Phoronix reports the Mozilla Security Engineering team is planning to make their browser useless for browsing much of the World Wide Web, by deprecating insecure HTTP.
Richard Barnes of Mozilla writes:
In order to encourage web developers to move from HTTP to HTTPS, I would like to propose establishing a deprecation plan for HTTP without security. Broadly speaking, this plan would entail limiting new features to secure contexts, followed by gradually removing legacy features from insecure contexts. Having an overall program for HTTP deprecation makes a clear statement to the web community that the time for plaintext is over -- it tells the world that the new web uses HTTPS, so if you want to use new things, you need to provide security.
See also this document outlining the initial plans.
(Score: 2) by urza9814 on Wednesday April 15 2015, @06:42PM
If you don't want them to be rejected, install them onto the local system so they are trusted. That is the only secure option. Making the browser blindly accept self-signed certs doesn't just affect sites using self-signed certs; it makes every single website highly susceptible to MITM attacks. It defeats the entire purpose of having SSL. I don't want my bank becoming insecure just so you can pretend your personal website isn't.
You can get certs for free. Mozilla is working with the EFF and others to make this even easier with LetsEncrypt.org. I have two personal websites which use SSL right now. I actually am not really using either of them yet, I just enabled SSL because it seemed like a good idea. It didn't cost me a single cent to do so, and only took about thirty minutes of my time. Get a free cert, drop the certs on the server, and change five or ten lines of the apache config. I've got two domains, two SSL certs, and six virtual servers all for $30/year so far. You could pay for that by picking bottles up off the sidewalk.
CAs that don't properly validate the certs they're issuing tend to get removed from browsers. Look at what happened recently with CNNIC. They were caught issuing crappy certs, and Mozilla (and others) removed them as a CA because of it.
Correct. But Mozilla is working not only to require that encryption, but also to provide that encryption and to verify that encryption. And they aren't the only ones doing so. They've been working to push implementation of properly secured connections for a while already, and this shows that they intend to continue doing so for years to come.
It seems like Mozilla has already thought of and solved all these problems. I'm not entirely sure about their UI team, but the rest of them do seem to know what they're doing. :)
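As an added illustration of the "five or ten lines of the apache config" the comment above mentions (this is not the commenter's own configuration), the following is a minimal Apache 2.4 pair of virtual hosts: the port 80 host redirects every plaintext request to HTTPS, and the port 443 host serves the site with a CA-issued certificate. The hostname `example.org`, the document root, and the certificate and key paths are placeholders; a site with several domains repeats the pair once per domain with its own certificate.

```apacheconf
# Added example, not the commenter's config. Requires mod_ssl and mod_headers
# (a2enmod ssl headers). Hostnames and file paths below are placeholders.

<VirtualHost *:80>
    ServerName example.org
    ServerAlias www.example.org
    # Send every plaintext request to the HTTPS site; 301 lets clients cache it
    Redirect permanent / https://example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    DocumentRoot /var/www/example.org

    SSLEngine on
    # Certificate and private key issued by a publicly trusted CA
    # (for example Let's Encrypt); on Apache 2.4.8+ the certificate file may
    # contain the leaf followed by the intermediate chain
    SSLCertificateFile    /etc/ssl/certs/example.org.fullchain.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key

    # Refuse the legacy protocol versions; keep only TLS 1.2 and newer
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # HSTS: browsers that have seen this header will not retry plain HTTP
    # for this host until max-age expires
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Two practical notes: check the syntax with `apachectl configtest` before reloading, and treat the HSTS header as a one-way door. Once a browser has cached `max-age=31536000` (one year) it will refuse plain HTTP for that host, so deploy it only after confirming the HTTPS site works for every subdomain covered by `includeSubDomains`, starting with a short `max-age` if you want room to back out.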