Slashdot Mirror


Mozilla Begins To Move Towards HTTPS-Only Web

jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.
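The automatic "http" to "https" translation mentioned in the summary can be modelled in a few lines. This is an added example, not code from Mozilla or from the original post: it parses `Strict-Transport-Security` as defined in RFC 6797 and the CSP `upgrade-insecure-requests` directive, then shows which URLs a browser would rewrite. The `HstsStore` class, the function names and the `example.test` hosts are assumptions made for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')  # the value may be a quoted-string
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:                       # max-age is the one required directive
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


def csp_upgrades_insecure(csp_header):
    """True if any policy in the header carries upgrade-insecure-requests."""
    for policy in csp_header.split(","):
        for directive in policy.split(";"):
            words = directive.split()
            if words and words[0].lower() == "upgrade-insecure-requests":
                return True
    return False


def to_https(url):
    """Rewrite http:// to https://; an explicit port 80 becomes the https default."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host, port = parts.hostname or "", parts.port
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


class HstsStore:
    """Hypothetical in-memory model of a browser's list of known HSTS hosts."""

    def __init__(self, now=time.time):
        self._hosts = {}                      # host -> (expiry, include_subdomains)
        self._now = now

    def note_response(self, url, headers):
        """Record the policy from a response; headers use lowercase keys."""
        parts = urlsplit(url)
        if parts.scheme != "https":           # a header seen over plain HTTP is ignored
            return
        value = headers.get("strict-transport-security")
        policy = parse_hsts(value) if value else None
        if policy is None:
            return
        if policy["max_age"] == 0:            # max-age=0 removes the host
            self._hosts.pop(parts.hostname, None)
        else:
            expiry = self._now() + policy["max_age"]
            self._hosts[parts.hostname] = (expiry, policy["include_subdomains"])

    def applies_to(self, host):
        """Exact match, or a parent domain that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        host = urlsplit(url).hostname or ""
        return to_https(url) if self.applies_to(host) else url


def upgrade_subresource(page_csp, url):
    """Model of upgrade-insecure-requests applied to a page's subresource URL."""
    return to_https(url) if csp_upgrades_insecure(page_csp) else url


if __name__ == "__main__":
    store = HstsStore()
    # Constructed sample response, not captured traffic.
    store.note_response("https://example.test/",
                        {"strict-transport-security": "max-age=31536000; includeSubDomains"})
    print(store.rewrite("http://www.example.test:80/a?b=1"))
    print(upgrade_subresource("upgrade-insecure-requests", "http://cdn.example.test/x.js"))
```

HSTS only takes effect after one response has been received over HTTPS, so the very first plain-HTTP visit to a host is not covered by this mechanism.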

49 of 324 comments

  1. Excellent. by Anonymous Coward · · Score: 5, Insightful

    More wildcard certs for me to buy.

    1. Re:Excellent. by kthreadd · · Score: 4, Informative

      More wildcard certs for me to buy.

      If Let's Encrypt takes off, and it's fairly likely to do so given the sponsors they have (including Mozilla), you won't have to buy any certs at all. They will just be there automatically.

    2. Re: Excellent. by kthreadd · · Score: 2

      They plan to offer a tool that does exactly that but you absolutely don't have to use it. The plan is to have an API and nothing stops you from using that instead of the automation.

    3. Re: Excellent. by RLaager · · Score: 4, Informative

      A CA never has your private key. You generate it locally and it is never sent to them.

    4. Re:Excellent. by kthreadd · · Score: 2

      Not the same thing, wildcard helps in cases where multiple subdomains are being served by one server with only a single ip address. Since Let's Encrypt is currently discussing wildcards, and it's not looking good for them to actually support them, this would require servers to have an ip address per domain. If a server has more than 2 domains it is serving, it's COMPLETELY unreasonable.

      It's not necessary to have an IP address per cert anymore since every browser has support for SNI nowadays.

    5. Re: Excellent. by amxcoder · · Score: 3, Insightful

      Actually this. I'm in the same boat, with my own domain on shared hosting. I'm not going to shell out money to a third party for a cert that really isn't needed for a website that just gives info about me and my business.

      On another note, I program embedded control systems for a living, and often am incorporating automation to reach out and either pull or scrape data from web servers for different reasons (to display weather or energy usage stats) or control home security monitors etc. These embedded platforms don't have the encryption frameworks for them to access most https sites. Meaning to do the simple thing like scraping info from a https page requires delving into encryption protocols, rolling your own encryption implementations and having it run on a platform that is less powerful than a typical phone. It all started when all email servers went to https and then trying to get an automation system to send a status or alert email turned into a major PITA. Now the whole web is going to be like that. I love how in the dawn of IoT, that everyone assumes that all these microprocessors are going to be running standard full fledged web frameworks and all the goodies that go with them, including encryption, XML, JSON, Restful and other frameworks that are common on your big 5 OSes, but not so common in the land of proprietary OSes running on embedded platforms.

      BTW, I program AMX and Crestron automation systems if anyone was wondering what platforms I'm specifically referring to, but there are others as well.

  2. Wait a minute... by jez9999 · · Score: 4, Insightful

    If my website just serves up public data that I don't care about the government seeing, you're going to disable new features on it anyway? Seems a bit extreme.

    1. Re:Wait a minute... by LordLimecat · · Score: 5, Informative

      Not sure if you've been watching the news, but China has been using Baidu effectively as a botnet because they are able to intercept and modify javascript sent via HTTP.

      Stops a lot of threats, even if you're just a hobbyist; it ensures that an attacker can't just intercept your hobby page and drop a bunch of exploit kits on it.

    2. Re:Wait a minute... by kthreadd · · Score: 2

      If my website just serves up public data that I don't care about the government seeing, you're going to disable new features on it anyway? Seems a bit extreme.

      TLS can actually be used without encryption, the data is transferred in clear but you still get the authentication; which is actually something you want even if the data itself isn't secret.

    3. Re:Wait a minute... by markhb · · Score: 2

      Do you have an English reference for the Baidu comment (I'm not doubting, just want to see the details)?

      --
      Save Maine's economy: write stuff down. All comments are exclusively my own, not my employer.
    4. Re:Wait a minute... by mothlos · · Score: 2

      Secure protects against a whole class of man-in-the-middle attacks which allow third parties to inject malicious code into non-sensitive communications.

      More importantly, however, requiring security of everyone makes secure sites more secure. The big problem is that security notifications for users don't work. It is simply too difficult and error-prone to notify users of important security problems while also ignoring unimportant ones. False negatives put users at risk and false positives train users to ignore warnings. This problem would largely disappear if security were the overwhelming expectation and the folks who can address this are the people running the servers.

    5. Re:Wait a minute... by bigfinger76 · · Score: 2

      This also stops you using Wireshark for seeing what data is actually being transmitted.

      Is that not the point of HTTPS?

    6. Re:Wait a minute... by Ken+D · · Score: 2

      From what I read on the "Technology" link for Let's Encrypt, their proposal will not work for all the very many HTTP servers that are not publicly accessible. In order to prove you own the web site they have to be able to access it. That's just not going to happen.

    7. Re:Wait a minute... by Todd+Knarr · · Score: 4, Interesting

      The problem is that requiring HTTPS doesn't make sites more secure. It prevents an attacker who can't obtain a legitimate SSL certificate for the domain from running a mid-transit MITM attack, nothing more. The biggest problems seem to be a) phishing attacks that convince the user to visit a rogue site eliminating the need for MITM, b) local system compromises (client- or server-side) that have access to the cleartext traffic and don't need an MITM, and c) rogue CAs who issue certificates for domains the recipient isn't authorized for which allows for mid-transit MITM with HTTPS. The first two can't be mitigated by anything other than smarter users (HAH!), and mitigating the third requires massive changes to certificates so it's possible to determine whether a certificate belongs to a given site without depending on anything in the certificate and without depending on the CA having validated the recipient.

    8. Re:Wait a minute... by swillden · · Score: 2
      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. F**** you, Mozilla! by Anonymous Coward · · Score: 2, Interesting

    First, you introduce "features" like https://bugzilla.mozilla.org/show_bug.cgi?id=435013 and then you want to block the rest of pages the mighty Mozilla Security Council does not approve?? Get stuffed.

    1. Re:F**** you, Mozilla! by Anonymous Coward · · Score: 3, Informative

      Does Chrome have anything like Firebug?

      Oh my yes!! I quit using Firefox for Javascript development because the Chrome developer tools are so much better than Firebug. I didn't think that anyone could improve on Firebug, but I was quite pleasantly surprised.

  4. So.... by Continental+Drift · · Score: 4, Funny
  5. Also, stop supporting sites with poor encryption by QuietLagoon · · Score: 3, Interesting

    My bank still insists on using RC4 ciphers and TLS 1.

    If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.

  6. Re:What about servers run from home ? by jmv · · Score: 4, Informative

    I suspect that Let's Encrypt is related to that issue.

  7. Re:What about servers run from home ? by _xeno_ · · Score: 2

    Hell, where does that leave web developers who just want to test their website on a locally running copy?

    Am I going to be forced to set up an HTTPS server just to test new features? Can you at the very least turn this off so you can test things locally without having to self-sign a certificate and then explicitly trust that certificate?

    This is a ludicrously stupid idea from Mozilla.

    --
    You are in a maze of twisty little relative jumps, all alike.
  8. this. exactly this. by nimbius · · Score: 4, Insightful

    Two years after Snowden's revelations we're seeing a reality come to pass. After the NSA swept its most damning indictments under the rug, after Congress gave a sigh and a shrug and stifled a syrupy belch from the afternoon's filet mignon lunch, we still see this change. After the TV spotlights were turned back to fashion trends, civil unrest, diet pills and other nonesuch this persisted despite the best effort. And it's extremely unfortunate.

    Instead of watching discourse spread and meaningful legislation come to pass we're watching a largely uninformed electorate occasionally mistake Snowden for Assange on national television, and the elected officials with whom our protection they are charged bungle through bills that don't really do much of anything. We're seeing the alternative that no nation wants, and that alternative is a two-tier us-versus-them system in which groups of dedicated hackers fight back. It sets the stage for good-versus-bad and the determinant for this assertion to eventually become the existence of crypto or passwords and one's general willingness to divulge them in the face of overwhelming yet unconstitutional authoritarian presence.

    Expect 3 letter government organizations to get frustrated, and angry, very quickly. Aaron Swartz was a prime example of how, in the future, citizens who act to protect themselves with crypto and security will face the bureaucratic version of biblical retribution in the form of endless charges, indefinite espionage, and a litany of convictable offenses that would result in a lifetime of imprisonment for anyone who dares not to divulge their password.

    --
    Good people go to bed earlier.
  9. Still no opportunistic encryption by klapaucjusz · · Score: 2

    There's still no opportunistic encryption in HTTPS. Does that mean I'm going to have to buy a TLS certificate for my printer every year?

  10. A gem from the discussion by kav2k · · Score: 2

    I fully support this proposal. In addition to APIs, I'd like to propose prohibiting caching any resources loaded over insecure HTTP, regardless of Cache-Control header, in Phase 2.N. The reasons are:
    1) MITM can pollute users' HTTP cache, by modifying some JavaScript files with a long time cache control max-age.
    2) It won't break any websites, just some performance penalty for them.
    3) Many website operators and users avoid using HTTPS, since they believe HTTPS is much slower than plaintext HTTP. After deprecating HTTP cache, this argument will be more wrong.

    I'm sure the users will appreciate the extra traffic!

    I can see 1 being a thing, but 2 is a penalty for the end-user on metered connections, and 3 is an argument for "Mozilla is much slower than [insert browser here]".

    1. Re:A gem from the discussion by Wycliffe · · Score: 2

      I think it's even worse than that. Are there ANY caching services, edgecast, or CDNs that support encryption?
      https is great when you need it but for static content like images it makes caching next to impossible as well
      as requires several times more servers to serve the same amount of traffic as an http server can serve over
      double the number of pages per second as a https server and that's without looking at all the traffic that is
      skipped with caching and CDNs.

    2. Re:A gem from the discussion by ThePhilips · · Score: 2

      I'm sure the users will appreciate the extra traffic!

      Only users??

      Most serious hosters still charge by traffic. The web-site owners too would appreciate the increased traffic and higher bill.

      --
      All hope abandon ye who enter here.
    3. Re:A gem from the discussion by dbrueck · · Score: 3, Informative

      I do worry about the downsides of this in terms of how it'll cause higher load on servers because of higher traffic. That said, all major CDNs support HTTPS on the edges and non-HTTPS between the origin and the CDN, so they'll be fine. Where this will probably hurt more is with forward proxies at universities and businesses and transparent intermediate caches at ISPs.

    4. Re:A gem from the discussion by Strider- · · Score: 3, Informative

      Also, for those of us operating network connections to remote locations, everything https is absolutely destructive to the network performance. Right now, our WAAS setup gives us about a 30% boost on the satellite connection, mostly through low level de-duplication and compression. When you have 50+ people depending on a 1.8Mbps satellite connection, every bit counts. Enabling https for things that don't need it is a huge performance penalty.

      Basically, the people making these decisions assume that everyone has an unlimited, fast internet pipe. This is simply not the case.

      --
      ...si hoc legere nimium eruditionis habes...
  11. SAVE US AND THE WEB FROM MOZILLA! by Anonymous Coward · · Score: 4, Insightful

    Mozilla used to be the Savior of the Web. But after these last few years, I fear they've lost that role.

    The UI changes to Firefox were totally unwanted, and have pretty much killed it as a product. Its share of the market keeps dropping and dropping. When we look at global web browser usage stats like these, we see that Firefox is now maybe 10% of the market, if even that. Chrome for Android alone, Chrome 41 alone and Chrome 40 alone each have about the same or more users than all versions of Firefox. Heck, even IE 11 alone and Safari have about the same number of users these days.

    Mozilla has also engaged in numerous other half-arsed efforts, like Firefox OS and Persona, that nobody wants. Every review I've seen of Firefox OS has been negative. Nobody likes it, and nobody wants it, even the third-worlders they've had to resort to targeting it to. With Android, iOS, and so many other alternatives that are so much better, why the heck would anyone sensible use Firefox OS? The only reason to use it is to try to conform with some weird fringe ideology that worships HTML5/JS/CSS above all else, even above usable, working applications.

    Then there was the whole Eich debacle. Regardless of your stance, it's pretty disgusting that somebody had to lose his job merely because of his beliefs regarding same-sex marriages. It would be considered unacceptable if a homosexual was forced out of a job for supporting same-sex marriage, and it should be considered just as unacceptable if a heterosexual was forced out of a job for not supporting same-sex marriage. This is no place for hypocrisy or double standards.

    Now there's this shit that will cause headaches and problems for so many Web users.

    We need a new organization to save us, and the Web, from Mozilla. We need an organization that will put out a usable browser. We need an organization that focuses on doing what's right, and what the Web community wants, rather than what it wants. We need an organization that will listen and respect its users, rather than trampling on them and ignoring their pleas. We need a new Savior, and we need it now.

    1. Re:SAVE US AND THE WEB FROM MOZILLA! by gfxguy · · Score: 2

      I agree... he did not lose his freedom of speech at all; freedom of speech != freedom from any and all ramifications. However, I think the point Anonymous Coward was making is that if it were reversed, and someone lost their job for supporting same sex marriage, you'd never hear the end of it.

      --
      Stupid sexy Flanders.
    2. Re:SAVE US AND THE WEB FROM MOZILLA! by Grishnakh · · Score: 3, Insightful

      Then there was the whole Eich debacle. Regardless of your stance, it's pretty disgusting that somebody had to lose his job merely because of his beliefs regarding same-sex marriages.

      Bullshit.

      When you're the CEO of a company, your personal beliefs are no longer your own; anything you do in public reflects on that company. You are in effect the company's face and public image. So if the company's board of directors doesn't like the image you're conveying of the company, they are entirely within their rights to fire you and hire someone else.

      Simpletons like you don't seem to understand that being a CEO is not a normal job where you come to work, punch a time clock, do what you're told, and collect a paycheck and go home to live your private life. When you're CEO, you have no private life. Just look at Steve Jobs when he was alive: he was well-known, famous, he was Apple. Everything he did represented that company. Not only does the CEO direct the company and make all the big decisions, he also serves as the public face of the company.

      Granted, Mozilla isn't as big or prominent a company as Apple Computer, but it's still fairly well-known, as countless people do use their browser (or have in the past). If they thought that Eich was making their company look bad, they had a very good reason to replace him.

      Are you going to try to argue that if Coca-Cola hires some celebrity to do some ads for them, and that celebrity gets caught on camera spouting a bunch of racist stuff like Mel Gibson, that they shouldn't fire him, and that they should continue showing ads showing this now-controversial personality and thus completely ruin their public image?

    3. Re:SAVE US AND THE WEB FROM MOZILLA! by Lennie · · Score: 4, Insightful

      When he did what he did he wasn't the CEO, it was years before that and the law said he had to mention his employer's name when he donates.

      If it wasn't the law I'm pretty sure he wouldn't have even mentioned Mozilla it would just be him donating money.

      --
      New things are always on the horizon
    4. Re:SAVE US AND THE WEB FROM MOZILLA! by Goaway · · Score: 2

      However, I think the point Anonymous Coward was making is that if it were reversed, and someone lost their job for supporting same sex marriage, you'd never hear the end of it.

      First thing to remember is that this is not someone who lost their job, it's a boss being rejected by his employees. That is a very special and unusual kind of situation, where normal power relationships are inverted. You can't really say the person in question is being oppressed here.

      So if a company rejected their boss for agreeing with same-sex marriage, if the rest of the company was by and whole against it, I wouldn't be happy about it, but I would not claim they had done anything morally wrong (beyond to whatever extent I think holding such an opinion is morally wrong).

    5. Re: SAVE US AND THE WEB FROM MOZILLA! by hairyfeet · · Score: 2

      So you are against free markets? Thanks for clearing that up...FTFY

      Since you seem to have trouble grasping the two completely separate concepts allow old Hairy to elucidate....freedom of speech, a right protecting you from the government keeping you from speaking. Free markets, people are allowed to vote with their wallets and support or not companies....see the difference?

      Eich and Windows 8 are NOT examples of the former but the latter, in BOTH cases people said "I do not like this therefore I will not use your product and will encourage others to not use it too" and the companies saw their users drop like a rock and CHOSE as companies in a free market to change their direction to increase sales, MSFT by coming up with Windows 10, Mozilla by firing Eich. And yes Virginia the Mozilla move had everything to do with sales, Mozilla gets their money from search, no users using their browser? No revenue.

      So I find it hilarious that the right wing is all for the free markets when it's crony capitalism, offshoring, or anything else that restricts or distorts the free market in their favor, but when it's one of the most fundamental bedrocks of a free market, the RIGHT to vote with your wallet and CHOOSE which products you will support? Well we can't have that, now can we?

      THE FREE MARKET HAS SPOKEN, if the majority believed as you did? Their share would have gone UP, they would have seen this indicated in their usage numbers, and they would have kept Eich. Instead their numbers went DOWN, revenue was put at risk, and they chose to get rid of a CEO that frankly wasn't even bothering to do his job (two important roles for a CEO are press relations and damage control, and he refused to do either one) and wadda ya know their numbers stabilized.

      Voting with your wallet is one of the most important tenets of a free market, it's how the consumers can influence direction even in large corporations, again see Windows 8 (which it looks like will never even reach much higher than Vista) and compare it to Windows 10, which is exactly what the users asked for. So when I see guys like you trying to say it's "free speech" when the market doesn't go your way I have to ask....why do you hate capitalism and the free market?

      --
      ACs don't waste your time replying, your posts are never seen by me.
  12. Re: Not encryption, authorization by Anonymous Coward · · Score: 3, Informative

    This please. I work at a company that sends petabytes of encrypted video a day. Don't make us encrypt it twice, that's just a waste of everyone's time and money.

  13. Armin Ronacher's blog post by debrain · · Score: 2

    Unintended Affordances
    (or why I believe encrypting everything is a bad idea) is worth a read on this.

    I am not sure I agree on every point, but it's a well thought out post.

  14. Authenticity, but not always secrecy by Anonymous Coward · · Score: 2, Insightful

    HTTP needs to be phased out, but that doesn't mean everything needs to be encrypted. A lot of sites serve static content that's not a secret to anyone. Even in an encrypted stream, the contents of static files aren't really a secret. What you don't want is some man in the middle intercepting your request for some static file and responding with something malicious like the Great Cannon.

    If static content were signed with the server's cert, its authenticity could be verified more cheaply than with HTTPS. This would also leave open the possibility for network caching, which benefits hosts, ISPs, and reduces traffic on the entire route. You'd want the content signing to cover the HTTP headers, and probably require an "expires" header.

    With this approach, you could red flag all HTTP traffic as insecure, and signed traffic could be shown as normal.

    Trying to mix content is more of a problem. It may be possible to securely deliver HTTPS dynamic content mixed with just-signed static content, but that'd probably get screwed up too often to leave that option open.

  15. Self-signed by Dwedit · · Score: 5, Insightful

    Okay, but if you're going to do that, you might want to throw out all the incredibly dire warnings about self-signed certificates. Nobody should be forced to pay a cartel for SSL certificates.

    Instead, throw out the dire warnings when the self-signed certificates aren't correct, such as when it changes.

    1. Re:Self-signed by Strider- · · Score: 3, Interesting

      Okay, but if you're going to do that, you might want to throw out all the incredibly dire warnings about self-signed certificates. Nobody should be forced to pay a cartel for SSL certificates.

      It gets worse. Chrome throws the dire warnings on self-signed SSL certificates, and then refuses to do the username/password autofill on those pages. I've basically ditched using Chrome for most of my network admin stuff that goes over https, because of this.

      --
      ...si hoc legere nimium eruditionis habes...
  16. Can we please fix certificates and CAs first? by bradley13 · · Score: 5, Insightful

    HTTPS is all well and good, but the certificate situation is just a mess. Currently, essentially any CA can issue a certificate for any website anywhere. That means that every time you surf, you are placing your trust in literally hundreds of CAs.

    Meanwhile, self-signed certificates bring up horrendous warnings, or are simply refused. The chances of verifying a self-signed certificate (for example, getting the fingerprint via another channel) are a lot better than the chances of verifying that some random CA hasn't been bribed or pressured.

    Can we please fix this mess, along the way to making HTTPS standard?

    --
    Enjoy life! This is not a dress rehearsal.
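The two ideas raised in the "Self-signed" and "Can we please fix certificates and CAs first?" comments, warning only when a self-signed certificate changes and checking its fingerprint through another channel, can be sketched as a trust-on-first-use pin store. This is an added example, not part of the original thread and not how any browser works: `PinStore`, `fetch_der` and the sample byte strings are assumptions, and the sample "certificates" are constructed stand-ins for DER bytes.

```python
import hashlib
import hmac
import json
import ssl

# Constructed stand-ins for two different DER-encoded certificates.
SAMPLE_CERT_A = b"constructed-der-bytes-for-certificate-A"
SAMPLE_CERT_B = b"constructed-der-bytes-for-certificate-B"


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def normalize(fp_text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as read from another channel."""
    return fp_text.replace(":", "").replace(" ", "").strip().lower()


def fetch_der(host, port=443):
    """Fetch the presented certificate without CA validation (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Remember the first certificate seen per host and flag any later change."""

    def __init__(self, path=None):
        self.path = path
        self.pins = {}   # "host:port" -> {"sha256": hex, "verified": bool}
        if path:
            try:
                with open(path) as fh:
                    self.pins = json.load(fh)
            except FileNotFoundError:
                pass     # first run: start with an empty store

    def _save(self):
        if self.path:
            with open(self.path, "w") as fh:
                json.dump(self.pins, fh, indent=2)

    def check(self, host, port, der_bytes):
        """Return 'first-use', 'match' or 'changed' for the presented certificate."""
        key, seen = f"{host.lower()}:{port}", fingerprint(der_bytes)
        pin = self.pins.get(key)
        if pin is None:
            # Nothing to compare against yet: pin it, but mark it unverified.
            self.pins[key] = {"sha256": seen, "verified": False}
            self._save()
            return "first-use"
        if hmac.compare_digest(pin["sha256"], seen):
            return "match"
        return "changed"  # the old pin is kept; this is the case that merits a warning

    def confirm(self, host, port, fp_from_other_channel):
        """Mark a pin verified if it equals a fingerprint obtained out of band."""
        pin = self.pins.get(f"{host.lower()}:{port}")
        if pin is None:
            return False
        ok = hmac.compare_digest(pin["sha256"], normalize(fp_from_other_channel))
        if ok:
            pin["verified"] = True
            self._save()
        return ok


if __name__ == "__main__":
    store = PinStore()
    print(store.check("printer.example.test", 443, SAMPLE_CERT_A))  # first-use
    print(store.check("printer.example.test", 443, SAMPLE_CERT_B))  # changed
```

A pin recorded on first use only proves continuity from that first connection; until `confirm` succeeds with a fingerprint obtained some other way, it says nothing about who was on the other end the first time.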
  17. Yes, but.. by Junta · · Score: 2

    Wireshark is a useful debugging tool. The ability to snap off encryption to analyze things at the wire is a lifesaver.

    That said, if I'm debugging something a browser is doing, the developer console is usually better anyway. There remains the case where you are trying to debug a tester's experience without access to their browser, but the scenarios where that is true *and* it would be a good idea to disable TLS are limited. Being able to disable encryption is more important for clients that aren't so developer-enabled.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Yes, but.. by LDAPMAN · · Score: 3, Interesting

      If you have the private key, packet sniffing works fine.

  18. no DNSSEC+DANE certificate validation by ftobin · · Score: 4, Informative

    It would be nice if they focused on fixing the certificate authority structure by supporting DANE, using DNS records to indicate certificates. Even though there is plenty of interest at https://bugzilla.mozilla.org/s... , Mozilla doesn't seem interested in solving this problem:
    https://bugzilla.mozilla.org/s...

  19. Yet another reason by JohnFen · · Score: 3, Informative

    Thanks, Mozilla, for yet another reason to stop using Firefox.

    1. Re:Yet another reason by PvtVoid · · Score: 2

      Thanks, Mozilla, for yet another reason to stop using Firefox.

      You'd think that they would take a hint from their declining usage, instead of doing crazier and crazier shit.

  20. Re:Sooo... by PvtVoid · · Score: 2

    You almost got the message correctly. The right message is no one should ever develop for mozilla, or chrome, or internet explorer, or opera, or any other browser in particular. Developers should be able to develop using standards, and the browsers should correctly display content based on standards.

    So ... when did http cease to be a standard?

  21. Re:Also, stop supporting sites with poor encryptio by david672orford · · Score: 4, Insightful

    My bank still insists on using RC4 ciphers and TLS 1.

    If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.

    As others have pointed out, they might claim that the latest Firefox was defective and encourage users to stay at an old version or switch browsers "until it is fixed". Once such decisions are written into policy, front line workers unwittingly protect the decision makers from having to find out that they were wrong. They will simply 'teach' the users one-by-one to 'fix the problem' by installing a different browser.

    It would be better to have Firefox warn that the site had "outdated security" or something like that. The warnings could start out hardly noticeable and gradually become more conspicuous. It could start with a subtle change in the lock icon, then a mild click through warning, then a warning with a scary graphic and phrases such as "proceed at your own risk".

    The idea is to get the message in front of as many Firefox-using customers as possible before the businesses are aware of it. This makes it instantly a "well-known security flaw in our website" rather than a "known problem with a version of Firefox used by two customers".

    At that point they can either fix their website or block Firefox. But now if they block Firefox the reason will be widely known and the bank subject to public ridicule.

  22. Re:Sooo... by PvtVoid · · Score: 4, Insightful

    Car analogy time: Mozilla wants everyone to use paved roads so car drivers can see hazards more effectively.

    Continued car analogy: Mozilla, to this end, builds a car that shuts down when you try to drive it on a dirt road. Why would anybody want to buy a car that did that?

  23. Re:What about servers run from home ? by jafiwam · · Score: 2

    As has been mentioned before in this thread, use the Let's Encrypt protocol to get a publicly valid cert for free, set up your own internal CA or just use self signed certs... not hard.

    I am beginning to suspect this whole article's purpose for existing is to allow commenters to side-load a bunch of whitewashing about "letsencrypt"

    I am going to respond with a resounding FUCK YOU when you offer to let some third party shit "reconfigure and do it automatically" the security on my web services.