Slashdot Mirror


Mozilla Begins To Move Towards HTTPS-Only Web

jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.
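The two upgrade mechanisms the summary names, HSTS and the upgrade-insecure-requests CSP directive, are easy to confuse. The following is an added example, not Mozilla's code and not from the submission: a toy Node.js model of how a browser decides whether an http:// sub-resource URL gets rewritten to https://. It shows the check practitioners most often get wrong, namely that an HSTS header received over plain HTTP must be ignored. All host names, header values and the clock are constructed for the demonstration.

```javascript
// Added example (not Mozilla's or Slashdot's code): a toy model of how a browser
// turns http:// requests into https:// ones via HSTS and the CSP directive
// upgrade-insecure-requests. All host names and header values are constructed.

// Parse a Strict-Transport-Security header value into { maxAge, includeSubDomains }.
// Returns null when max-age is missing or invalid, in which case the header is ignored.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, value] = directive.split('=').map((s) => s.trim());
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      if (value === undefined) return null;
      const n = Number(value.replace(/^"|"$/g, ''));
      if (!Number.isInteger(n) || n < 0) return null;
      maxAge = n;
    } else if (lname === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Per-host HSTS store keyed by host name. `now` is injectable so expiry can be tested.
class HstsCache {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.entries = new Map();
  }

  // Record a policy. Browsers only honour HSTS learned over HTTPS: anyone on the
  // path can inject a header into a plain-HTTP response, so such headers are ignored.
  learn(responseUrl, headerValue) {
    const u = new URL(responseUrl);
    if (u.protocol !== 'https:') return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) {            // max-age=0 tells the browser to forget the host
      this.entries.delete(u.hostname);
      return true;
    }
    this.entries.set(u.hostname, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True if `host`, or a parent domain whose policy has includeSubDomains, has an
  // unexpired HSTS entry.
  isKnown(host) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) {
        this.entries.delete(candidate);   // lazily evict expired policies
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// Decide what the browser actually fetches for a sub-resource URL found in a page
// whose Content-Security-Policy header is `pageCsp` (may be empty).
function resolveFetchUrl(cache, pageCsp, requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol !== 'http:') return u.href;      // already secure or a non-HTTP scheme
  const cspUpgrade = /(^|;)\s*upgrade-insecure-requests\s*(;|$)/i.test(pageCsp || '');
  if (cspUpgrade || cache.isKnown(u.hostname)) {
    u.protocol = 'https:';   // an explicit :80 was normalised away, so this lands on 443
  }
  return u.href;
}

// Constructed walk-through: the policy is learned over HTTPS, then applied to a
// sub-domain; a page-level CSP upgrades a host the cache has never seen.
const demoCache = new HstsCache();
demoCache.learn('https://example.test/', 'max-age=31536000; includeSubDomains');
console.log(resolveFetchUrl(demoCache, '', 'http://cdn.example.test/app.js'));
console.log(resolveFetchUrl(demoCache, 'upgrade-insecure-requests', 'http://other.test/app.js'));
```

The two mechanisms differ in scope: HSTS is per host and persists across pages for max-age seconds, while upgrade-insecure-requests applies only to documents that carry the directive and says nothing about top-level navigations to other sites. Neither helps on the very first plain-HTTP visit to a host the browser has never seen, which is why preload lists exist.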

11 of 324 comments

  1. Re:Wait a minute... by LordLimecat · · Score: 5, Informative

    Not sure if you've been watching the news, but China has been using Baidu effectively as a botnet because they are able to intercept and modify javascript sent via HTTP.

    Stops a lot of threats, even if you're just a hobbyist; it ensures that an attacker can't just intercept your hobby page and drop a bunch of exploit kits on it.

  2. Re:Excellent. by kthreadd · · Score: 4, Informative

    More wildcard certs for me to buy.

    If Let's Encrypt takes off, and it's fairly likely to do so given the sponsors they have (including Mozilla), you won't have to buy any certs at all. They will just be there automatically.

  3. Re:What about servers run from home ? by jmv · · Score: 4, Informative

    I suspect that Let's Encrypt is related to that issue.

  4. Not encryption, authorization by Anonymous Coward · · Score: 1, Informative

    A lot of content out there is benign, or crackable - what you want to make sure of is that you're connecting to the site you intended, and that the content you're getting is what's intended. What the content actually IS (cat memes) can be less important.

    1. Re: Not encryption, authorization by Anonymous Coward · · Score: 3, Informative

      This please. I work at a company that sends petabytes of encrypted video a day. Don't make us encrypt it twice, that's just a waste of everyone's time and money.

  5. Re:F**** you, Mozilla! by Anonymous Coward · · Score: 3, Informative

    Does Chrome have anything like Firebug?

    Oh my yes!! I quit using Firefox for Javascript development because the Chrome developer tools are so much better than Firebug. I didn't think that anyone could improve on Firebug, but I was quite pleasantly surprised.

  6. no DNSSEC+DANE certificate validation by ftobin · · Score: 4, Informative

    It would be nice if they focused on fixing the certificate authority structure by supporting DANE, using DNS records to indicate certificates. Even though there is plenty of interest at https://bugzilla.mozilla.org/s... , Mozilla doesn't seem interested in solving this problem:
    https://bugzilla.mozilla.org/s...

  7. Yet another reason by JohnFen · · Score: 3, Informative

    Thanks, Mozilla, for yet another reason to stop using Firefox.

  8. Re: Excellent. by RLaager · · Score: 4, Informative

    A CA never has your private key. You generate it locally and it is never sent to them.

  9. Re:A gem from the discussion by dbrueck · · Score: 3, Informative

    I do worry about the downsides of this in terms of how it'll cause higher load on servers because of higher traffic. That said, all major CDNs support HTTPS on the edges and non-HTTPS between the origin and the CDN, so they'll be fine. Where this will probably hurt more is with forward proxies at universities and businesses and transparent intermediate caches at ISPs.

  10. Re:A gem from the discussion by Strider- · · Score: 3, Informative

    Also, for those of us operating network connections to remote locations, everything https is absolutely destructive to the network performance. Right now, our WAAS setup gives us about a 30% boost on the satellite connection, mostly through low level de-duplication and compression. When you have 50+ people depending on a 1.8Mbps satellite connection, every bit counts. Enabling https for things that don't need it is a huge performance penalty.

    Basically, the people making these decisions assume that everyone has an unlimited, fast internet pipe. This is simply not the case.

    --
    ...si hoc legere nimium eruditionis habes...