Phoronix reports the Mozilla Security Engineering team is planning to make their browser useless for browsing much of the World Wide Web, by deprecating insecure HTTP.
Richard Barnes of Mozilla writes:
In order to encourage web developers to move from HTTP to HTTPS, I would like to propose establishing a deprecation plan for HTTP without security. Broadly speaking, this plan would entail limiting new features to secure contexts, followed by gradually removing legacy features from insecure contexts. Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over -- it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security.
See also this document outlining the initial plans.
(Score: 2, Insightful) by anubi on Wednesday April 15 2015, @06:37AM
I have quite a few extremely simple embedded processors that have nowhere near the horsepower to encrypt. Its asking a lot of them just to serve up a simple HTTP page.
Think modem and printer setup over the network.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Wednesday April 15 2015, @08:03AM
You could probably install a web server on your computer that simply requests the page from your embedded hardware, wraps it in HTTPS and serves it to your browser.
Of course you also could just use another browser. I bet that's the path 99.9% of all people would choose.
OTOH, thinking about it, the web browser you use for surfing the web not being able to reconfigure your router probably adds security, since a malicious web site (or XSS) cannot simply disable your firewall that way.
(Score: 1) by anubi on Wednesday April 15 2015, @08:53AM
Interesting your concept of a https wrapping proxy server. Oughta work.
I currently have a lot of "toys" that use local ( 10.xxx.xxx.xxx and 162.168.xxx.xxx) addresses. These addresses do not route.
Most of my little Arduino and the like uses these addresses, serving up simple web pages, transferring files, and sending messages to each other.
One of the benefits of building the thing is that I get to assign any port I want along with what's in the payloads ( often just a C++ structure ).
However, for anything intended for "the big iron", I usually wrap it up in HTTP so I can see it on the browser instead of cryptically telnetting into the thing. There are a lot of tricks so a nice looking graphical interface does not cost that much more than an arcane text-only interface, and being HTTP is so standard, why not?
Even then, for my own stuff, I almost always send status displays over as http, but often accept commands via telnet. as the commands are short and sweet and I just want minimal overhead. like "$ST70" sent will set the temperature to 70.
Sure, I want HTTPS when I am dealing with money or critical infrastructure at a distance. I would just as soon keep the little thingie that tells me if the roast is done simple and on a local unroutable address. If I am going to instruct my air conditioner to turn on over the net, I would just as soon tell my PC about it over a secure link, then have the PC proxy the command over the local unroutable address to the little Arduino that turns the thermostat up or down.
What I am trying to say is I find the old protocols quite useful for simple stuff.
I am seeing stuff rapidly becoming so complex that its becoming quite difficult to "roll your own" interface, and it seems like its getting so everything I do on my own machine is going to have to be licensed , meaning I have to always be getting permission from someone else to do anything. That can get expensive!
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by urza9814 on Wednesday April 15 2015, @03:11PM
Well, as others have pointed out, this is being phased in over time so it will likely be years before you're forced to change anything.
But if you wanted to, I'd suggest you do what I do -- spend $50 and an hour of your time to set up Apache on a Raspberry Pi and proxy everything through there. It's low power, it's open, it doesn't tie up your laptop, and it'll let you secure your stuff enough that you *could* make it available from the internet should you ever want to. You can get the SSL certs for free, or just use self-signed.
I imagine by the time this is actually enforced on every website you'll be able to bake SSL certs into an Arduino sketch...
(Score: 2) by lentilla on Wednesday April 15 2015, @08:58PM
From the summary:
this plan would entail limiting new features to secure contexts
My reading is that your embedded devices will continue to work perfectly. You just won't be able to use snazzy new CSS features or HTML6. If your device doesn't have the power to serve HTTPS, it is unlikely to need advanced functionality that hasn't been invented yet.