Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Begins To Move Towards HTTPS-Only Web

Posted by Soulskill on from the driving-web-privacy dept.

jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.

4 of 324 comments (clear)

  1. Excellent. by Anonymous Coward · · Score: 5, Insightful

    More wildcard certs for me to buy.

  2. Re:Wait a minute... by LordLimecat · · Score: 5, Informative

    Not sure if you've been watching the news, but China has been using Baidu effectively as a botnet because they are able to intercept and modify javascript sent via HTTP.

    Stops a lot of threats, even if you're just a hobbyist; it ensures that an attacker cant just intercept your hobby page and drop a bunch of exploit kits on it.

  3. Self-signed by Dwedit · · Score: 5, Insightful

    Okay, but if you're going to do that, you might want to throw out all the incredibly dire warnings about self-signed certificates. Nobody should be forced to pay a cartel for SSL certificates.

    Instead, throw out the dire warnings when the self-signed certificates aren't correct, such as when it changes.

  4. Can we please fix certificates and CAs first? by bradley13 · · Score: 5, Insightful

    HTTPS is all well and good, but the certificate situation is just a mess. Currently, essentially any CA can issue a certificate for any website anywhere. That means that every time you surf, you are placing your trust in literally hundreds of CAs.

    Meanwhile, self-signed certificates bring up horrendous warnings, or are simply refused. The chance of verifying a self-signed certificate (for example, getting the fingerprint via another channel) are a lot better than the chance of verifying that some random CA hasn't been bribed or pressured.

    Can we please fix this mess, along the way to making HTTPS standard?

    --
    Enjoy life! This is not a dress rehearsal.