Mozilla Start Drafting Plans To Deprecate Insecure HTTP

  • #31
    Originally posted by bemerk:
    If they want to deprecate non-encrypted connections, they should focus on all aspects of certificate pinning first.

    Pinning header, Certificate Transparency logs, DANE, DNSSEC and their own CA so everyone can get certs for free.

    Right now it isn't really secure if every CA can make certs for every site, and only Chrome will notice it, and only on sites that Google pinned themselves.
    This is not true: a website admin can use pinning, and Firefox has supported that since Firefox 35 (released 13th January this year):

    Certificate Transparency is an open framework designed to protect against and monitor for certificate mis-issuances. It's defined in RFC 9162. With certificate transparency, newly-issued certificates are 'logged' to publicly-run, often independent CT logs — which maintain an append-only, cryptographically-assured record of issued TLS certificates.


    On the topic of their own CA and free certificates, they are doing that:

    The Let's Encrypt ACME Directory URL is: https://acme-v02.api.letsencrypt.org/directory To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol which typically runs on your web host.


    That is one of the reasons Chrome developers have also been able to suggest: let's try and get everyone on HTTPS.

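    The pinning that post #31 says Firefox 35 added is HTTP Public Key Pinning (RFC 7469): the site sends a Public-Key-Pins header carrying SHA-256 digests of its SubjectPublicKeyInfo, and a returning browser rejects any chain that validates but contains none of the pinned keys, which is what stops an arbitrary CA from vouching for the site. The Go program below is an added example, not code from the thread, from Mozilla or from any browser; the function names, the `example.test` name and the throwaway self-signed certificates are all constructed for the demonstration. It derives pins, builds the header and runs the client-side match against a pinned chain and against a certificate for the same name under a different key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// spkiPin returns the HPKP pin for a certificate: the base64 of the SHA-256
// digest of its DER-encoded SubjectPublicKeyInfo (RFC 7469, section 2.4).
// The pin covers the key, not the certificate, so a renewal with the same key
// keeps the same pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinHeader builds a Public-Key-Pins header value. RFC 7469 requires at least
// two pins, one of them a backup key that is not in the served chain, so a
// site that loses its live key can still be reached by pinning clients.
func pinHeader(pins []string, maxAge time.Duration) (string, error) {
	if len(pins) < 2 {
		return "", fmt.Errorf("need at least two pins (one live, one backup), got %d", len(pins))
	}
	parts := make([]string, 0, len(pins)+1)
	for _, p := range pins {
		parts = append(parts, fmt.Sprintf(`pin-sha256="%s"`, p))
	}
	parts = append(parts, fmt.Sprintf("max-age=%d", int(maxAge.Seconds())))
	return strings.Join(parts, "; "), nil
}

// chainMatchesPins reports whether any certificate in the presented chain
// carries a pinned key. A pinning client runs this after ordinary chain
// validation; pinning narrows which keys may appear, it does not replace
// validation.
func chainMatchesPins(chain []*x509.Certificate, pins []string) bool {
	pinned := make(map[string]bool, len(pins))
	for _, p := range pins {
		pinned[p] = true
	}
	for _, c := range chain {
		if pinned[spkiPin(c)] {
			return true
		}
	}
	return false
}

// selfSignedCert makes a throwaway ECDSA certificate (constructed test data)
// that stands in for the leaf a server would actually present.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	live, _ := selfSignedCert("example.test")
	backup, _ := selfSignedCert("example.test")
	// Same name, different key: the shape of a certificate a CA issued
	// without the site owner's involvement.
	misissued, _ := selfSignedCert("example.test")

	pins := []string{spkiPin(live), spkiPin(backup)}
	hdr, _ := pinHeader(pins, 30*24*time.Hour)
	fmt.Println("Public-Key-Pins:", hdr)
	fmt.Println("pinned chain accepted:   ", chainMatchesPins([]*x509.Certificate{live}, pins))
	fmt.Println("misissued chain accepted:", chainMatchesPins([]*x509.Certificate{misissued}, pins))
}
```

    Two caveats a practitioner would want next to this: a pin is only enforced on visits after the header has been seen (a first visit is unprotected), and a lost key with no valid backup pin locks the site out of pinning clients for the whole max-age. Mainstream browsers later removed HPKP support for exactly that second reason and now rely on Certificate Transparency logging instead.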

    • #32
      Originally posted by NatTuck:
      Along with Mozilla's policy of only connecting to secure sites with CA-approved certificates, this would effectively require all websites to be centrally authorized before publication.

      Needless to say, that's not compatible with a free web.
      This is how free a website is currently:

      - you have to register your domain with a registrar and they register it with a top level domain registry
      - or you get a blog or something with a blogging service and you get a sub-domain: somethingwhatever.blogger.com
      - most people don't host their own website (!) so how secure is that!? 'cloud computing' (AWS is an example of that) is probably the most stupid development in that regard. The perfect freedom-losing solution if you are using a cloud from a US company as a foreigner -> http://media.ccc.de/browse/congress/...ar_bowden.html

      If everyone moves to HTTPS, will this make you less free if we add to this list:
      - there are different CAs all over the world within different countries with different laws from which you can get a certificate

      So yes, maybe a little.

      If all the traffic people generate when visiting webpages is being stored and analyzed (especially identifiers like email addresses and passwords and login cookies!) by organizations like NSA and GCHQ, how free is that web?

      I think one step would be to at least encrypt all that data so all they get is the 'meta data'.

      Chrome and Firefox developers can only support things that will actually work and improve things.

      DNSSEC/DANE depend fully on the DNS system (if we depend on DNSSEC for HTTPS this means more centralization) and NameCoin or something along those lines will not be widely deployed as it won't solve anything for domains currently in use.

      What you do see is standards people working on the equivalent of certificate transparency for the DNSSEC-root and/or top level domains.


      • #33
        Originally posted by curaga:
        Move to a better browser, something that doesn't trust CAs
        You can make it so you don't have to trust the CA (for frequent site visitors):
        Certificate Transparency is an open framework designed to protect against and monitor for certificate mis-issuances. It's defined in RFC 9162. With certificate transparency, newly-issued certificates are 'logged' to publicly-run, often independent CT logs — which maintain an append-only, cryptographically-assured record of issued TLS certificates.


        • #34
          Originally posted by GreatEmerald:
          Yea, certificates are a pain. I have my own website and would love to use HTTPS, but getting a certificate that browsers acknowledge is hard; and it is serving static content only, aside from the control panel itself, so it's not worth the bother. Let's Encrypt does sound pretty good, but then I'd imagine Mozilla should start thinking about whether to try and deprecate HTTP only after it's launched.
          The launch of Let's Encrypt is planned for halfway this year.

          If you look at the timeline people are proposing for deprecation: it's years.


          • #35
            Originally posted by fguerraz:
            Deprecate insecure HTTP and I may start deprecating Firefox on my desktop and Android and advise my friends and relatives to do the same.

            I want HTTP and HTTP/2 without the need for SSL. What is this retarded idea that we should need SSL for everything? More important than "what" we're trying to protect people against is "who", and if the answer is the government then if they want to know what you're doing they just ask Google and the news website you're browsing and in most cases they'll be happy to comply...

            I don't want to have to pay extra money to run my website, I want to keep it simple and reliable and not have to change my certificate every year. F**K SSL everywhere, just let people use SSL if they want to.
            Then for HTTP/2 you'll be stuck with IE, because both Firefox and Chrome will only allow HTTP/2 over HTTPS: they want to promote security, and HTTP/2 over non-HTTPS might not work because of compatibility problems.

            My guess would be Opera will do what Firefox and Chrome do in this regard.

            You are still free to use HTTP in the long run.

            But the idea is you'll get a small icon which says your site is insecure which means:
            - the browser recommends the user not to submit any data to your site (personal information in forms like home addresses, passwords, email addresses, etc.)
            - the webpages the user visits can be seen by the networks
            - downloading software over HTTP is insecure (!)
            - site content could have been modified in transit by an attacker or the networks, this could mean:
            * ads are replaced, website owner doesn't get paid for the ads.
            * malware could be included in the page thus the image of the website owner will be tarnished
            * webpage can be altered to say something completely the opposite of what the website owner intended

            This is why things like this now exist:


            You see many examples:


            How about turning on the web camera and audio recording from a webpage? Don't you want that only on HTTPS?

            Because those are the sort of changes browser vendors are making.

            You really don't want anyone in the middle between your browser and a website to be able to include other code which sends that information somewhere else as well.


            • #36
              This is just silly! The majority of content on the Internet doesn't need SSL!

              Mozilla is really working themselves into obsolescence these days. I used to love Firefox but for the last couple of years I rarely use it. Chrome is so much more comfortable as a browser, it stays out of your way and does what you want it to do with a minimum of fuss. Firefox on the other hand is always complaining about something or checking for updates or whatever, uses a lot of screen estate and is slow to start up.


              • #37
                Originally posted by Marc Driftmeyer:
                Whatever Mozilla decides they need to address the absolute pig that is 37.0.1 that eats the main core on an 8 Core FX-8350 routinely with Amazon.com.

                Turning off the HTTPS extension helps for about 5 minutes, then the 4 tabs turn into about 1.5GB and 106% CPU main core hogging.

                I'm waiting on Debian to get GNOME 3.16 up so I can use Epiphany with WebKitGTK+ 2.8. That of course has issues I pointed out to Debian, including the fact their GStreamer 1.5 isn't correct and WebKit Trunk craps the bed until they fix it.
                No kidding. There is something very definitely piggish going on in Firefox, and it isn't just v37, it's been this way for quite a long time. Just leave it running *long* enough, and it sucks up all your memory, cranks up all your cores, and turns into a brutal resource hog. Wish they would just stop adding bullshit "features" that nobody needs or wants or uses, and focus on making it actually usable again.

                Mozilla's plan SHOULD be:
                1) Strip all the bullshit,
                2) Fix all the brokenness.
                ... in that order, because there is no point in fixing brokenness in bullshit that should be stripped.


                • #38
                  Originally posted by Lennie:
                  The launch of Let's Encrypt is planned for halfway this year.

                  If you look at the timeline people are proposing for deprecation: it's years.
                  But why talk about it before there's a good CA process in the first place?


                  • #39
                    We really need to add the overhead of ssl handshakes when pulling a weather report from local news?
                    Oh my god, I can't believe how my privacy is being violated, the government knows that I want to know what the weather is like outside, this must mean that I actually go outside sometimes and they know it!!!!!!!!


                    • #40
                      Originally posted by droidhacker:
                      We really need to add the overhead of ssl handshakes when pulling a weather report from local news?
                      Oh my god, I can't believe how my privacy is being violated, the government knows that I want to know what the weather is like outside, this must mean that I actually go outside sometimes and they know it!!!!!!!!
                      It is not just about privacy, but also about authenticity. I bet you wouldn't be too happy if your ISP or some other MitM injected some extra advertising onto the weather website. It would be even worse if some malicious JavaScript got injected so that your browser actively participated in a DDoS attack against another website (http://arstechnica.com/security/2015...sed-on-github/). HTTPS prevents both of these types of attacks.
