Slashdot Mirror


Mozilla Begins To Move Towards HTTPS-Only Web

jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.

16 of 324 comments

  1. Excellent. by Anonymous Coward · · Score: 5, Insightful

    More wildcard certs for me to buy.

    1. Re:Excellent. by kthreadd · · Score: 4, Informative

      More wildcard certs for me to buy.

      If Let's Encrypt takes off, and it's fairly likely to do so given the sponsors they have (including Mozilla), you won't have to buy any certs at all. They will just be there automatically.

    2. Re: Excellent. by RLaager · · Score: 4, Informative

      A CA never has your private key. You generate it locally and it is never sent to them.

  2. Wait a minute... by jez9999 · · Score: 4, Insightful

    If my website just serves up public data that I don't care about the government seeing, you're going to disable new features on it anyway? Seems a bit extreme.

    1. Re:Wait a minute... by LordLimecat · · Score: 5, Informative

      Not sure if you've been watching the news, but China has been using Baidu effectively as a botnet because they are able to intercept and modify JavaScript sent via HTTP.

      Stops a lot of threats, even if you're just a hobbyist; it ensures that an attacker can't just intercept your hobby page and drop a bunch of exploit kits on it.

    2. Re:Wait a minute... by Todd Knarr · · Score: 4, Interesting

      The problem is that requiring HTTPS doesn't make sites more secure. It prevents an attacker who can't obtain a legitimate SSL certificate for the domain from running a mid-transit MITM attack, nothing more. The biggest problems seem to be a) phishing attacks that convince the user to visit a rogue site eliminating the need for MITM, b) local system compromises (client- or server-side) that have access to the cleartext traffic and don't need an MITM, and c) rogue CAs who issue certificates for domains the recipient isn't authorized for which allows for mid-transit MITM with HTTPS. The first two can't be mitigated by anything other than smarter users (HAH!), and mitigating the third requires massive changes to certificates so it's possible to determine whether a certificate belongs to a given site without depending on anything in the certificate and without depending on the CA having validated the recipient.

  3. So.... by Continental Drift · · Score: 4, Funny

  4. Re:What about servers run from home ? by jmv · · Score: 4, Informative

    I suspect that Let's Encrypt is related to that issue.

  5. this. exactly this. by nimbius · · Score: 4, Insightful

    Two years after Snowden's revelations we're seeing a reality come to pass. After the NSA swept its most damning indictments under the rug, after Congress gave a sigh and a shrug and stifled a syrupy belch from the afternoon's filet mignon lunch, we still see this change. After the TV spotlights were turned back to fashion trends, civil unrest, diet pills and other nonesuch, this persisted despite the best effort. And it's extremely unfortunate.

    Instead of watching discourse spread and meaningful legislation come to pass, we're watching a largely uninformed electorate occasionally mistake Snowden for Assange on national television, and the elected officials with whose protection they are charged bungle through bills that don't really do much of anything. We're seeing the alternative that no nation wants, and that alternative is a two-tier us-versus-them system in which groups of dedicated hackers fight back. It sets the stage for good-versus-bad, and the determinant for this assertion to eventually become the existence of crypto or passwords and one's general willingness to divulge them in the face of an overwhelming yet unconstitutional authoritarian presence.

    Expect three-letter government organizations to get frustrated, and angry, very quickly. Aaron Swartz was a prime example of how, in the future, citizens who act to protect themselves with crypto and security will face the bureaucratic version of biblical retribution in the form of endless charges, indefinite espionage, and a litany of convictable offenses that would result in a lifetime of imprisonment for anyone who dares not to divulge their password.

    --
    Good people go to bed earlier.

  6. SAVE US AND THE WEB FROM MOZILLA! by Anonymous Coward · · Score: 4, Insightful

    Mozilla used to be the Savior of the Web. But after these last few years, I fear they've lost that role.

    The UI changes to Firefox were totally unwanted, and have pretty much killed it as a product. Its share of the market keeps dropping and dropping. When we look at global web browser usage stats like these, we see that Firefox is now maybe 10% of the market, if even that. Chrome for Android alone, Chrome 41 alone and Chrome 40 alone each have about the same or more users than all versions of Firefox. Heck, even IE 11 alone and Safari have about the same number of users these days.

    Mozilla has also engaged in numerous other half-arsed efforts, like Firefox OS and Persona, that nobody wants. Every review I've seen of Firefox OS has been negative. Nobody likes it, and nobody wants it, even the third-worlders they've had to resort to targeting it to. With Android, iOS, and so many other alternatives that are so much better, why the heck would anyone sensible use Firefox OS? The only reason to use it is to try to conform with some weird fringe ideology that worships HTML5/JS/CSS above all else, even above usable, working applications.

    Then there was the whole Eich debacle. Regardless of your stance, it's pretty disgusting that somebody had to lose his job merely because of his beliefs regarding same-sex marriages. It would be considered unacceptable if a homosexual was forced out of a job for supporting same-sex marriage, and it should be considered just as unacceptable if a heterosexual was forced out of a job for not supporting same-sex marriage. This is no place for hypocrisy or double standards.

    Now there's this shit that will cause headaches and problems for so many Web users.

    We need a new organization to save us, and the Web, from Mozilla. We need an organization that will put out a usable browser. We need an organization that focuses on doing what's right, and what the Web community wants, rather than what it wants. We need an organization that will listen and respect its users, rather than trampling on them and ignoring their pleas. We need a new Savior, and we need it now.

    1. Re:SAVE US AND THE WEB FROM MOZILLA! by Lennie · · Score: 4, Insightful

      When he did what he did he wasn't the CEO; it was years before that, and the law said he had to mention his employer's name when he donates.

      If it wasn't the law, I'm pretty sure he wouldn't have even mentioned Mozilla; it would just be him donating money.

      --
      New things are always on the horizon

  7. Self-signed by Dwedit · · Score: 5, Insightful

    Okay, but if you're going to do that, you might want to throw out all the incredibly dire warnings about self-signed certificates. Nobody should be forced to pay a cartel for SSL certificates.

    Instead, throw out the dire warnings when the self-signed certificates aren't correct, such as when it changes.

  8. Can we please fix certificates and CAs first? by bradley13 · · Score: 5, Insightful

    HTTPS is all well and good, but the certificate situation is just a mess. Currently, essentially any CA can issue a certificate for any website anywhere. That means that every time you surf, you are placing your trust in literally hundreds of CAs.

    Meanwhile, self-signed certificates bring up horrendous warnings, or are simply refused. The chances of verifying a self-signed certificate (for example, getting the fingerprint via another channel) are a lot better than the chance of verifying that some random CA hasn't been bribed or pressured.

    Can we please fix this mess, along the way to making HTTPS standard?

    --
    Enjoy life! This is not a dress rehearsal.

  9. no DNSSEC+DANE certificate validation by ftobin · · Score: 4, Informative

    It would be nice if they focused on fixing the certificate authority structure by supporting DANE, using DNS records to indicate certificates. Even though there is plenty of interest at https://bugzilla.mozilla.org/s..., Mozilla doesn't seem interested in solving this problem:
    https://bugzilla.mozilla.org/s...
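What the DANE check mentioned in this comment amounts to once the TLSA record is in hand, as an added example (not Mozilla's or Firefox's code, and not part of the original post): matching an end-entity certificate against a DANE-EE (usage 3) TLSA record. It assumes the caller has already fetched the record with DNSSEC validation, so only the matching step is shown; the certificate and SPKI bytes in the test are constructed placeholders, not a real certificate.

```python
"""Added example (not Mozilla's or Firefox's code): DANE-EE matching of a
server certificate against a TLSA record that has already been fetched and
DNSSEC-validated by the caller (assumed). Only usage 3 is handled here."""
import hashlib

_HASHES = {0: None, 1: "sha256", 2: "sha512"}  # TLSA matching types

def parse_tlsa(rdata):
    """Parse '3 1 1 <hex>' presentation format into its four fields."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))

def tlsa_matches(rdata, cert_der, spki_der):
    """True if the end-entity cert satisfies a DANE-EE TLSA record.
    Selector 0 compares the whole DER certificate, selector 1 only its
    SubjectPublicKeyInfo (passed in by the caller); matching type 0 compares
    the raw bytes, 1 and 2 compare a SHA-256 / SHA-512 digest."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled in this example")
    if selector not in (0, 1) or mtype not in _HASHES:
        raise ValueError("unknown selector or matching type")
    subject = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return subject == data
    return hashlib.new(_HASHES[mtype], subject).digest() == data

def tlsa_record_for(cert_der, spki_der, selector=1, mtype=1):
    """The TLSA rdata an operator would publish for this certificate."""
    subject = cert_der if selector == 0 else spki_der
    body = subject if mtype == 0 else hashlib.new(_HASHES[mtype], subject).digest()
    return f"3 {selector} {mtype} {body.hex()}"
```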

  10. Re:Also, stop supporting sites with poor encryption by david672orford · · Score: 4, Insightful

    My bank still insists on using RC4 ciphers and TLS 1.

    If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.

    As others have pointed out, they might claim that the latest Firefox was defective and encourage users to stay at an old version or switch browsers "until it is fixed". Once such decisions are written into policy, front line workers unwittingly protect the decision makers from having to find out that they were wrong. They will simply 'teach' the users one-by-one to 'fix the problem' by installing a different browser.

    It would be better to have Firefox warn that the site had "outdated security" or something like that. The warnings could start out hardly noticeable and gradually become more conspicuous. It could start with a subtle change in the lock icon, then a mild click-through warning, then a warning with a scary graphic and phrases such as "proceed at your own risk".

    The idea is to get the message in front of as many Firefox-using customers as possible before the businesses are aware of it. This makes it instantly "a well-known security flaw in our website" rather than "a known problem with a version of Firefox used by two customers".

    At that point they can either fix their website or block Firefox. But now if they block Firefox the reason will be widely known and the bank subject to public ridicule.

  11. Re:Sooo... by PvtVoid · · Score: 4, Insightful

    Car analogy time: Mozilla wants everyone to use paved roads so car drivers can see hazards more effectively.

    Continued car analogy: Mozilla, to this end, builds a car that shuts down when you try to drive it on a dirt road. Why would anybody want to buy a car that did that?