Announcement

Collapse
No announcement yet.

Mozilla Start Drafting Plans To Deprecate Insecure HTTP

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • GreatEmerald
    replied
    Yea, certificates are a pain. I have my own website and would love to use HTTPS, but getting a certificate that browsers acknowledge is hard; and it is serving static content only, aside from the control panel itself, so it's not worth the bother. Let's Encrypt does sound pretty good, but then I'd imagine Mozilla should start thinking about whether to try and deprecate http only after it's launched.

    Leave a comment:


  • Luke
    replied
    ISP's must NEVER have keys

    Originally posted by carewolf View Post
    That is exactly what he is talking about. That media content is often cached on ISP level.
    ISP's have gotten so malicious that giving them SSL keys would be the worst possible idea. I don't want them running caching proxies anyway, I found that that can force terminating a connection and making a new one to see modifications to a page. The counter to that right now is HTTPS, I've found that effective against both carrier caching and carriers attempting to serve degraded, compressed images. The latter can be blocked by NoScript, the former cannot be as it does not involve client-side code. If any SSH keys are given to ISP's we'll need to be able to blacklist every key they are suspected of having. I would tolerate dial-up speeds, capped from the first byte , even charged for by the kilobyte, long before I would tolerate carriers tampering with my data. I have never once seen a carrier-injected ad due to my aggressive countermeasures, I even have my own router's URL 127.0.0.1'ed out in /etc/hosts, if I need to connect to it's admin page I use the IP address.

    Right now we have Verizon's tracking headers (at least we stopped Turn), against which HTTPS works and Torbrowser offers 100% protection, T-Mobiles "web guard" proxy, and the known fact that most ISP's keep and presumably sell detailed lists of sites visited. We are rapidly approaching a future where everyone will have to use Tor for all online activity, and in order to handle the bandwidth Tor will have to require every connection to serve as an exit node. This will slow down the Internet as whole by a factor of three but may by the only defense against carriers who are so deeply malicious they make the NSA look like a joke.

    Leave a comment:


  • PRab
    replied
    There are 2 different security issues that HTTPS addresses.
    1. Authentication. You received what the website actually sent.
    2. Privacy. Only you know what the website sent.

    For many websites all that is needed/wanted is authentication. By switching to full blown HTTPS, you get both security features, but for somethings (static images), all you really want is authentication. For this type of content, HTTPS providing privacy is actually bad because breaks things like transparent proxies.

    In the end, I would rather see everything delivered via HTTPS, but I think the best solution would be to have everything to default to fully secure and have the website selectively mark content as authentication only.

    Leave a comment:


  • carewolf
    replied
    Originally posted by vadix View Post
    Maybe I just don't have a sense of humor, but I am fairly certain that the majority of web traffic comes from media content anyways, so I don't think that is a reasonable conclusion.
    That is exactly what he is talking about. That media content is often cached on ISP level.

    Leave a comment:


  • You-
    replied
    letsencrypt

    When letsencrypt is functional, https should become pretty convenient.

    https://letsencrypt.org/howitworks/

    Leave a comment:


  • bemerk
    replied
    Originally posted by uid313 View Post
    Yeah, and deprecate anonymity too.
    In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
    If you have an opinion, we want to know who you are and where you live!
    If you buy webspace, the hoster will have your adress already.
    If it is something like wordpress or blogger, some platform, its hoster will get a wildcard cert for all subdomains and you can still register with a trash-mail like right now.

    Certificates can also be domainvalidated so all that is checked is if you can receive mail for that domain.
    Not much difference to what we have right now.

    Leave a comment:


  • Kushan
    replied
    Originally posted by uid313 View Post
    Yeah, and deprecate anonymity too.
    In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
    If you have an opinion, we want to know who you are and where you live!
    Or, you know, you could use encryption without the authoritative CA. You know like the encryption that Firefox now tries to default to if full SSL isn't in place?

    Leave a comment:


  • bemerk
    replied
    Originally posted by uid313 View Post
    Yeah, and deprecate anonymity too.
    In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
    If you have an opinion, we want to know who you are and where you live!
    What does TLS have to do with "provide data to the government"?
    There are CAs that check only if you are able to receive mails for that domain you want a certificate for and if you purchase webspace your name and adress are usually already known to the hoster.

    If it is a blogging platform, the blog hoster will get the cert for the domain and you still only register with an anonymous mailadress.
    Don't see your problem.

    Leave a comment:


  • Shaman666
    replied
    Originally posted by nanonyme View Post
    Next step: People notice it was stupid to remove HTTP because transparent caching proxies no longer work so everyone run out of capacity. As a result keys are given to ISP's so they can terminate SSL, cache, and send connection forward as SSL
    Best of luck caching anything on the Internet today. Almost all content is dynamic.

    I ran transparent caching for years and when it came down under 12% hit rate (*NOT* including video), I just gave up.

    Leave a comment:


  • nanonyme
    replied
    Originally posted by uid313 View Post
    Yeah, and deprecate anonymity too.
    In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
    If you have an opinion, we want to know who you are and where you live!
    Seems like the excuse of a lifetime to me for NSA and friends

    Leave a comment:

Working...
X