
posted by CoolHand on Wednesday April 15 2015, @04:52AM
from the it's-the-end-of-the-web-as-we-know-it-and-i-feel-fine dept.

Phoronix reports the Mozilla Security Engineering team is planning to make their browser useless for browsing much of the World Wide Web, by deprecating insecure HTTP.

Richard Barnes of Mozilla writes:

In order to encourage web developers to move from HTTP to HTTPS, I would like to propose establishing a deprecation plan for HTTP without security. Broadly speaking, this plan would entail limiting new features to secure contexts, followed by gradually removing legacy features from insecure contexts. Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over -- it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security.

See also this document outlining the initial plans.

(Score: 2) by urza9814 (3954) on Wednesday April 15 2015, @06:42PM (#171120)

> The problem is there is the push to reject self-signed certificates.

    If you don't want them to be rejected, install them onto the local system so they are trusted. That is the only secure option. Making the browser blindly accept self-signed certs doesn't just affect sites using self-signed certs; it makes every single website highly susceptible to MITM attacks. It defeats the entire purpose of having SSL. I don't want my bank becoming insecure just so you can pretend your personal website isn't.

> Forcing https on the masses will increase the costs for anyone to run a server on the web and put too much control in CAs.

    You can get certs for free. Mozilla is working with the EFF and others to make this even easier with LetsEncrypt.org. I have two personal websites which use SSL right now. I actually am not really using either of them yet, I just enabled SSL because it seemed like a good idea. It didn't cost me a single cent to do so, and only took about thirty minutes of my time. Get a free cert, drop the certs on the server, and change five or ten lines of the apache config. I've got two domains, two SSL certs, and six virtual servers all for $30/year so far. You could pay for that by picking bottles up off the sidewalk.

> There is also the likely side effect of making things more insecure as certificate issuers may become less rigorous, creating a false sense of trust.

    CAs that don't properly validate the certs they're issuing tend to get removed from browsers. Look at what happened recently with CNNIC. They were caught issuing crappy certs, and Mozilla (and others) removed them as a CA because of it.

> The use of encryption does not mean things are more secure.

    Correct. But Mozilla is working not only to require that encryption, but also to provide that encryption and to verify that encryption. And they aren't the only ones doing so. They've been working to push implementation of properly secured connections for a while already, and this shows that they intend to continue doing so for years to come.

    It seems like Mozilla has already thought of and solved all these problems. I'm not entirely sure about their UI team, but the rest of them do seem to know what they're doing. :)

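The distinction the comment draws, between a browser blindly accepting any self-signed certificate and an operator explicitly installing one as a local trust anchor, can be shown with OpenSSL's verifier. The script below is an added example, not code from the comment, the thread, or Mozilla; it assumes the `openssl` binary is on PATH and uses a placeholder hostname (`example.internal`) and a throwaway key that it generates and deletes itself.

```shell
#!/bin/sh
# Added example (constructed, not from the original thread): contrast a
# self-signed certificate that nothing trusts with the same certificate
# installed as an explicit local trust anchor. Assumes OpenSSL is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Mint a throwaway self-signed certificate for a placeholder host name.
# Prints the path of the certificate file.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example.internal" \
        -keyout "$WORK/site.key" -out "$WORK/site.crt" >/dev/null 2>&1
    printf '%s\n' "$WORK/site.crt"
}

# With no trust anchor for it, the verifier must reject the certificate.
# Returns 0 when verification fails as expected, 1 if it wrongly succeeds.
# Blindly accepting here is exactly the MITM exposure the comment warns about.
verify_without_anchor() {
    if openssl verify "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# The same certificate, now installed as the trust anchor (-CAfile), verifies.
# This is the "install it onto the local system" option: trust is explicit,
# scoped to this one certificate, and every other site keeps full validation.
verify_with_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

CERT=$(make_selfsigned_cert)
if verify_without_anchor "$CERT"; then
    echo "no trust anchor: rejected (correct)"
fi
if verify_with_anchor "$CERT"; then
    echo "pinned as local anchor: accepted"
fi
```

The same explicit-trust model applies to clients: `curl --cacert site.crt https://example.internal/` trusts that one certificate for that one connection without loosening validation for any other host, which is the opposite of a global "accept self-signed" switch.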