Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Begins To Move Towards HTTPS-Only Web

Posted by Soulskill on from the driving-web-privacy dept.

jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.

5 of 324 comments (clear)

  1. F**** you, Mozilla! by Anonymous Coward · · Score: 2, Interesting

    First, you introduce "features" like https://bugzilla.mozilla.org/show_bug.cgi?id=435013 and then you want to block the rest of pages the mighty Mozilla Security Council does not approve?? Get stuffed.

  2. Also, stop supporting sites with poor encryption by QuietLagoon · · Score: 3, Interesting
    My bank still insists on using RC4 ciphers and TLS 1.

    If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.

  3. Re:Wait a minute... by Todd+Knarr · · Score: 4, Interesting

    The problem is that requiring HTTPS doesn't make sites more secure. It prevents an attacker who can't obtain a legitimate SSL certificate for the domain from running a mid-transit MITM attack, nothing more. The biggest problems seem to be a) phishing attacks that convince the user to visit a rogue site eliminating the need for MITM, b) local system compromises (client- or server-side) that have access to the cleartext traffic and don't need an MITM, and c) rogue CAs who issue certificates for domains the recipient isn't authorized for which allows for mid-transit MITM with HTTPS. The first two can't be mitigated by anything other than smarter users (HAH!), and mitigating the third requires massive changes to certificates so it's possible to determine whether a certificate belongs to a given site without depending on anything in the certificate and without depending on the CA having validated the recipient.

  4. Re:Yes, but.. by LDAPMAN · · Score: 3, Interesting

    If you have the private key, packet sniffing works fine.

  5. Re:Self-signed by Strider- · · Score: 3, Interesting

    Okay, but if you're going to do that, you might want to throw out all the incredibly dire warnings about self-signed certificates. Nobody should be forced to pay a cartel for SSL certificates.

    It's gets worse. Chrome throws the dire warnings on self-signed SSL certificates, and then refuses to do the username/password autofill on those pages. I've basically ditched using chrome for most of my network admin stuff that goes over https, because of this.

    --
    ...si hoc legere nimium eruditionis habes...