
posted by CoolHand on Tuesday May 05 2015, @11:36PM
from the genius-or-lunacy dept.

We've previously covered Mozilla considering a push to deprecate HTTP in favor of HTTPS. Well, it looks like the time is here. This HTTPS-encrypted blog post by Mozilla starts with:

Today we are announcing our intent to phase out non-secure HTTP.

There's pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

[...] There are two broad elements of this plan:

  • Setting a date after which all new features will be available only to secure websites
  • Gradually phasing out access to browser features for non-secure websites, especially
    features that pose risks to users' security and privacy.

[...] For example, one definition of "new" could be "features that cannot be polyfilled". That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities.
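The gating described above hinges on a single question the browser answers for every page: is this origin a "secure context"? The following is an added example, not Mozilla's code, that classifies origins the way the W3C Secure Contexts rules do (https, wss and file schemes, plus localhost and loopback addresses count as potentially trustworthy) and then applies the post's polyfillable/non-polyfillable distinction. The feature table and the `featureAvailable` helper are assumptions for illustration, not Firefox's actual feature list.

```javascript
// Added example, not from the original page or from Mozilla.
// Classifies an origin as a secure context and gates hypothetical features on it.

// RFC 5735 loopback block: 127.0.0.0/8
const IPV4_LOOPBACK = /^127(\.\d{1,3}){3}$/;

// Returns true when the URL's origin is "potentially trustworthy" per the
// W3C Secure Contexts rules (encrypted transport, local file, or loopback).
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString); // WHATWG URL parser, global in Node and browsers
  } catch (e) {
    return false; // an unparsable URL never unlocks gated features
  }
  const scheme = url.protocol; // includes the trailing ':'
  if (scheme === "https:" || scheme === "wss:" || scheme === "file:") {
    return true;
  }
  // Plain http/ws is only trusted when it cannot leave the machine.
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (IPV4_LOOPBACK.test(host)) return true;
  if (host === "[::1]" || host === "::1") return true; // Node keeps the brackets
  return false;
}

// Hypothetical feature table mirroring the post's criterion: a feature a page
// could reproduce on its own (e.g. via <canvas>) stays available over HTTP;
// a qualitatively new capability requires a secure context.
const FEATURES = {
  "css-transitions": { polyfillable: true },
  "canvas-2d":       { polyfillable: true },
  "geolocation":     { polyfillable: false },
  "webusb":          { polyfillable: false },
};

// Decides whether `feature` may be exposed to a page loaded from `pageUrl`.
function featureAvailable(feature, pageUrl) {
  const entry = FEATURES[feature];
  if (!entry) throw new Error(`unknown feature: ${feature}`);
  return entry.polyfillable || isPotentiallyTrustworthy(pageUrl);
}

// Constructed sample: what a plain-HTTP site keeps versus what it loses.
for (const f of Object.keys(FEATURES)) {
  console.log(f, "on http://example.org ->", featureAvailable(f, "http://example.org/"));
}
```

Note that `http://localhost` is treated as secure while `http://example.org` is not: the distinction is about whether the bytes can be observed or altered in transit, not about the scheme string alone, which is why a developer's local test server keeps working under such a policy.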


This unencrypted blog post raises good points against the move:

In conclusion: no, TLS certificates are not really free. Introducing forced TLS would create an imbalance between those who have the money and means to purchase a certificate (or potentially many certificates) and those who don't, all the while promoting a cryptosystem as being 'secure' when there are known problems with it. This is directly counter to an open web.

There are plenty of problems with TLS that need to be fixed before pressuring people to use it. Let's start with that first.

Other links: Hacker News thread on the Mozilla post, Hacker News thread for the rebuttal. The comment threads are interesting. Here's one excerpt from the second link:

There's one solution that the author didn't cover: start treating self-signed certs as unencrypted. Then, deprecate HTTP support over a multi-year phase-out. That way, website owners who want to keep their status quo can just add a self-signed cert and their users will be none the wiser.
For HTTPS there are two major objectives. 1) Prevent MITM attacks. 2) Prevent snooping from passive monitoring. Self-signed certs can prevent #2, which the IETF has adopted as a Best Current Practice. I'm much more in favor of trying to at least do one of the two objectives of HTTPS, rather than refusing to do anything until we are able to do both objectives.

One other major argument against ridding ourselves of HTTP is pure performance: encryption is expensive, so why burn that power encrypting things that have no need to be encrypted?

The enforcing of HTTPS is something that has provoked discussion here in the past. Go crazy!

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 06 2015, @12:41AM (#179314)

    HTTP is a good business-based internal standard. With WAAS compressing the data stream of redundant information, Firefox will be dropped like a hot potato.

    OR...

    Does SSL have a hole? So that traffic just looks encrypted from the user's point of view, but is fully readable? Otherwise how will businesses filter out p0rn, g4ambling sites and the rest plus recover bandwidth???

    OR...

    Can I create a cert that is all 0x00 like the older XOR "encryption"??? So it is encrypted with nothing?
    ===========
    Staring at my belly button.

  • (Score: 0) by Anonymous Coward on Wednesday May 06 2015, @04:33AM (#179389)

    Does SSL have a hole?

    I am betting on this explanation.

    Or maybe they also want to kill off independent providers who do not have access to HTTPS, or will not be "sold" certificates based on their affiliation with certain groups, people, or ideologies. Or at least they want to put doubt in people's minds about HTTP being like HIV and something that should be avoided.

    Sure, HTTP is not safe from MITM attacks, but what if in an emergency you decide to set up a website and people cannot reach it because their browser won't let them? Or if you use a self-signed certificate and the browser throws errors and won't let the viewer see the website? Small problems like these.

    • (Score: 2, Interesting) by Anonymous Coward on Wednesday May 06 2015, @06:58AM (#179412)

      My version is that Google somehow uses SSL keys to track sessions. No evidence, but the push to "encrypt" everything with keys someone else has is suspicious to say the least.