We've previously covered Mozilla considering a push to deprecate HTTP in favor of HTTPS. Well, it looks like the time is here. This HTTPS encrypted blogpost by Mozilla starts with
Today we are announcing our intent to phase out non-secure HTTP.
There's pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.
[...] There are two broad elements of this plan:
- Setting a date after which all new features will be available only to secure websites
- Gradually phasing out access to browser features for non-secure websites, especially
features that pose risks to users' security and privacy.[...] For example, one definition of "new" could be "features that cannot be polyfilled". That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities.
[More after the break]
This unencrypted blogpost raises good points against the move:In conclusion; no, TLS certificates are not really free. Introducing forced TLS would create an imbalance between those who have the money and means to purchase a certificate (or potentially many certificates), and those who don't - all the while promoting a cryptosystem as being 'secure' when there are known problems with it. This is directly counter to an open web.
There are plenty of problems with TLS that need to be fixed before pressuring people to use it. Let's start with that first.
Other links: Hacker News thread on the Mozilla post, Hacker news thread for the rebuttal. The comment threads are interesting. Here's one excerpt from the second link:
There's one solution that the author didn't cover: Start treating self-signed certs as unencrypted. Then, deprecate http support over a multi-year phase out. That way, website owners who want to keep their status quo, can just add a self signed cert and their users will be none the wiser.
For https there are two major objectives. 1) Prevent MITM attacks. 2) Prevent snooping from passive monitoring. Self-signed certs can prevent #2, which the IETF has adopted as a Best Current Practice. I'm much more in favor of trying to at least do one of the two objectives of https, rather than refusing to do anything until we are able to do both objectives.
One other major argument against ridding ourselves of HTTP is pure performance, encryption is expensive, and why burn that power encrypting things that have no need to be encrypted.
The enforcing of HTTPS is something that has provoked discussion here in the past. Go crazy!
(Score: 2) by coolgopher on Wednesday May 06 2015, @07:24AM
No, the CA only signs your Certificate Signing Request (CSR) data, which includes the public key, not the private one. Of course, some (many?) CAs provide convenience generation where they prepare both your keys and CSR for you, though the better ones do it purely in JavaScript in your browser, so the private key never reaches their servers.
The bigger issue is that they can happily provide another certificate for your domain to government agency of choice, allowing them to impersonate you with impunity. This is the part that needs a proper solution. Perhaps DNSSEC is part of that, I honestly don't know. It needs to be fixed though, as the current hierarchical model has been shown time and time again to not provide much trust at all. Wasn't it just last month that one of the larger Chinese CAs got caught out?
(Score: 3, Informative) by FatPhil on Wednesday May 06 2015, @01:48PM
Yes. At the time, I was thinking "wasn't it only recently that it happened to ... too?" and did a little bit of hunting. To my shock, there had been about half a dozen incidents between the one I remembered and the current one. (I looked at the MS security update for the china one - it came bundled with the other recent fixes, just so you didn't miss them.) Shockingly, between china and the one I remember had been *2* Comodo incidents, IIRC. (I think they were the first big-name fuck-up years back.)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves