Mozilla Begins To Move Towards HTTPS-Only Web
jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.
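An added illustration of the two mechanisms the summary relies on, HSTS and the CSP upgrade-insecure-requests directive (this is example code written for this page, not Mozilla's implementation). It models the browser-side rewrite: an http:// URL is fetched as https:// when the host has a live HSTS entry, or when the embedding document was served with upgrade-insecure-requests. Host names, headers and the fixed clock are constructed; the HSTS parsing follows RFC 6797 (a header without a valid max-age is ignored, max-age=0 deletes the entry, includeSubDomains covers child labels).

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Minimal HSTS store: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._entries = {}

    def observe(self, host, sts_header):
        """Process a Strict-Transport-Security header received over HTTPS.
        A header without a valid max-age is ignored; max-age=0 deletes."""
        max_age = None
        include_sub = False
        for directive in sts_header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return
            elif name == "includesubdomains":
                include_sub = True
        host = host.lower()
        if max_age is None:
            return
        if max_age <= 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = (self._now() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or an ancestor with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > self._now() and (i == 0 or include_sub):
                return True
        return False


def upgrade_if_needed(url, hsts, csp_header=""):
    """Return the URL the browser would actually fetch.

    http:// becomes https:// when the host is an HSTS host or the document's
    CSP contains upgrade-insecure-requests. An explicit port 80 becomes 443;
    any other explicit port is left alone.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    directives = {d.strip().lower() for d in csp_header.split(";")}
    if not (hsts.is_known(parts.hostname or "")
            or "upgrade-insecure-requests" in directives):
        return url
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc[: netloc.rfind(":")] + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("example.com", "max-age=31536000; includeSubDomains")
    print(upgrade_if_needed("http://www.example.com/app.js", cache))
    print(upgrade_if_needed("http://cdn.example.org/app.js", cache,
                            "default-src 'self'; upgrade-insecure-requests"))
```

The point the summary makes is visible here: legacy http:// links in content keep working, because the rewrite happens before the request leaves the browser, but only once the site has opted in via HSTS (remembered from a previous HTTPS visit) or via the CSP directive on the page that embeds the resource.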
More wildcard certs for me to buy.
If my website just serves up public data that I don't care about the government seeing, you're going to disable new features on it anyway? Seems a bit extreme.
== Jez ==
Do you miss Firefox? Try Pale Moon.
First, you introduce "features" like https://bugzilla.mozilla.org/show_bug.cgi?id=435013 and then you want to block the rest of pages the mighty Mozilla Security Council does not approve?? Get stuffed.
When I hear that Mozilla is removing http
No more http://slashdot.org?
So where does that leave home users who use self encrypted certificates? These are currently untrusted and I'm not paying a big chunk of money for the little server I run that my friends and I use to collaborate.
phase out non-secure HTTP to prefer HTTPS instead
The "non-secure" describes the "more-secure HTTPS" also, because the "less-secure HTTP" did not become "secure" just because an "S" (and some other things...) was added.
Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, i am (slightly...) better with my Greek!
If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.
So Mozilla you do not want me to use your browser? You are going to cripple your browser for your perceived 'better' agenda.
This HTTP website is best viewed with...
IE >= 11
Chrome >= 42
Firefox <= 37
A lot of content out there is benign, or crackable - what you want to make sure of is that you're connecting to the site you intended, and that the content you're getting is what's intended. What the content actually IS (cat memes) can be less important.
Two years after Snowden's revelations we're seeing a reality come to pass. After the NSA swept its most damning indictments under the rug, after Congress gave a sigh and a shrug and stifled a syrupy belch from the afternoon's filet mignon lunch, we still see this change. After the TV spotlights were turned back to fashion trends, civil unrest, diet pills and other nonesuch, this persisted despite the best effort. And it's extremely unfortunate.
Instead of watching discourse spread and meaningful legislation come to pass we're watching a largely uninformed electorate occasionally mistake Snowden for Assange on national television, and the elected officials charged with our protection bungle through bills that don't really do much of anything. We're seeing the alternative that no nation wants, and that alternative is a two-tier us-versus-them system in which groups of dedicated hackers fight back. It sets the stage for good-versus-bad and the determinant for this assertion to eventually become the existence of crypto or passwords and one's general willingness to divulge them in the face of overwhelming yet unconstitutional authoritarian presence.
Expect three-letter government organizations to get frustrated, and angry, very quickly. Aaron Swartz was a prime example of how, in the future, citizens who act to protect themselves with crypto and security will face the bureaucratic version of biblical retribution in the form of endless charges, indefinite espionage, and a litany of convictable offenses that would result in a lifetime of imprisonment for anyone who dares not to divulge their password.
Good people go to bed earlier.
Oh, wait, I would get popcorn, but the UK blocked popcorn. Piracy apparently. Who knew?
There's still no opportunistic encryption in HTTPS. Does that mean I'm going to have to buy a TLS certificate for my printer every year?
we're conflating encryption with identity.
By requiring HTTPS, you are not just requiring encryption, but identity proof as well. Why don't we tone down the whole "SELF SIGNED CERTS ARE EVIL" messages that all the browsers keep telling users. That way we can promote encryption.
Nothing really gets removed when there are extensions. I already have one that adds Gopher; one for HTTP won't take too long.
Not likely....they'd probably just add Firefox to their "unsupported browsers" list....now, if EVERY browser did this, that's another story...
I fully support this proposal. In addition to APIs, I'd like to propose prohibiting caching any resources loaded over insecure HTTP, regardless of Cache-Control header, in Phase 2.N. The reasons are:
1) MITM can pollute users' HTTP cache, by modifying some JavaScript files with a long time cache control max-age.
2) It won't break any websites, just some performance penalty for them.
3) Many website operators and users avoid using HTTPS, since they believe HTTPS is much slower than plaintext HTTP. After deprecating HTTP cache, this argument will be more wrong.
I'm sure the users will appreciate the extra traffic!
I can see 1 being a thing, but 2 is a penalty for the end-user on metered connections, and 3 is an argument for "Mozilla is much slower than [insert browser here]".
Mozilla used to be the Savior of the Web. But after these last few years, I fear they've lost that role.
The UI changes to Firefox were totally unwanted, and have pretty much killed it as a product. Its share of the market keeps dropping and dropping. When we look at global web browser usage stats like these, we see that Firefox is now maybe 10% of the market, if even that. Chrome for Android alone, Chrome 41 alone and Chrome 40 alone each have about the same or more users than all versions of Firefox. Heck, even IE 11 alone and Safari have about the same number of users these days.
Mozilla has also engaged in numerous other half-arsed efforts, like Firefox OS and Persona, that nobody wants. Every review I've seen of Firefox OS has been negative. Nobody likes it, and nobody wants it, even the third-worlders they've had to resort to targeting it to. With Android, iOS, and so many other alternatives that are so much better, why the heck would anyone sensible use Firefox OS? The only reason to use it is to try to conform with some weird fringe ideology that worships HTML5/JS/CSS above all else, even above usable, working applications.
Then there was the whole Eich debacle. Regardless of your stance, it's pretty disgusting that somebody had to lose his job merely because of his beliefs regarding same-sex marriages. It would be considered unacceptable if a homosexual was forced out of a job for supporting same-sex marriage, and it should be considered just as unacceptable if a heterosexual was forced out of a job for not supporting same-sex marriage. This is no place for hypocrisy or double standards.
Now there's this shit that will cause headaches and problems for so many Web users.
We need a new organization to save us, and the Web, from Mozilla. We need an organization that will put out a usable browser. We need an organization that focuses on doing what's right, and what the Web community wants, rather than what it wants. We need an organization that will listen and respect its users, rather than trampling on them and ignoring their pleas. We need a new Savior, and we need it now.
My bank still insists on using RC4 ciphers and TLS 1.
You should find another bank.
I bet more money on your bank telling you to use Internet Explorer than on it actually doing anything to change their weak cipher.
The bank's response: who needs Firefox, our site works great in IE6!
A false sense of security is worse than no security. On an http site you know anyone could be viewing and tampering with your data. Deal with it. On a plain https site your best bet is to assume the same.
...now, if EVERY browser did this, that's another story...
Well, I've put in a similar request with Chrome.
I hope they give a setting choice similar to:
* Block all non-HTTPS sites
* Prompt on all non-HTTPS sites (view/no-view confirmation, perhaps with a "remember choice for this site" option.)
* Automatically allow all non-HTTPS sites, with a yellow warning bar and disabling of JavaScript.
* Automatically allow all non-HTTPS sites, with a yellow warning bar.
* Automatically allow all non-HTTPS sites, withOUT a warning bar.
(There may be a way to simplify this by putting some of the questions in the warning bar.)
Mozilla has gotten brazen lately about forcing questionable changes on users in the name of progress (per their view of "progress"). This includes forced tabs*, goofy search bar "split" (eventually fixed), and disabling "back" on POST forms (instead of prompting). They gave very round-about and fishy reasons for all 3 of these.
* Fortunately somebody created a "Hide tab bar for 1 tab" addon. Thank You, Fixers!
Table-ized A.I.
Unintended Affordances (or why I believe encrypting everything is a bad idea) is worth a read on this.
I am not sure I agree on every point, but it's a well thought out post.
HTTP needs to be phased out, but that doesn't mean everything needs to be encrypted. A lot of sites serve static content that's not a secret to anyone. Even in an encrypted stream, the contents of static files isn't really a secret. What you don't want is some man in the middle intercepting your request for some static file and responding with something malicious like the Great Cannon.
If static content were signed with the server's cert, its authenticity could be verified more cheaply than with HTTPS. This would also leave open the possibility for network caching, which benefits hosts, ISPs, and reduces traffic on the entire route. You'd want the content signing to cover the HTTP headers, and probably require an "expires" header.
With this approach, you could red flag all HTTP traffic as insecure, and signed traffic could be shown as normal.
Trying to mix content is more of a problem. It may be possible to securely deliver HTTPS dynamic content mixed with just-signed static content, but that'd probably get screwed up too often to leave that option open.
Okay, but if you're going to do that, you might want to throw out all the incredibly dire warnings about self-signed certificates. Nobody should be forced to pay a cartel for SSL certificates.
Instead, throw out the dire warnings when the self-signed certificates aren't correct, such as when it changes.
Either that, or they put up a notice saying "You are using an incompatible browser. Please update to Internet Explorer 6".
What about the fucking ipv6+ipsec deal?
That's what this is plain and simple. They are leveraging their power to affect unrelated change by force.
Doesn't matter what you think about the cause.. ends still don't justify means.
Security (ignoring for a moment endless stream of browser vulnerabilities placing users in harms way) is orthogonal to browser features for the simple and obvious reason organized criminals and stalkers (e.g. multi-billion dollar market intelligence firms) can obtain certificates just as easily as you or I. Just because a site is secure does NOT mean users have any reason to trust it... all cross domain policy needs to be able to withstand this reality.
They seem to be conflating some issues here. There is nothing at all about https that guarantees security. (There is some argument to be made about it keeping credentials secure, but that is really still just keeping them private). Security tends to be more about the content and whether it is serving some malware attacking flash, java, the odd browser exploit, etc. So what would https everywhere have to do with that? Will advertisers immediately start screening their content better so they aren't serving you exploits? No. They will just whine about the extra cost to them of using https and then lay off a couple of the screeners to make up for the difference.
HTTPS is all well and good, but the certificate situation is just a mess. Currently, essentially any CA can issue a certificate for any website anywhere. That means that every time you surf, you are placing your trust in literally hundreds of CAs.
Meanwhile, self-signed certificates bring up horrendous warnings, or are simply refused. The chance of verifying a self-signed certificate (for example, getting the fingerprint via another channel) are a lot better than the chance of verifying that some random CA hasn't been bribed or pressured.
Can we please fix this mess, along the way to making HTTPS standard?
Enjoy life! This is not a dress rehearsal.
Wireshark is a useful debugging tool. The ability to snap off encryption to analyze things at the wire is a lifesaver.
That said, if I'm debugging something a browser is doing, the developer console is usually better anyway. There remains the case where you are trying to debug a tester's experience without access to their browser, but the scenarios where that is true *and* it would be a good idea to disable TLS are limited. Being able to disable encryption is more important for clients that aren't so developer-enabled.
XML is like violence. If it doesn't solve the problem, use more.
That is what this is about. Mozilla no longer wants individuals to be allowed to run web servers. They're allowing only large corporations with large budgets that can afford to buy all of these "keys" to run web sites. They hate us and want us to have no voice. As always, people that want to commit genocide always take the voice of their victims away before killing them. That is what all of the dictators do before they start the killing. Mozilla is assisting in that. They want us to die.
While TLS *could* be secure, I've been in too many discussions where it is assumed to be the only way to be secure and that it is secure in spite of the current state of CAs and the practical behavior of internal servers with respect to certificates.
There really needs to be more critical discussion along this front, as I see quite reasonable security strategies that fare well in the *real* world torn up and replaced with TLS because of an idealized view of how it could be implemented.
XML is like violence. If it doesn't solve the problem, use more.
Doesn't that depend on the configuration and purpose? If the HTTP server's running on my own machine and the URL is "http://localhost/...", am I automatically insecure because I can't get an SSL certificate for "localhost"? And how would an attacker not already on my machine exploit this?
If I can't test the full capabilities of a Web site because the browser won't let me, I'm going to have to switch browsers and relegate Firefox to testing-only just like IE is currently.
There are still plenty of clients out there that support neither SNI nor IP6, so the implication of everyone going to SSL is that everyone needs a static IP4 address. That sounds unsustainable to me.
It would be nice if they focused on fixing the certificate authority structure by supporting DANE, using DNS records to indicate certificates. Even though there is plenty of interest at https://bugzilla.mozilla.org/s... , Mozilla doesn't seem interested in solving this problem:
https://bugzilla.mozilla.org/s...
Thanks, Mozilla, for yet another reason to stop using Firefox.
So sad, but so very true.
Can't upgrade since it causes me to be locked out of the Windows domains at work if I go to 37.
[John]
Shit better not happen!
Small ARM chips can run HTTPS just fine for the handful of connections they need. It's not that heavyweight.
Here's some more of opensource removing or censoring those opposed to social justice:
http://whatwillweuse.com/fodder/terrorware/
http://esr.ibiblio.org/?p=1310
Removed story URL: http://www.phoronix.com/scan.php?page=news_item&px=ChaosEsqueAnthology-Rel-51
http://www.phoronix.com/forums/showthread.php?115776-Xonotic-Forked-ChaosEsqueAnthology-Sees-New-Release/page2
"Fortunately, the article has been removed now."
"Thanks everybody for speaking up."
https://webcache.googleusercontent.com/search?q=cache:JeCIgSFrBlgJ:http://www.phoronix.com/scan.php?page%3Dnews_item%26px%3DChaosEsqueAnthology-Rel-51%2Bchaosesque&gbv=1&tbs=qdr:w&hl=en&&ct=clnk
It is the opensource way.
Also we must use systemd, because anti-systemders are misogynist:
etbe.coker.com.au/2015/04/26/anti-systemd-people/
Code is not what matters. What you think in your head is what matters or what you are.
If you're a woman just being a woman is a great contribution to open source/free software.
If you're a non cuckolded male then no contribution is enough to be considered a contributor.
Remember: opensource people would prefer wrong-thinkers be locked up in an insane asylum.
How many of those will I see when trying to browse the web every day? Then there is the 3 second wait before approving it. I hope this is better thought out than that dialog window.
My bank still insists on using RC4 ciphers and TLS 1.
If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.
What bank is this? There's nothing wrong with public shaming in cases like this, in fact it does the world a service.
Also, you should seriously consider switching banks. Your post prompted me to check the banks I use. One is great, one is okay. I'll watch the okay one.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
My bank still insists on using RC4 ciphers and TLS 1.
If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.
As others have pointed out, they might claim that the latest Firefox was defective and encourage users to stay at an old version or switch browsers "until it is fixed". Once such decisions are written into policy, front line workers unwittingly protect the decision makers from having to find out that they were wrong. They will simply 'teach' the users one-by-one to 'fix the problem' by installing a different browser.
It would be better to have Firefox warn that the site had "outdated security" or something like that. The warnings could start out hardly noticeable and gradually become more conspicuous. It could start with a subtle change in the lock icon, then a mild click through warning, then a warning with a scary graphic and phrases such as "proceed at your own risk".
The idea is to get the message in front of as many Firefox using customers as possible before the businesses are aware of it. This makes it instantly a "a well-known security flaw in our website" rather than a "known problem with a version of Firefox used by two customers".
At that point they can either fix their website or block Firefox. But now if they block Firefox the reason will be widely known and the bank subject to public ridicule.
Um, you write: "[CA] could issue a bogus certificate in your name whether you work with them or not" and also "Your CA being in the US isn't a risk".
That's kind of a contradiction. Ok, so where my CA is located isn't the issue, but given "National Security Letters" and all, I'd say allowing any CA in the US to issue certificates is a risk, at least for non-US domains.
Enjoy life! This is not a dress rehearsal.
With multiple sites I am responsible for this is highly annoying and expensive. Especially when I have to keep updating certs because of vulnerabilities found in encryption methods.
Cut the fingers of your attackers off one by one. Film it.
You should find another bank.
Yep. There are plenty of banks to choose from that - whatever their other flaws - at least take security seriously. If your bank can't or won't lock down their website, then you already know that they're negligent in at least one area. What else are they neglecting?
Dewey, what part of this looks like authorities should be involved?
If you look you will find that pretty much every bank has RC4 as their top cipher in the list. This is due to the fact that, while relatively weak, there are no known attacks against the cipher itself (other than brute force).
My eyes reflect the stars and a smile lights up my face.
Last time I tried, https didn't work. Kinda surprised me.
Insists on using RC4, or still accepts it? SSL negotiation involves the server having a list of available ciphers, of which RC4 is often one for backwards compatibility, but not one in a preferred position on that list. The session shouldn't devolve into RC4 unless it's the only thing the browser knows. It won't be the only cipher on the bank's list, though.
You're saying that his right to be an asshole trumps my right to ditch his products and protest him being as asshole.
Now that's hypocrisy.
no it won't. they'll just dust off their "made for internet explorer" badges from a decade ago.
this is NOT YOUR JOB!
your job is to produce secure, open source software that runs on a variety of platforms; not to TELL US how to develop our company or personal web sites (the internationally recognized standards bodies do that). fact is, MOST web sites DO NOT NEED TO BE SECURE because they don't NEED to transmit any personal data.
I'll watch the okay one.
Uh, if you're not watching them both, I hate to say it, but you're a fool.
There are far easier ways to do nefarious things to someone's account than fucking about with an online banking portal. Shop at Target or Home Depot lately?
How does the bank manage to get away with it considering current PCI DSS requirements? Who is criminally signing off on that?
They will also stop supporting IPV4 by the end of the year. This will obviously force the entire Internet to finally embrace IPV6.
It would be better to have Firefox warn that the site had "outdated security" or something like that. The warnings could start out hardly noticeable and gradually become more conspicuous.
You mean like the unending stream of "security policy violation" messages that some sites trigger by, IIRC, mixing https and http content? The popups that come so fast that you can't get rid of one and stop loading the page before the next one comes up? And then you need to try to get through a dozen of them before doing anything else, except killing one causes two more to pop up?
That kind of "hardly noticeable"? Firefox has a history of not dealing with "security policy" warnings intelligently.
The idea is to get the message in front of as many Firefox using customers as possible before the businesses are aware of it.
That's the kind of action that causes websites to stop supporting browsers. If a specific browser prevents the user from accessing a website, then the business will ultimately react, but it can't do it by just waving a magic wand. Their support will be telling people that the browser is no longer supported -- because that's the truth.
At that point they can either fix their website or block Firefox.
They won't have to block firefox, firefox will be blocking itself.
But now if they block Firefox the reason will be widely known and the bank subject to public ridicule.
Haha haha. Most people won't understand why, and most people won't care. They'll use a browser that works, and since that browser can deal with it, it will be firefox that's broken.
Yeah, what kind of admin knows how to run a packet sniffer but can't spend 30 seconds figuring out how to decrypt it with Wireshark or whatever?
Oh, and just to add onto that: you can export the session keys with Wireshark as well. So no, you do NOT have to send your private key to your vendors when analyzing network problems. You send the session keys that are only good for decrypting that session over, rather than your private key, which must remain private.
But now if they block Firefox the reason will be widely known and the bank subject to public ridicule.
Haha haha. Most people won't understand why, and most people won't care.
And then there will be people like me: who understand why, and still don't care. If Firefox stops working with web sites I need to go to, I'll just stop using Firefox. I'm already a long way there: there is an increasing number of websites that Firefox doesn't work well with, and so I have to use a different browser for them.
Yes, the browser wars are on their way back.
One thing I've learned about watching the exchange on this news across the web is that there's a shit ton of outdated server software running around.
Your keys are extracted from RAM and sent over 3g to your adversary (the SJWs working for the government who look down on anything men would like), your desktop is snooped on, thanks to Intel Active Management Technology / vPro / VT built into your chipset.
The police break down your door and arrest you.
You are placed in prison for the rest of your life.
You are raped by a homosexual every day.
The good christian and sjw people of america cheer. /pol/ also agrees.
You pray that there is a nuclear war to wipe away this civilization. There isn't.
You have fantasies of simply having a cute young girl as a bride. These fantasies fade as you are continually raped by a "respectable" faggot.
Men in afghanistan continue to torture and kill feminists. They torture and kill anyone associated with feminism. They continue to marry little girls and have sexual relations with them. They are not in prison. They are not being fucked in the ass.
America continues on for another 1000 years dominating every other country, or something similar to it doing so.
You are tossed into an unmarked grave after 60 years of homosexual rape and misery. They wouldn't even allow you to commit suicide. Many other men live as you do. God does nothing. Males are powerless
If you look you will find that pretty much every bank has RC4 as their top cipher in the list.
Having RC4 as the "top cipher in the list" is very different from having RC4 as the *only* cipher in the list.
As it is now, you are not notified of security issues when you have no security whatsoever. HTTP sites should be given a dire, red warning because they represent the least secure position online. An SSL site with an expired certificate is far more desirable than an HTTP website.
Green should represent proper SSL certificates, as it does now.
But there's one more problem with SSL/HTTPS sites that nobody talks about: the fake SSL certificate. Your browser *probably* trust a multitude of SSL certificate vendors, and *any* of them can issue a certificate for *any* domain.
So there are literally hundreds of SSL certificate vendors that could issue a cert for google.com or whatever, and you wouldn't know. If the NSA offered a bit of $$ to a commonly trusted (but otherwise unheard of) certificate vendor to issue a few certificates to be used discreetly....
See the problem?
If I go to Thawte or RapidSSL to get a cert, I should have the ability to publish my vendor of choice, and nobody else's certificates should be considered trustworthy. Similarly, I should be able to publish revoked certificates the same way.
Why hasn't this already been done?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
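The two ideas raised in this thread, "warn only when a self-signed certificate changes" and "let me publish which certificate or issuer is legitimate for my domain", both amount to checking the certificate against something other than the CA list. Here is an added example (written for this page; not browser code, and not a full DANE or HPKP implementation) of both: a trust-on-first-use pin store keyed by SHA-256 fingerprint, and a check against a DANE-style TLSA record of the DANE-EE kind (usage 3, which is exactly the "only this certificate counts, whatever CA signed it" semantics the post asks for). The certificate and SubjectPublicKeyInfo byte strings are constructed stand-ins, not real DER.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates and an SPKI. Real ones
# start with an ASN.1 SEQUENCE (0x30) and run to a kilobyte or more.
CERT_V1 = b"\x30\x82-constructed-cert-for-example.org-v1"
CERT_V2 = b"\x30\x82-constructed-cert-for-example.org-v2"
SPKI_V1 = b"\x30\x59-constructed-spki-v1"


def fingerprint(der_bytes):
    """SHA-256 of the DER certificate, the value people compare out of band."""
    return hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """Trust-on-first-use: the first certificate seen for a host is remembered;
    a later, different certificate is reported instead of silently accepted."""

    def __init__(self):
        self._pins = {}   # host -> hex fingerprint

    def check(self, host, der_bytes):
        fp = fingerprint(der_bytes)
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = fp
            return "first-seen"        # the moment to verify the fingerprint elsewhere
        return "match" if known == fp else "changed"

    def accept_rotation(self, host, der_bytes):
        """Called once the user has verified the new fingerprint out of band."""
        self._pins[host] = fingerprint(der_bytes)


def tlsa_matches(record, cert_der, spki_der=None):
    """DANE-EE check. record = (usage, selector, matching_type, data)

    usage 3    : end-entity certificate; the CA chain is irrelevant
    selector 0 : whole certificate      selector 1 : SubjectPublicKeyInfo only
    matching 0 : exact bytes   1 : SHA-256 of it   2 : SHA-512 of it
    """
    usage, selector, matching, data = record
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled here")
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
        subject = spki_der
    else:
        raise ValueError("unknown selector %r" % selector)
    if matching == 0:
        return subject == data
    if matching == 1:
        return hashlib.sha256(subject).digest() == data
    if matching == 2:
        return hashlib.sha512(subject).digest() == data
    raise ValueError("unknown matching type %r" % matching)


def decide(host, cert_der, pins, tlsa_record=None, spki_der=None):
    """Combine the two: a published TLSA record is authoritative; otherwise
    fall back to trust-on-first-use and only complain when the pin changes."""
    if tlsa_record is not None:
        return "ok" if tlsa_matches(tlsa_record, cert_der, spki_der) else "reject"
    verdict = pins.check(host, cert_der)
    return "warn" if verdict == "changed" else "ok"


if __name__ == "__main__":
    pins = PinStore()
    print(decide("example.org", CERT_V1, pins))   # first visit: ok (pinned)
    print(decide("example.org", CERT_V2, pins))   # different cert: warn
    record = (3, 0, 1, hashlib.sha256(CERT_V1).digest())
    print(decide("example.org", CERT_V2, pins, record))   # published record says no
```

The caveat a practitioner would add: pinning moves the trust problem to key rotation (a lost key means every visitor sees the warning), and TLSA records are only as trustworthy as the DNS answer that carried them, which is why DANE is specified on top of DNSSEC.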
It seems Mozilla wants to move away from http, but here are some use cases they will be breaking:
I have a slow and expensive Internet connection used by a few people on a few different devices, I use a proxy-cache to improve page load times and reduce network traffic.
I am a parent, and while I try to be present whenever the kids use the internet, I run a proxy-filter (e.g. DansGuardian) to prevent them from stumbling across less suitable sites.
I am a service provider, and I use a transparent proxy to cache large files downloaded from international sites. This saves me about 10% of my running costs.
I am a service provider providing internet access with high input costs; in order to provide reasonably-priced services I have quota-based products. In order to be friendly to my customers and avoid them incurring over-use charges, I inject JS notifications at various thresholds. With only HTTPS, I will just have to wait until they are over quota and then block all HTTPS traffic and hope I can redirect some HTTP traffic to a page informing them that they are over quota.
I am a security engineer for my company, for various reasons we need to be able to inspect http traffic (prevent users from visiting malicious sites, enforce productivity controls etc.).
Sure, there are technical means around some of these challenges (e.g. devices that ship with/use CA certs and dynamically generate SSL certs to MITM the traffic), but this initiative is just going to increase costs for everyone.
And who will benefit? Well, most of the main sponsors of Let's encrypt. Cisco will be selling you more network equipment that can MITM SSL, Akamai will get more business as ISPs will not be able to cache on their own and content owners will have to pay Akamai instead.
Maybe some affected parties will start blocking Firefox (or block ssl upgrade checks), or some service providers may start charging Firefox users more.
I am a supporter of open source and have used Firefox as my primary browser since before the 1.0 release, but some of the supposed security braindeadness has made life more difficult, and this is just another example, and may be the one that forces me to change to a web browser, instead of an HTTPS-only browser.
With all this hassle for updating the web recently, including the permanent surveillance by Facebook/WhatCrap/Whatever, the Snowden leaks and the NSA/BND disasters and the broader discussion about encrypting services, it's becoming more and more evident that we need a complete bottom-up redo of all popular services on the internet.
The most pressing and obvious is E-Mail, which, by any standard imaginable, is about the worst protocol and service still in widespread use. But before that can happen properly, there's another thing that should be redone before everything else: DNS.
DNS needs to be abstracted away from the carriers and core services into something based on cryptographic signature. It should be possible for me to buy a domain for life simply by purchasing a slip of paper or a piece of code containing a register key to which I can tie a domain that is still free for choosing. Moving to a different provider with my domain or hosting it on my own small VM should be a matter of minutes.
Next up would be E-Mail. Zero-fuss end-to-end encryption and CPU-expensive hashing to make mass-mail expensive and spamming virtually impossible. Setting up a mail server should be as easy as setting up a mail client today. In fact, there shouldn't be much of a difference whether I'm setting up a client or a server; that is one of the big problems with E-Mail today.
Next up would be the Web. Let's face the facts: the Web today is a pile of junk. It's only thanks to Netscape freeing its browser (Mozilla) and Google buying V8 and fighting for a free (beer) web that benefits their business that we have a half-way feasible free web. Flash (and I'm sorry to break this to the /. crowd) was light-years ahead of everything else on the client-based web. CSS3 / HTML5 and JS are a joke in comparison. Clients are strange hacks with arcane technologies strapped together with glue and duct-tape, doing insane stunts and feats to build rich clients. The entire service could use a complete redo for design/UX, documents and programming. Javascript is neat and fun, but I can think of a few PLs that would do a better job, be easier to use and perhaps even easier to compile into binary.
Moving the Web into HTTPS is all fine and dandy (it's using FOSS technology and open standards, which is always the main big plus), but yet again it's only a dirty hack compared to what would be possible if we based a rebuilt web-like service on what is technologically possible today.
My 2 cents.
We suffer more in our imagination than in reality. - Seneca
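The "CPU-expensive hashing to make mass-mail expensive" idea in the post above is the hashcash proof-of-work scheme. As an added example (written for this page, not the poster's design and not the reference hashcash tool), here is a minter and a verifier: the sender must find a counter such that the SHA-256 of the stamp has a chosen number of leading zero bits, which costs about 2**bits hashes per message, while the receiver verifies with one hash plus a date and double-spend check. The stamp layout mirrors the hashcash v1 format; the resource, date and random salt in the demo are constructed.

```python
import calendar
import hashlib
import os
import time


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _sha256_bits(stamp):
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest())


def mint(resource, bits=20, now=None, rand=None):
    """Produce a stamp 'ver:bits:date:resource::rand:counter' whose SHA-256
    has at least `bits` leading zero bits. Expected cost: about 2**bits hashes.
    `resource` must not contain ':' (it is a stamp field separator)."""
    if ":" in resource:
        raise ValueError("resource must not contain ':'")
    t = time.time() if now is None else now
    date = time.strftime("%y%m%d", time.gmtime(t))
    salt = os.urandom(8).hex() if rand is None else rand
    counter = 0
    while True:
        stamp = "1:%d:%s:%s::%s:%d" % (bits, date, resource, salt, counter)
        if _sha256_bits(stamp) >= bits:
            return stamp
        counter += 1


def verify(stamp, resource, bits, now=None, max_age_days=2, seen=None):
    """Accept a stamp only if it is for our resource, meets the required work,
    is recent, and (when a `seen` set is supplied) has not been used before."""
    try:
        ver, stamp_bits, date, res, _ext, _rand, _counter = stamp.split(":")
        stamp_bits = int(stamp_bits)
        issued = calendar.timegm(time.strptime(date, "%y%m%d"))
    except ValueError:
        return False
    if ver != "1" or res != resource or stamp_bits < bits:
        return False
    if _sha256_bits(stamp) < stamp_bits:
        return False                      # claimed work was not done
    t = time.time() if now is None else now
    age = t - issued                      # issued is midnight UTC of the stamp day
    if age < -86400 or age > max_age_days * 86400:
        return False                      # from the future, or too old to replay-check
    if seen is not None:
        if stamp in seen:
            return False                  # double spend
        seen.add(stamp)
    return True


if __name__ == "__main__":
    start = time.time()
    s = mint("alice@example.org", bits=18)
    print(s, "minted in %.2fs" % (time.time() - start))
    print("verify:", verify(s, "alice@example.org", 18))
```

The economics are the whole argument: a legitimate sender pays the cost once per recipient, while a spammer sending millions of messages pays it millions of times. The receiver's side is cheap, which is what lets a mail server enforce it without becoming the bottleneck itself.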
Really, HTTPS is not the holy grail and does not make a site more secure. It should be used only for tasks where you actually want privacy. There are a thousand things HTTPS is not useful or needed for at all, e.g. this post. It's a stupid measure.
This could not go wrong, really (or could it!?).
This is a bad move and will force people away from using Mozilla because it will mean a Joe Citizen wanting to have a website will need to purchase SSL certificates - at significantly greater cost than the hosting cost of the web host that supplies the web hosting capability.
I understand the rationale, but very bad move!
Ha! The NSA has orders of magnitude more computing power and brain power than any comparable organization. These sort of piddling half-measures are a win for them because they represent significant obstacles to rival organizations without posing any challenge to the NSA. Classified cryptography research has always been decades ahead of the publicly available state of the art. Why should things be any different now?
Firefox has already done this. Since Firefox 37 the default preference does not allow fall back to TLS 1.0 or 1.1. So if your bank's website is not using TLS 1.2 then you will not be able to connect to it. There is no user friendly UI to change the setting, but you can change the fall back setting using the about:config mechanism. Check the release notes here - https://www.mozilla.org/en-US/... Also SSL Labs has already planned to give a low grade to websites using RC4 over the next few months - https://community.qualys.com/b... You can check the status of your bank's security infrastructure with the SSL Labs scanning tool and complain about it in the bank support forum - https://www.ssllabs.com/ssltes... The client I worked for has the same problem with some websites and hence started getting calls from customers. Thankfully they have quickly recognised the potential loss of business and are working on upgrading the infrastructure.
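Several posts in this thread turn on the same two handshake details: "RC4 on top of the list" is not the same as "RC4 only", and a client that refuses to fall back below TLS 1.2 simply fails against a TLS 1.0-only server. Here is an added example (written for this page; constructed client and server profiles, no real TLS is performed) that models version selection and cipher-suite selection under both server preference and client preference, plus a small audit in the spirit of the SSL Labs grading mentioned above. The "Firefox 37" profile reflects only what the post says (TLS 1.2, no RC4); its cipher list is an assumption for the demo.

```python
VERSION_ORDER = ["TLS1.0", "TLS1.1", "TLS1.2"]   # lowest to highest

RC4_SUITES = {
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

# Constructed client profiles (cipher lists are assumptions for the demo).
FIREFOX_37 = {
    "name": "Firefox 37 defaults",
    "versions": ["TLS1.2"],                      # no fallback to 1.0/1.1
    "ciphers": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
}
OLD_CLIENT = {
    "name": "older client that still offers RC4",
    "versions": ["TLS1.0", "TLS1.1", "TLS1.2"],
    "ciphers": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
}

# Constructed server profiles.
BANK_RC4_FIRST = {
    "name": "bank with RC4 on top but AES available",
    "versions": ["TLS1.0", "TLS1.2"],
    "ciphers": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "prefer_server_order": True,
}
BANK_RC4_ONLY_TLS10 = {
    "name": "bank with RC4 only and TLS 1.0 only",
    "versions": ["TLS1.0"],
    "ciphers": ["TLS_RSA_WITH_RC4_128_SHA"],
    "prefer_server_order": True,
}


def negotiate(client, server):
    """Return (version, cipher) on success, or (None, reason) on failure.

    Version: the highest both sides support. Cipher: the first suite in the
    chooser's list that the other side also offers; the chooser is the server
    when it enforces its own order, otherwise the client.
    """
    common = [v for v in VERSION_ORDER
              if v in client["versions"] and v in server["versions"]]
    if not common:
        return None, "no common protocol version"
    if server.get("prefer_server_order", True):
        chooser, other = server["ciphers"], client["ciphers"]
    else:
        chooser, other = client["ciphers"], server["ciphers"]
    for suite in chooser:
        if suite in other:
            return common[-1], suite
    return None, "no common cipher suite"


def audit(server):
    """Findings a scanner would report for a server configuration."""
    findings = []
    if "TLS1.2" not in server["versions"]:
        findings.append("TLS 1.2 not offered")
    if server["ciphers"] and server["ciphers"][0] in RC4_SUITES:
        findings.append("RC4 is the preferred cipher")
    if set(server["ciphers"]) <= RC4_SUITES:
        findings.append("RC4 is the only cipher")
    return findings


if __name__ == "__main__":
    for client in (FIREFOX_37, OLD_CLIENT):
        for server in (BANK_RC4_FIRST, BANK_RC4_ONLY_TLS10):
            print(client["name"], "->", server["name"], ":", negotiate(client, server))
    print(audit(BANK_RC4_ONLY_TLS10))
```

The model shows why the two replies above are both right: with RC4 merely first in the server's list, a client that does not offer RC4 still gets AES, while an older client that does offer it is steered onto RC4 whenever the server enforces its own preference order. Against the RC4-only, TLS 1.0-only server, the TLS 1.2-only client never gets as far as choosing a cipher.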