
SoylentNews is people

posted by CoolHand on Wednesday April 15 2015, @04:52AM
from the it's-the-end-of-the-web-as-we-know-it-and-i-feel-fine dept.

Phoronix reports the Mozilla Security Engineering team is planning to make their browser useless for browsing much of the World Wide Web, by deprecating insecure HTTP.

Richard Barnes of Mozilla writes:

In order to encourage web developers to move from HTTP to HTTPS, I would like to propose establishing a deprecation plan for HTTP without security. Broadly speaking, this plan would entail limiting new features to secure contexts, followed by gradually removing legacy features from insecure contexts. Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over -- it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security.

See also this document outlining the initial plans.

 
  • (Score: 0) by Anonymous Coward on Wednesday April 15 2015, @07:34AM (#170825)

    Before we saw what the NSA was doing, before Google announced that it would penalize sites for not using HTTPS, and recently, China injecting DDoS code into HTTP traffic, websites only supported HTTPS if they needed to. One of those reasons is that without SNI, certificates are only good for a specific address and port number.

    Because we like using standardized port numbers on the open Internet, and SNI support is poor for older web browsers and devices (smart phones, tablets, eReaders, etc.), you have to buy another IP address for each domain and subdomain. These cost anywhere from $1 to $5 per month for good reason. They are not plentiful. So the majority of domains share the IP address with dozens of other domains. Only 1 of that set can be configured for HTTPS (without SNI).

    Consider how many domains there are on the Internet. Consider how few of them currently support HTTPS. Consider that this difference requires IPv4 addresses for each domain and subdomain to properly support older browsers and devices. Even for domains that support HTTPS, not all of their subdomains support HTTPS. There are not enough IPv4 addresses to put every domain name, including subdomains if you do not use expensive wildcard certificates, on its own IPv4 address.

    Maybe Mozilla's plan is to put this requirement far enough into the future where non-SNI devices do not exist or need to browse the web anymore. But at that time, IPv6 will be widely deployed, and you are more likely to have replaced your obsolete IPv4-only WiFi router with an IPv6-capable one for the 802.11ac, 802.11n, or whatever, and if you have not already done that, it might be preferable to do that than throwing away older non-SNI devices, which may have locked DRM content still exclusively on them.