
SoylentNews is people

posted by CoolHand on Wednesday April 15 2015, @04:52AM
from the it's-the-end-of-the-web-as-we-know-it-and-i-feel-fine dept.

Phoronix reports the Mozilla Security Engineering team is planning to make their browser useless for browsing much of the World Wide Web, by deprecating insecure HTTP.

Richard Barnes of Mozilla writes:

In order to encourage web developers to move from HTTP to HTTPS, I would like to propose establishing a deprecation plan for HTTP without security. Broadly speaking, this plan would entail limiting new features to secure contexts, followed by gradually removing legacy features from insecure contexts. Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over -- it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security.

See also this document outlining the initial plans.

 
  • (Score: 4, Interesting) by frojack on Wednesday April 15 2015, @05:34AM

    by frojack (1554) on Wednesday April 15 2015, @05:34AM (#170774) Journal

    Reading the news or some static page about gardening or the news hardly warrants the effort.
    In fact, I see very little content on the web that SHOULD be encrypted, but which isn't.

    When you consider how badly broken ssl is [theregister.co.uk] it seems the effort would be better spent fixing THAT than convincing everybody into a weak and vulnerable system of encryption. Converting email to encryption by default would make more sense.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 4, Interesting) by Adamsjas on Wednesday April 15 2015, @05:41AM

    by Adamsjas (4507) on Wednesday April 15 2015, @05:41AM (#170778)

    I agree. Mozilla: Why is encryption a bolt on in Thunderbird instead of built in?

    • (Score: 2, Informative) by David_W on Wednesday April 15 2015, @01:24PM

      by David_W (3469) on Wednesday April 15 2015, @01:24PM (#170947)

      Actually, encryption is built-in to Thunderbird. However, it is only the certificate-based kind of encryption. The bolt-on (Enigmail) is for PGP-based web of trust encryption.

  • (Score: 0) by Anonymous Coward on Wednesday April 15 2015, @06:55AM

    by Anonymous Coward on Wednesday April 15 2015, @06:55AM (#170805)
    An imperfect solution I think is still better than having everything exposed by default.
  • (Score: 3, Insightful) by Tork on Wednesday April 15 2015, @07:20AM

    by Tork (3914) on Wednesday April 15 2015, @07:20AM (#170819)

    Reading the news or some static page about gardening or the news hardly warrants the effort.

    Isn't the point that even seemingly innocuous information captured via a method like this could be used against you?

    --
    🏳️‍🌈 Proud Ally 🏳️‍🌈
    • (Score: 2) by Wootery on Thursday April 16 2015, @09:43AM

      by Wootery (2341) on Thursday April 16 2015, @09:43AM (#171491)

      Precisely. An example: if someone has a habit of reading articles about coming out of the closet, it's certainly not a crime, but it still might be something they'd rather want kept secret.

  • (Score: 5, Insightful) by Marand on Wednesday April 15 2015, @07:24AM

    by Marand (1081) on Wednesday April 15 2015, @07:24AM (#170822) Journal

    Reading the news or some static page about gardening or the news hardly warrants the effort.
    In fact, I see very little content on the web that SHOULD be encrypted, but which isn't.

    Secrecy is one reason to encrypt, but not the only one. Encryption also discourages certain bad behaviour like ISPs and other parties inserting advertisements into pages [google.com], for a common example. You also can't trust public access points not to mangle your traffic for personal gain; why not inject a few adverts and make a buck or two off of it? Plus there's always the possibility of a malicious third party getting access and injecting malicious code, such as the recent attack on github [arstechnica.com].

    Really, encryption by default is a great idea and should be embraced. The problem is that it's currently a pain in the ass to deal with when all you want to do is get a page up and running. Getting encryption going is already enough effort that it's unattractive to use, but then you have everybody demonizing self-signed certificates and pushing you to use properly signed ones, which means even more effort and expense.

    That's bullshit because for most uses, self-signed certs are good enough and would limit abuse, but browsers throw up giant warnings and panic buttons that say things like "Get me out of here!" if you try, making it look like insecure http traffic is safer. It's doubly bullshit because it's essentially telling you that, if you want encryption, you must either shell out or have your site be shunned. It's easier to the visitor if you just don't bother.

    Other protocols have made similar moves, with encryption either being bolted on (such as telnet-ssl, ftps) or new alternatives appearing to do the same job with encryption (ssh, scp, sftp). The difference is they're usually less of a headache to set up and don't all harass you for using self-signed certificates. Maybe you get a one-time "are you sure?" that gets saved afterward, without all the sky-is-falling melodrama every page visit.

    TL;DR: Deprecate unencrypted http? Great idea! Just fix the fucked up SSL certificates situation first, jackasses.
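
The one-time "are you sure?" that gets saved afterward, as the comment above describes for SSH-style tools, is trust-on-first-use pinning. The sketch below is an added example, not part of the original thread; the `PinStore` class, its JSON file format, the host name and the certificate bytes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate bytes."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Hypothetical known_hosts-style store: {"host:port": fingerprint}."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host, port, der_cert, accept_new=False):
        key = f"{host}:{port}"
        seen = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            if not accept_new:
                return "unknown"   # first contact: prompt the user once
            self.pins[key] = seen
            with open(self.path, "w") as fh:
                json.dump(self.pins, fh)
            return "pinned"
        # A changed certificate is never re-pinned silently.
        return "match" if hmac.compare_digest(pinned, seen) else "mismatch"


def demo():
    # Constructed stand-ins for DER certificates; with a live connection
    # the bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    store = PinStore(path)
    results = [store.check("hobby.example", 443, cert_a),
               store.check("hobby.example", 443, cert_a, accept_new=True)]
    store = PinStore(path)   # reload: the pin survives a restart
    results += [store.check("hobby.example", 443, cert_a),
                store.check("hobby.example", 443, cert_b)]
    return results


if __name__ == "__main__":
    print(demo())
```

The "mismatch" result is the case that matters: a self-signed certificate that changes after being pinned is the signal a one-time prompt exists to surface.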

    • (Score: 3, Informative) by DNied on Wednesday April 15 2015, @07:48AM

      by DNied (3409) on Wednesday April 15 2015, @07:48AM (#170830)

      You also can't trust public access points not to mangle your traffic for personal gain; why not inject a few adverts and make a buck or two off of it?

      Encryption can't fix that. The browser at an access point might still insert anything into the page source, post-decryption.

      Really, encryption by default is a great idea and should be embraced.

      Maybe, but we're not talking about encryption by default (à la HTTPS-Everywhere). Rather, we're talking about deprecating plain HTTP, which IMO is not a good idea. Lose the human readability of a data stream and you'll lose not just the ability to tamper with the stream, but the ability to check what's going in and out of your LAN too.

      • (Score: 4, Informative) by Marand on Wednesday April 15 2015, @08:21AM

        by Marand (1081) on Wednesday April 15 2015, @08:21AM (#170850) Journal

        Encryption can't fix that. The browser at an access point might still insert anything into the page source, post-decryption.

        I don't think you're talking about the same thing I am. A "public access point" generally means an open wireless AP, such as what you find in places like stores, restaurants, and coffee shops. You connect with your tablet, phone, or laptop and browse using your hardware on their network. HTTPS does limit the abuse potential in those cases. You seem to be thinking of a public computer, like what you find in a library.

        Maybe, but we're not talking about encryption by default (à la HTTPS-Everywhere). Rather, we're talking about deprecating plain HTTP, which IMO is not a good idea. Lose the human readability of a data stream and you'll lose not just the ability to tamper with the stream, but the ability to check what's going in and out of your LAN too.

        Telnet and FTP are deprecated in favour of secure counterparts, why not HTTP as well? You lose the ability to tamper with streams you don't initiate, but that doesn't mean you'll suddenly lose the ability to interact with HTTP outside of browsers. You can use other tools [superuser.com] to initiate and interact with SSL connections the same way you can telnet to port 80 and manually interact with HTTP.

        As for the LAN diagnostic argument, the benefits of non-encryption don't outweigh the disadvantages, in my opinion. Even with universal encryption, you can still see what host and port is responsible for suspicious or excess traffic and, if needed, use physical access to the hardware to determine what's going on. Netstat to find what process is responsible, maybe poke around memory to find out what the program is doing.

        You don't need deep packet inspection, nor does anybody else; it's just privacy invasion for the sake of convenience. Attitudes like that are why we need universal encryption at all.

  • (Score: 2, Interesting) by skater on Wednesday April 15 2015, @12:01PM

    by skater (4342) on Wednesday April 15 2015, @12:01PM (#170914) Journal

    I run a few little websites that don't have encryption, because they really don't need it. The busiest site is a phpBB forum for owners of a certain brand of recreational vehicle/campervan. It would cost me an extra $10/month to add an SSL server to my account on my hosting provider - not huge money, but I already spend $200/year hosting the sites, out of my own pocket. Plus, there's the cost of the certs themselves. I have no advertising, no paid subscriptions, no donations, nothing to earn back that money, and I don't mind; it's a hobby, not a business. In fact, if I started receiving money for it, I might cause issues with my actual job; so it's best to keep it free. To me, it's how the internet was supposed to work, and I'm glad I'm keeping that concept alive in my tiny corner.

    If you think of the "big" sites on the internet like news websites, Amazon, etc., then, yes, SSL encryption of all pages is only a small incremental additional cost for them, because they already have SSL installed for various reasons. For me, it's a relatively large additional expense, at least another third, with little reward that I can see. And with users who often aren't technically savvy, if they have Firefox, they'd go to the website, see it's not working, and assume the problem is on my end... sigh.

    • (Score: 3, Interesting) by tempest on Wednesday April 15 2015, @01:18PM

      by tempest (3050) on Wednesday April 15 2015, @01:18PM (#170941)

      Like you I have a hobby site that I make no money from. It's a VPS so I have TLS enabled, but I self sign certificates. Those who want to visit and accept the certificate can (mostly for my own uses). But opportunistic encryption offers a nice middle ground, where a http connection redirects queries to https, but does not require that connection be verified. I wouldn't be surprised if this becomes an option on shared hosting sites over time, but I think it's unlikely anyone will force it.

      I'm still waiting to see if LetsEncrypt pans out, but that got me thinking why I can't just get basic certificate verification for free.
      I own the damn domain name, shouldn't my domain registrar be able to give me a cert based on that?

      • (Score: 1) by skater on Wednesday April 15 2015, @03:05PM

        by skater (4342) on Wednesday April 15 2015, @03:05PM (#170988) Journal

        Unfortunately, self-signed certs generate all kinds of scary warnings in today's browsers, too. Again, the browsers seem to be written with Amazon/CNN/etc. in mind, and not with mom and pop hobby website. There should be a focus on the security for the former sites, of course, but let's not forget the latter in the rush to be 'safe'...

        • (Score: 2) by tempest on Wednesday April 15 2015, @03:28PM

          by tempest (3050) on Wednesday April 15 2015, @03:28PM (#171009)

          If connecting via https on port 443. But as I said with opportunistic encryption there are no warnings because the cert isn't verified.

      • (Score: 2) by urza9814 on Wednesday April 15 2015, @03:26PM

        by urza9814 (3954) on Wednesday April 15 2015, @03:26PM (#171005) Journal

        I own the damn domain name, shouldn't my domain registrar be able to give me a cert based on that?

        Gandi.net can, and they'll give you a cert for the first year for free ($15/year after that).

      • (Score: 0) by Anonymous Coward on Wednesday April 15 2015, @10:05PM

        by Anonymous Coward on Wednesday April 15 2015, @10:05PM (#171200)

        Until Let's Encrypt exists, you can use StartSSL [wikipedia.org] for free certificates. It takes a few minutes instead of a few seconds to get a certificate, but it's free for non-commercial use.

    • (Score: 0) by Anonymous Coward on Wednesday April 15 2015, @01:54PM

      by Anonymous Coward on Wednesday April 15 2015, @01:54PM (#170958)

      your hosting provider sucks and if you've got people logging in, it should be done over tls.

    • (Score: 2) by urza9814 on Wednesday April 15 2015, @03:24PM

      by urza9814 (3954) on Wednesday April 15 2015, @03:24PM (#171003) Journal

      I run a few little websites that don't have encryption, because they really don't need it. The busiest site is a phpBB forum for owners of a certain brand of recreational vehicle/campervan. It would cost me an extra $10/month to add an SSL server to my account on my hosting provider - not huge money, but I already spend $200/year hosting the sites, out of my own pocket. Plus, there's the cost of the certs themselves. I have no advertising, no paid subscriptions, no donations, nothing to earn back that money, and I don't mind; it's a hobby, not a business. In fact, if I started receiving money for it, I might cause issues with my actual job; so it's best to keep it free. To me, it's how the internet was supposed to work, and I'm glad I'm keeping that concept alive in my tiny corner.

      A forum is a great example of something which *really* ought to be encrypted. Sure, maybe the posts on the forums aren't that important, but what about protecting the users? What about the guy who's using the same password for your forum as he is for his email? You are transmitting his password in plaintext and he probably assumes it's secure. If he's using public wifi then congratulations -- your lax security just got one of your users hacked. And they don't even know how.

      It shouldn't cost $10/month to add SSL. I've got SSL on two websites right now and I haven't paid a dime for it. You can probably get a year free from your domain registrar or web host; if not there's StartSSL, there's self-signed certs, and there will soon be Let's Encrypt. Or you could just pay for the cert -- if your host/registrar wants $10/*month* for that, you need to find a new one. Should be $15/year at most. Try Gandi.net maybe. And it shouldn't take more than a few minutes to get the cert installed and configured. SSL isn't just for major corporations; it's cheaper than the cheapest web hosting, and it's just as easy to get configured.

  • (Score: 0) by Anonymous Coward on Thursday April 16 2015, @02:44AM

    by Anonymous Coward on Thursday April 16 2015, @02:44AM (#171330)

    The whole point of https everywhere in a post-Snowden world is so MitM can't snoop on your browsing habits. When was the last time you visited a news site that didn't have ads injected? Damn kids...

  • (Score: 1, Insightful) by Anonymous Coward on Thursday April 16 2015, @03:16AM

    by Anonymous Coward on Thursday April 16 2015, @03:16AM (#171346)

    Even worse, it breaks caching.

    A friend helped set up a squid farm for an entire nation's Internet traffic in Africa, since they only had a satellite link. If they are still on that setup, this breaks the Internet for all of Rwanda.

    And, even first world CDNs. So, you want to give a third party a valid certificate for your domain?!!!! It is the only way to get this to work.

    Even as broken as the trust model is, SSL provides protection against passive sniffing, but I don't think that is enough to justify breaking the Internet. If we are going to break the Internet, we should do better than encryption that any corrupt government like the US, China, UK, Russia, etc. or corrupt Corporation with access to a trusted rootCA cert / intermediateCA cert can circumvent if they can MiM you.