We've previously covered Mozilla considering a push to deprecate HTTP in favor of HTTPS. Well, it looks like the time is here. This HTTPS encrypted blogpost by Mozilla starts with
Today we are announcing our intent to phase out non-secure HTTP.
There's pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.
[...] There are two broad elements of this plan:
- Setting a date after which all new features will be available only to secure websites
- Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users' security and privacy.
[...] For example, one definition of "new" could be "features that cannot be polyfilled". That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities.
[More after the break]
This unencrypted blogpost raises good points against the move:
In conclusion: no, TLS certificates are not really free. Introducing forced TLS would create an imbalance between those who have the money and means to purchase a certificate (or potentially many certificates), and those who don't - all the while promoting a cryptosystem as being 'secure' when there are known problems with it. This is directly counter to an open web.
There are plenty of problems with TLS that need to be fixed before pressuring people to use it. Let's start with that first.
Other links: Hacker News thread on the Mozilla post, Hacker News thread for the rebuttal. The comment threads are interesting. Here's one excerpt from the second link:
There's one solution that the author didn't cover: Start treating self-signed certs as unencrypted. Then, deprecate http support over a multi-year phase out. That way, website owners who want to keep their status quo, can just add a self signed cert and their users will be none the wiser.
For https there are two major objectives. 1) Prevent MITM attacks. 2) Prevent snooping from passive monitoring. Self-signed certs can prevent #2, which the IETF has adopted as a Best Current Practice. I'm much more in favor of trying to at least do one of the two objectives of https, rather than refusing to do anything until we are able to do both objectives.
One other major argument against ridding ourselves of HTTP is pure performance: encryption is expensive, so why burn that power encrypting things that have no need to be encrypted?
The enforcing of HTTPS is something that has provoked discussion here in the past. Go crazy!
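The excerpted comment splits HTTPS into two objectives: stopping passive snooping, which any certificate (self-signed included) achieves, and stopping an active man-in-the-middle, which needs a certificate the client can chain to something it trusts. The script below, an added example that is not part of the story or the linked posts, runs the three handshakes in-process against a local server so the difference is observable. It assumes the `openssl` command-line tool is installed (used only to mint a throwaway self-signed certificate for "localhost"); the server, port numbers and payload are all constructed locally.

```python
"""Show what a self-signed certificate does and does not buy a TLS client.
Added example, not from the thread. Assumes the `openssl` CLI is on PATH."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

PAYLOAD = b"hello over TLS"  # constructed application data the server sends


def make_self_signed(directory, cn="localhost"):
    """Create a throwaway self-signed key/cert pair (assumption: openssl CLI present)."""
    key = os.path.join(directory, "key.pem")
    crt = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={cn}", "-addext", f"subjectAltName=DNS:{cn}",
         "-keyout", key, "-out", crt],
        check=True, capture_output=True,
    )
    return key, crt


def serve_one(certfile, keyfile):
    """Start a TLS server on an ephemeral loopback port that serves exactly one
    connection, sends PAYLOAD and exits. Returns the port number."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def run():
        try:
            conn, _ = listener.accept()
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(PAYLOAD)
        except OSError:
            pass  # the client aborted the handshake because it rejected our certificate
        finally:
            listener.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def connect(port, verify, cafile=None):
    """Handshake with the local server and return (status, received bytes).
    verify=True behaves like a browser: the certificate must chain to a trust anchor
    (the system store, or `cafile` if given) and carry a matching hostname.
    verify=False accepts any certificate: the bytes on the wire are still encrypted,
    but an active attacker could present its own key and the client would not notice."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    if verify:
        if cafile:
            ctx.load_verify_locations(cafile)
        else:
            ctx.load_default_certs()
    else:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                return "encrypted", tls.recv(64)
    except ssl.SSLCertVerificationError:
        return "rejected", b""


def run_demo():
    """Run the three handshakes and report what each one achieved."""
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed(tmp)
        return {
            # objective 2 only: confidentiality against a passive observer
            "self_signed_unverified": connect(serve_one(crt, key), verify=False),
            # browser behaviour: a self-signed cert chains to nothing trusted, so refused
            "self_signed_vs_system_cas": connect(serve_one(crt, key), verify=True),
            # the operator's own cert pinned as trust anchor: both objectives met
            "self_signed_pinned": connect(serve_one(crt, key), verify=True, cafile=crt),
        }


if __name__ == "__main__":
    for name, (status, data) in run_demo().items():
        print(f"{name}: {status} {data!r}")
```

The middle case is what a browser shows as a certificate error today; the comment's proposal amounts to treating that outcome like the first case (encrypted but unauthenticated) rather than as a hard failure. The third case is the "pinned" model: the same self-signed certificate becomes fully trustworthy once the client has a copy of it out of band.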
(Score: 3, Insightful) by Mr Big in the Pants on Wednesday May 06 2015, @12:43AM
I wonder this also.
While I appreciate their bravery, without a consensus or majority this will kill them off for sure, which I doubt they will be able to justify.
It brings to mind that scene in movies where the geeky person turns to his friends and shouts "who's with me!?" and no one follows...so they quickly shut up and fall back in line.
I predict this happening unless one of the other major players joins them.
(Score: 0) by Anonymous Coward on Wednesday May 06 2015, @12:48AM
Here in the real world, everyone agrees to follow, but no one follows. Because in reality, everyone is a liar.
(Score: 3, Funny) by looorg on Wednesday May 06 2015, @12:52AM
I'm sure all your Facebook and Twitter friends will like and retweet it ... That is almost as good, isn't it?
(Score: 2) by Mr Big in the Pants on Wednesday May 06 2015, @02:09AM
Oh they follow, it is just meaningless.
I mean how many people read all the tweets on their feeds?
If you follow someone on twitter but never bother to read the tweets what exactly does that mean apart from a number on a webpage?
(Score: 2) by frojack on Wednesday May 06 2015, @01:07AM
I predict this happening unless one of the other major players joins them.
I don't discount that possibility. I could easily see Microsoft or Google jumping on this bandwagon.
I doubt the increased computer cycles for encryption are significant.
Maybe Mozilla and/or the Domain Registrars should be forced to hand them out certificates for free.
Deep down, I suspect this is not about spying or privacy at all, but rather about control, and Mozilla are being useful tools here.
No, you are mistaken. I've always had this sig.
(Score: 4, Informative) by juggs on Wednesday May 06 2015, @02:36AM
I think the EFF has the cost aspect covered with their Let's Encrypt effort https://letsencrypt.org/ [letsencrypt.org] - hopefully they can get their root CA included in OS and browser cert hives.
It's not live yet, but theoretically it seems no less valid than the current "basic" certs we see pushed out based on access to a particular email address @domain or some DNS record change / addition that the current CAs use for validation.
There is still the trust issue of course. If you are a Firefox user try Edit > Preferences > Advanced (tab) > Certificates (tab) > View Certificates (button) > Authorities (tab) - that's a very long list of certificate authorities to implicitly trust, particularly when you consider that those entities not only issue certificates, they can also issue intermediary CA status to other organisations who in turn issue certificates.
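The same implicit-trust list can be inspected programmatically. The script below is an added example, not something from the thread; it reads the CA bundle that Python's `ssl` module loads by default (the OpenSSL/platform store, so the count will differ from Firefox's bundled list), groups the roots by organisation and flags any that expire within five years. The `SAMPLE_CERTS` entries are constructed so the functions can be exercised without a live store.

```python
"""Summarise the root CAs a TLS client trusts implicitly. Added example, not from the thread."""
import datetime
import ssl

UTC = datetime.timezone.utc
# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns; not real CAs.
SAMPLE_CERTS = [
    {
        "subject": ((("countryName", "US"),), (("organizationName", "Example Trust"),),
                    (("commonName", "Example Root CA"),)),
        "issuer": ((("countryName", "US"),), (("organizationName", "Example Trust"),),
                   (("commonName", "Example Root CA"),)),
        "notAfter": "Jan  1 00:00:00 2040 GMT",
    },
    {
        "subject": ((("organizationName", "Example Trust"),),
                    (("commonName", "Example Intermediate"),)),
        "issuer": ((("organizationName", "Example Trust"),),
                   (("commonName", "Example Root CA"),)),
        "notAfter": "Jan  1 00:00:00 2017 GMT",
    },
]
SAMPLE_NOW = datetime.datetime(2015, 5, 6, tzinfo=UTC)  # the story's date, for the sample


def subject_to_dict(name_tuple):
    """Flatten an ssl-style X.509 name (((key, value),), ...) into {attribute: value}."""
    return {key: value for rdn in name_tuple for key, value in rdn}


def is_self_issued(cert):
    """Genuine roots sign themselves: subject and issuer carry the same name."""
    return subject_to_dict(cert["subject"]) == subject_to_dict(cert["issuer"])


def summarize_trust_store(certs=None, now=None):
    """Group trusted CA certificates by organisation and flag those expiring within
    five years. `certs` defaults to the live system store loaded by ssl."""
    if certs is None:
        certs = ssl.create_default_context().get_ca_certs()
    now = now or datetime.datetime.now(UTC)
    by_org = {}
    expiring_soon = []
    for cert in certs:
        subject = subject_to_dict(cert["subject"])
        cn = subject.get("commonName", "?")
        org = subject.get("organizationName", cn)
        by_org.setdefault(org, []).append(cn)
        # notAfter is the OpenSSL text form, e.g. "Jan  1 00:00:00 2040 GMT"
        not_after = datetime.datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), UTC)
        if not_after - now < datetime.timedelta(days=5 * 365):
            expiring_soon.append(cn)
    return {
        "count": len(certs),
        "self_issued_roots": sum(1 for c in certs if is_self_issued(c)),
        "organizations": by_org,
        "expiring_within_5y": expiring_soon,
    }


if __name__ == "__main__":
    live = summarize_trust_store()
    print(f"{live['count']} trusted CA certificates from "
          f"{len(live['organizations'])} organisations "
          f"({live['self_issued_roots']} self-issued roots)")
    for org, names in sorted(live["organizations"].items()):
        print(f"  {org}: {len(names)}")
```

Every entry in that list can vouch for any hostname, and any of them can delegate that power to a subordinate CA that never appears in the viewer, which is the point the comment is making.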
(Score: 2, Informative) by ncc74656 on Wednesday May 06 2015, @02:14PM
Free certificates are already available. I've gotten mine from StartSSL [startssl.com]. They cover one subdomain each (so I need separate certificates for webmail.alfter.us and ttrss.alfter.us, for instance), but you can request as many as you want AFAICT. Google turns up a few other options [google.com].