Mozilla Begins To Move Towards HTTPS-Only Web

jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.

Excellent.

More wildcard certs for me to buy.

Re: Excellent.

[amxcoder]

Actually this. I'm in the same boat, with my own domain on shared hosting. I'm not going to shell out money to a third party for a cert that really isn't needed for a website that just gives info about me and my business.

On another note, I program embedded control systems for a living, and often am incorporating automation to reach out and either pull out scrape data from web servers for different reasons (to diplay weather or energyvusage stats) or control home security monitors etc. These embedded platforms dont have the encryption frameworks for them to access most https sites. Meaning to do the simple thing like scraping info from a https page requires delving into encryption protocols, rolling your own encryption implementations and having it run on a platform that is less powerful than a typical phone. It all started when all email servers went to https and then trying to get an automation system to send a status or alert email turned into a major PITA. Now the whole web is going to be like that. I love how in the dawn of IoT, that everyone assumes that all these microprocessors are going to be running standard full fleged web frameworks and all the goodies that goes with them, including encryption, XML, JSON, Restful and other frameworks that are common on on your big 5 OSes, but not so common in the land of proprietary OSes running on embedded platforms.

BTW, I program AMX and Crestron automation systems if anyone was wondering what platforms Im specifically referring to, but there are others as well.

Wait a minute...

[jez9999]

If my website just serves up public data that I don't care about the government seeing, you're going to disable new features on it anyway? Seems a bit extreme.

Re:Wait a minute...

[jez9999]

What about development though? You want to go through the PITA of setting up HTTPS for every development site? This also stops you using Wireshark for seeing what data is actually being transmitted.

this. exactly this.

[nimbius]

Two years after snowdens revelations we're seeing a reality come to pass. After the NSA swept its most damning indictments under the rug, after congress gave a sigh and a shrug and stifled a syrupy belch from the afternoons filet mignon lunch, we still see this change. After the TV spotlights were turned back to fashion trends, civil unrest, diet pills and other nonesuch this persisted despite the best effort. and its extremely unfortunate

Instead of watching discourse spread and meaningful legislation come to pass we're watching a largely uninformed electorate occasionally mistake snowden for assange on national television, and the elected officials with whom our protection they are charged bungle through bills that dont really do much of anything. We're seeing the alternative that no nation wants, and that alternative is a two-tier us-versus-them system in which groups of dedicated hackers fight back. It sets the stage for good-versus-bad and the determinant for this assertion to eventually become the existence of crypto or passwords and ones general willingness to divulge them in the face of overwhelming yet unconstitutional authoritarian presence.

expect 3 letter government organizations to get frustrated, and angry, very quickly. Aaron Schwartz was a prime example of how, in the future, citizens who act to protect themselves with crypto and security will face the bureaucratic version of biblical retribution in the form of endless charges, indefinite espionage, and a litany of convictable offenses that would result in a lifetime of imprisonment for anyone who dares not to divulge their password.

SAVE US AND THE WEB FROM MOZILLA!

Mozilla used to be the Savior of the Web. But after these last few years, I fear they've lost that role.

The UI changes to Firefox were totally unwanted, and have pretty much killed it as a product. Its share of the market keeps dropping and dropping. When we look at global web browser usage stats like these, we see that Firefox is now maybe 10% of the market, if even that. Chrome for Android alone, Chrome 41 alone and Chrome 40 alone each have about the same or more users than all versions of Firefox. Heck, even IE 11 alone and Safari have about the same number of users these days.

Mozilla has also engaged in numerous other half-arsed efforts, like Firefox OS and Persona, that nobody wants. Every review I've seen of Firefox OS has been negative. Nobody likes it, and nobody wants it, even the third-worlders they've had to resort to targeting it to. With Android, iOS, and so many other alternatives that are so much better, why the heck would anyone sensible use Firefox OS? The only reason to use it is to try to conform with some weird fringe ideology that worships HTML5/JS/CSS above all else, even above usable, working applications.

Then there was the whole Eich debacle. Regardless of your stance, it's pretty disgusting that somebody had to lose his job merely because of his beliefs regarding same-sex marriages. It would be considered unacceptable if a homosexual was forced out of a job for supporting same-sex marriage, and it should be considered just as unacceptable if a heterosexual was forced out of a job for not supporting same-sex marriage. This is no place for hypocrisy or double standards.

Now there's this shit that will cause headaches and problems for so many Web users.

We need a new organization to save us, and the Web, from Mozilla. We need an organization that will put out a usable browser. We need an organization that focuses on doing what's right, and what the Web community wants, rather than what it wants. We need an organization that will listen and respect its users, rather than trampling on them and ignoring their pleas. We need a new Savior, and we need it now.

Re:SAVE US AND THE WEB FROM MOZILLA!

[Grishnakh]

Then there was the whole Eich debacle. Regardless of your stance, it's pretty disgusting that somebody had to lose his job merely because of his beliefs regarding same-sex marriages.

Bullshit.

When you're the CEO of a company, your personal beliefs are no longer your own; anything you do in public reflects on that company. You are in effect the company's face and public image. So if the company's board of directors doesn't like the image you're conveying of the company, they are entirely within their rights to fire you and hire someone else.

Simpletons like you don't seem to understand that being a CEO is not a normal job where you come to work, punch a time clock, do what you're told, and collect a paycheck and go home to live your private life. When you're CEO, you have no private life. Just look at Steve Jobs when he was alive: he was well-known, famous, he was Apple. Everything he did represented that company. Not only does the CEO direct the company and make all the big decisions, he also serves as the public face of the company.

Granted, Mozilla isn't as big or prominent a company as Apple Computer, but it's still fairly well-known, as countless people do use their browser (or have in the past). If they thought that Eich was making their company look bad, they had a very good reason to replace him.

Are you going to try to argue that if Coca-Cola hires some celebrity to do some ads for them, and that celebrity gets caught on camera spouting a bunch of racist stuff like Mel Gibson, that they shouldn't fire him, and that they should continue showing ads showing this now-controversial personality and thus completely ruin their public image?

Re:SAVE US AND THE WEB FROM MOZILLA!

[Lennie]

When he did what he did he wasn't the CEO, it was years before that and the law said he had to mention his employers name when he donates.

If it wasn't the law I pretty sure he wouldn't have even mentioned Mozilla it would just be him donating money.

Choice, not force.

[Tablizer]

I hope they give a setting choice similar to:

* Block all non-HTTPS sites
* Prompt on all non-HTTPS sites (view/no-view confirmation, perhaps with a "remember choice for this site" option.)
* Automatically allow all non-HTTPS sites, with a yellow warning bar and disabling of JavaScript.
* Automatically allow all non-HTTPS sites, with a yellow warning bar.
* Automatically allow all non-HTTPS sites, withOUT a warning bar.

(There may be a way to simplify this by putting some of the questions in the warning bar.)

Mozilla has gotten brazen lately about forcing questionable changes on users in the name of progress (per their view of "progress"). This includes forced tabs*, goofy search bar "split" (eventually fixed), and disabling "back" on POST forms (instead of prompting). They gave very round-about and fishy reasons for all 3 of these.

* Fortunately somebody created a "Hide tab bar for 1 tab" addon. Thank You, Fixers!

Authenticity, but not always secrecy

HTTP needs to be phased out, but that doesn't mean everything needs to be encrypted. A lot of sites serve static content thats not a secret to anyone. Even in an encrypted stream, the contents of static files isn't really a secret. What you don't want is some man in the middle intercepting your request for some static file and responding with something malicious like the Great Cannon.

If static content were signed with the server's cert, its authenticity could be verified more cheaply than with HTTPS. This would also leave open the possibility for network cacheing, which benefits hosts, ISPs, and reduces traffic on the entire route. You'd want the content signing to cover the HTTP headers, and probably require an "expires" header.

With this approach, you could red flag all HTTP traffic as insecure, and signed traffic could be shown as normal.

Trying to mix content is more of a problem. It may be possible to securely deliver HTTPS dynamic content mixed with just-signed static content, but that'd probably get screwed up too often to leave that option open.

Self-signed

[Dwedit]

Okay, but if you're going to do that, you might want to throw out all the incredibly dire warnings about self-signed certificates. Nobody should be forced to pay a cartel for SSL certificates.

Instead, throw out the dire warnings when the self-signed certificates aren't correct, such as when it changes.

Can we please fix certificates and CAs first?

[bradley13]

HTTPS is all well and good, but the certificate situation is just a mess. Currently, essentially any CA can issue a certificate for any website anywhere. That means that every time you surf, you are placing your trust in literally hundreds of CAs.

Meanwhile, self-signed certificates bring up horrendous warnings, or are simply refused. The chance of verifying a self-signed certificate (for example, getting the fingerprint via another channel) are a lot better than the chance of verifying that some random CA hasn't been bribed or pressured.

Can we please fix this mess, along the way to making HTTPS standard?

Re:Also, stop supporting sites with poor encryptio

[david672orford]

My bank still insists on using RC4 ciphers and TLS 1.

If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.

As others have pointed out, they might claim that the latest Firefox was defective and encourage users to stay at an old version or switch browsers "until it is fixed". Once such decisions are written into policy, front line workers unwittingly protect the decision makers from having to find out that they were wrong. They will simple 'teach' the users one-by-one to 'fix the problem' by installing a different browser.

It would be better to have Firefox warn that the site had "outdated security" or something like that. The warnings could start out hardly noticeable and gradually become more conspicuous. It could start with a subtle change in the lock icon, then a mild click through warning, then a warning with a scary graphic and phrases such as "proceed at your own risk".

The idea is to get the message in front of as many Firefox using customers as possible before the businesses are aware of it. This makes it instantly a "a well-known security flaw in our website" rather than a "known problem with a version of Firefox used by two customers".

At that point they can either fix their website or block Firefox. But now if they block Firefox the reason will be widely known and the bank subject to public ridicule.

Re:Sooo...

[PvtVoid]

Car analogy time: Mozilla wants everyone to use paved roads so car drivers can see hazards more effectively.

Continued car analogy: Mozilla, to this end, builds a car that shuts down when you try to drive it on a dirt road. Why would anybody want to buy a car that did that?