posted by CoolHand on Wednesday April 15 2015, @04:52AM
from the it's-the-end-of-the-web-as-we-know-it-and-i-feel-fine dept.

Phoronix reports the Mozilla Security Engineering team is planning to make their browser useless for browsing much of the World Wide Web, by deprecating insecure HTTP.

Richard Barnes of Mozilla writes:

In order to encourage web developers to move from HTTP to HTTPS, I would like to propose establishing a deprecation plan for HTTP without security. Broadly speaking, this plan would entail limiting new features to secure contexts, followed by gradually removing legacy features from insecure contexts. Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over -- it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security.

See also this document outlining the initial plans.

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday April 15 2015, @05:02AM

    by Anonymous Coward on Wednesday April 15 2015, @05:02AM (#170762)

    I'll just generate self-signed certificates for all my crappy little server-side scripts that speak HTTP directly because it's such a pain to install a whole web server when HTTP is such a very simple protocol. On second thought, nope I'll just uninstall Firefux instead, because a bunch of jerks decided they don't want it to be a web browser anymore. Mozilla prefers to make a thinly-veiled thin-client for social media sites? Screw them.

  • (Score: -1, Troll) by Anonymous Coward on Wednesday April 15 2015, @10:09AM

    by Anonymous Coward on Wednesday April 15 2015, @10:09AM (#170873)

    Mozilla prefers to make a thinly-veiled thin-client for social media sites? Screw them.

    Check your privilege and educate yourself. Social media is one of the great ways voices from the margins are heard on the Internet. Mozilla, by standing up for the silenced and fostering an inclusive community, adds far more value to society than many imagine.

    • (Score: 5, Touché) by kaszz on Wednesday April 15 2015, @10:15AM

      by kaszz (4211) on Wednesday April 15 2015, @10:15AM (#170875) Journal

      It may also be of marginal value to read those voices.

      • (Score: 0) by Anonymous Coward on Thursday April 16 2015, @02:42AM

        by Anonymous Coward on Thursday April 16 2015, @02:42AM (#171329)

        If you're in a democracy those voices often matter about as much as your voice.

    • (Score: 0) by Anonymous Coward on Wednesday April 15 2015, @03:58PM

      by Anonymous Coward on Wednesday April 15 2015, @03:58PM (#171027)

      A Poe's law post if I have ever seen one.

  • (Score: 2) by urza9814 on Wednesday April 15 2015, @02:46PM

    by urza9814 (3954) on Wednesday April 15 2015, @02:46PM (#170977) Journal

    I'm in the same situation. Except my scripts have all used SSL from the start, because it's really not that hard. It takes less than 5 minutes to install Apache, and less than five minutes more to configure it for SSL. And it'll run on a $20 piece of hardware, so since you're describing this box as a "server" it surely has enough power for that.

    I'm sure Mozilla will have an option buried in the about:config somewhere to disable this...but if not, just set up a proper interface; it really should not be that hard, and do you really want to be managing your servers through insecure channels anyway?

    • (Score: 2, Interesting) by termigator on Wednesday April 15 2015, @05:43PM

      by termigator (4271) on Wednesday April 15 2015, @05:43PM (#171076)

      The problem is there is the push to reject self-signed certificates. Forcing https on the masses will increase the costs for anyone to run a server on the web and put too much control in CAs. There is also the likely side effect of making things more insecure as certificate issuers may become less rigorous, creating a false sense of trust.

      The use of encryption does not mean things are more secure.

      • (Score: 2) by urza9814 on Wednesday April 15 2015, @06:42PM

        by urza9814 (3954) on Wednesday April 15 2015, @06:42PM (#171120) Journal

        The problem is there is the push to reject self-signed certificates.

        If you don't want them to be rejected, install them onto the local system so they are trusted. That is the only secure option. Making the browser blindly accept self-signed certs doesn't just affect sites using self-signed certs; it makes every single website highly susceptible to MITM attacks. It defeats the entire purpose of having SSL. I don't want my bank becoming insecure just so you can pretend your personal website isn't.

        Forcing https on the masses will increase the costs for anyone to run a server on the web and put too much control in CAs.

        You can get certs for free. Mozilla is working with the EFF and others to make this even easier with LetsEncrypt.org. I have two personal websites which use SSL right now. I actually am not really using either of them yet, I just enabled SSL because it seemed like a good idea. It didn't cost me a single cent to do so, and only took about thirty minutes of my time. Get a free cert, drop the certs on the server, and change five or ten lines of the apache config. I've got two domains, two SSL certs, and six virtual servers all for $30/year so far. You could pay for that by picking bottles up off the sidewalk.

        There is also the likely side effect of making things more insecure as certificate issuers may become less rigorous, creating a false sense of trust.

        CAs that don't properly validate the certs they're issuing tend to get removed from browsers. Look at what happened recently with CNNIC. They were caught issuing crappy certs, and Mozilla (and others) removed them as a CA because of it.

        The use of encryption does not mean things are more secure.

        Correct. But Mozilla is working not only to require that encryption, but also to provide that encryption and to verify that encryption. And they aren't the only ones doing so. They've been working to push implementation of properly secured connections for a while already, and this shows that they intend to continue doing so for years to come.

        It seems like Mozilla has already thought of and solved all these problems. I'm not entirely sure about their UI team, but the rest of them do seem to know what they're doing. :)
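The "install them onto the local system so they are trusted" point above, as an added shell example that is not from the thread: it assumes the openssl command-line tool is installed, generates a self-signed certificate for a made-up host name, and shows that explicitly trusting that one cert accepts it while a second self-signed cert with the same name (the kind a man-in-the-middle would present) is still rejected, which is exactly what blindly accepting self-signed certs would throw away.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl command-line tool;
# the host name and file names below are constructed for the demo.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Make a self-signed certificate and key. $1 = file prefix, $2 = CN.
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Verify $1.crt against the system trust store only: what a browser does
# by default, and why an unknown self-signed cert gets a warning.
verify_default() {
    openssl verify "$WORK/$1.crt" >/dev/null 2>&1
}

# Verify $1.crt with $2.crt explicitly trusted: the effect of installing
# your own cert into the local trust store instead of clicking through.
verify_trusting() {
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

verdict() { "$@" && echo accepted || echo rejected; }

demo() {
    gen_selfsigned server   myscript.internal   # your real self-signed cert
    gen_selfsigned impostor myscript.internal   # another key, same name (MITM)
    echo "server, system store only:    $(verdict verify_default server)"
    echo "server, server.crt trusted:   $(verdict verify_trusting server server)"
    echo "impostor, server.crt trusted: $(verdict verify_trusting impostor server)"
}

demo
```

Making the trust system-wide is distro-specific; on Debian-based systems, for example, the cert goes into /usr/local/share/ca-certificates/ followed by update-ca-certificates.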

      • (Score: 2) by juggs on Thursday April 16 2015, @12:21AM

        by juggs (63) on Thursday April 16 2015, @12:21AM (#171255) Journal

        Will be interesting to see how the EFF et al. efforts pan out with their Let's Encrypt initiative https://letsencrypt.org/ - certs for all for free.

        Provided they can jump through the hoops and set up their procedures suitably, I can't see why their root CA would not become commonplace in browser / OS cert hives.

        That could leave just the Extended Validation (EV) green bar or shiny gold padlock types of fluff in the hands of the pre-existing CAs to gouge people on price for.