Slashdot Mirror


Mozilla Begins To Move Towards HTTPS-Only Web

jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.
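The two mechanisms the summary leans on, HSTS and the CSP upgrade-insecure-requests directive, decide inside the browser whether an "http" URL ever produces a plaintext request. The following is an added example, not code from the Slashdot post, from Mozilla or from the W3C drafts: a small JavaScript model of that decision, written against the WHATWG URL class that Node.js and browsers ship. Hostnames such as hobby.example and cdn.example are constructed placeholders, and the scenario in demo() is made up to exercise the edge cases (header received over plain HTTP, includeSubDomains, non-default ports, ws://, cross-origin navigation, expiry).

```javascript
// Added example (not Mozilla or W3C code): which http:// requests a browser
// rewrites to https:// under HSTS and CSP upgrade-insecure-requests.
//
// - HSTS (RFC 6797): a host that sent Strict-Transport-Security over HTTPS is
//   remembered; later http:// requests to it are rewritten before any bytes
//   leave the machine. The header is ignored when it arrives over plain HTTP,
//   otherwise a network attacker could plant or clear policies.
// - upgrade-insecure-requests (CSP): a page carrying the directive has its
//   http:// and ws:// subresource requests rewritten, no HSTS entry needed.
//   Cross-origin navigations are not covered by the directive.

// Parse "max-age=31536000; includeSubDomains; preload". A value without
// max-age is invalid and returns null (the header must then be ignored).
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const [name, value = ''] = raw.trim().split('=').map((s) => s.trim());
    const lower = name.toLowerCase();
    if (lower === 'max-age' && /^\d+$/.test(value)) maxAge = Number(value);
    else if (lower === 'includesubdomains') includeSubDomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(now = () => Date.now()) {
    this.entries = new Map(); // hostname -> { expires (ms), includeSubDomains }
    this.now = now;           // injectable clock so expiry can be tested
  }

  // Record the header from one response. Returns true if the store changed.
  observe(responseUrl, headerValue) {
    const u = new URL(responseUrl);
    if (u.protocol !== 'https:') return false; // only trusted over TLS
    const d = parseHsts(headerValue);
    if (d === null) return false;
    if (d.maxAge === 0) return this.entries.delete(u.hostname); // clears policy
    this.entries.set(u.hostname, {
      expires: this.now() + d.maxAge * 1000,
      includeSubDomains: d.includeSubDomains,
    });
    return true;
  }

  // Exact host match, or a parent domain whose policy has includeSubDomains.
  isKnown(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= this.now()) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }
}

// http -> https, ws -> wss. The URL class drops default ports, so
// http://host:80/ becomes https://host/ (port 443); other ports are kept.
function upgradeUrl(urlString) {
  const u = new URL(urlString);
  const secure = { 'http:': 'https:', 'ws:': 'wss:' };
  if (!(u.protocol in secure)) return u.href;
  u.protocol = secure[u.protocol];
  return u.href;
}

// What a request for `target` actually goes out as. `page` is the document
// issuing it: { origin, upgradeInsecure } (undefined for a bare navigation).
function rewriteRequest(target, { hsts, page, navigation = false }) {
  const u = new URL(target);
  if (u.protocol !== 'http:' && u.protocol !== 'ws:') {
    return { url: u.href, reason: 'not upgradeable' };
  }
  if (hsts && hsts.isKnown(u.hostname)) {
    return { url: upgradeUrl(u.href), reason: 'hsts' };
  }
  const sameOrigin = page !== undefined && u.origin === page.origin;
  if (page && page.upgradeInsecure && (!navigation || sameOrigin)) {
    return { url: upgradeUrl(u.href), reason: 'upgrade-insecure-requests' };
  }
  return { url: u.href, reason: 'plain http' }; // interceptable on the wire
}

// Constructed scenario; hostnames are placeholders, not real sites.
function demo() {
  let clock = 1000000;
  const hsts = new HstsStore(() => clock);
  hsts.observe('https://hobby.example/', 'max-age=31536000; includeSubDomains');
  hsts.observe('http://cdn.example/', 'max-age=31536000'); // over http: ignored
  const page = { origin: 'http://blog.example', upgradeInsecure: true };
  const results = {
    hstsHost:   rewriteRequest('http://hobby.example/script.js', { hsts }),
    hstsSub:    rewriteRequest('http://www.hobby.example:8080/x', { hsts }),
    hstsLeak:   rewriteRequest('http://cdn.example/lib.js', { hsts }),
    cspScript:  rewriteRequest('http://cdn.example/lib.js', { hsts, page }),
    cspSocket:  rewriteRequest('ws://cdn.example:80/feed', { hsts, page }),
    cspNavOut:  rewriteRequest('http://other.example/', { hsts, page, navigation: true }),
    cspNavSame: rewriteRequest('http://blog.example/about', { hsts, page, navigation: true }),
  };
  clock += 31536001 * 1000; // a year and a second later: the HSTS entry has expired
  results.expired = rewriteRequest('http://hobby.example/', { hsts });
  return results;
}

console.log(demo());
```

The instructive rows are hstsLeak and expired: a Strict-Transport-Security header that only ever arrived over plain HTTP buys nothing, and an HSTS policy silently lapses when max-age runs out, so the "http" scheme in a legacy link is only safe while one of the two mechanisms is actually in force for that host or page.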

5 of 324 comments

  1. Re:Wait a minute... by LordLimecat · Score: 5, Informative

    Not sure if you've been watching the news, but China has been using Baidu effectively as a botnet because they are able to intercept and modify JavaScript sent via HTTP.

    Stops a lot of threats, even if you're just a hobbyist; it ensures that an attacker can't just intercept your hobby page and drop a bunch of exploit kits on it.

  2. Re:Excellent. by kthreadd · Score: 4, Informative

    More wildcard certs for me to buy.

    If Let's Encrypt takes off, and it's fairly likely to do so given the sponsors they have (including Mozilla), you won't have to buy any certs at all. They will just be there automatically.

  3. Re:What about servers run from home ? by jmv · Score: 4, Informative

    I suspect that Let's Encrypt is related to that issue.

  4. no DNSSEC+DANE certificate validation by ftobin · Score: 4, Informative

    It would be nice if they focused on fixing the certificate authority structure by supporting DANE, using DNS records to indicate certificates. Even though there is plenty of interest at https://bugzilla.mozilla.org/s..., Mozilla doesn't seem interested in solving this problem:
    https://bugzilla.mozilla.org/s...

  5. Re: Excellent. by RLaager · Score: 4, Informative

    A CA never has your private key. You generate it locally and it is never sent to them.