch of Let's encrypt is planned for half way this year.

                  If you look at the timeline people are proposing for deprecation: it's years.
                  But why talk about it before there's a good CA process in the first place?

                  Comment


                  • #39
                    We really need to add the overhead of ssl handshakes when pulling a weather report from local news?
                    Oh my god, I can't believe how my privacy is being violated, the government knows that I want to know what the weather is like outside, this must mean that I actually go outside sometimes and they know it!!!!!!!!

                    Comment


                    • #40
                      Originally posted by droidhacker View Post
                      We really need to add the overhead of ssl handshakes when pulling a weather report from local news?
                      Oh my god, I can't believe how my privacy is being violated, the government knows that I want to know what the weather is like outside, this must mean that I actually go outside sometimes and they know it!!!!!!!!
                      It is not just about privacy, but also about authenticity. I bet you wouldn't be too happy if your ISP or some other MitM injected some extra advertising onto the weather website. It would be even worse if some malicious javascript got injected so that your browser actively participated in a DDoS attack against another website (http://arstechnica.com/security/2015...sed-on-github/). HTTPS prevents both of these types of attacks.

                      Comment

                      Working...
                      X