Slashdot Mirror


Firefox Users Reach HTTPS Encryption Milestone (techcrunch.com)

For the first time ever, secure HTTPS encryption was used for over half the page loads served to Mozilla users, representing a big milestone for encryption. TechCrunch reports on the telemetry data tweeted by the Head of Let's Encrypt: Mozilla, which is one of the organizations backing Let's Encrypt, was reporting that 40% of page views were encrypted as of December 2015. So it's an impressively speedy rise...

The Let's Encrypt initiative, which exited beta back in April, is doing some of that work by providing sites with free digital certificates to help accelerate the switch to HTTPS. According to [co-founder Josh] Aas, Let's Encrypt added more than a million new active certificates in the past week -- which is also a significant step up. In the initiative's first six months (when still in beta) it only issued around 1.7 million certificates in all.

The "50% HTTPS" figure is just a one-day snapshot, and it's from "only a subset of Firefox users who are running Mozilla's telemetry browser...not default switched on for most Firefox users (only for users of pre-release Firefox builds)." But the biggest caveat is it's only counting Firefox users, which in July represented just 7.7% of web surfers (according to Statista), behind both Chrome (49.5%) and Safari (13.68%) -- but also ahead of Internet Explorer (5.4%) and Opera (5.99%).

63 comments

  1. 50% of Firefox users by PvtVoid · · Score: 1, Funny

    All three of them.

    1. Re:50% of Firefox users by Anonymous Coward · · Score: 0

      That would mean the number of desktop browser users is 33. I doubt that.

    2. Re:50% of Firefox users by Anonymous Coward · · Score: 0

      More disturbing though: How the hell did they know what page loads its users are doing? Is Mozilla spying on users and what they surf???

    3. Re:50% of Firefox users by Anonymous Coward · · Score: 0

      You're kidding, right? Does anyone here have any idea how the Internet even works anymore? I thought Slashdot was supposed to be a tech site for nerds, not for 14-year-old drama queens with no knowledge of how anything actually works. You can easily read up on how Firefox collects Telemetry, when it's even enabled, and find out how they use it. It's not hidden information. Use that gray matter in your head.

    4. Re: 50% of Firefox users by Anonymous Coward · · Score: 0

      "Telemetry" sounds like a weaselly way of saying "spying".

    5. Re: 50% of Firefox users by Anonymous Coward · · Score: 0

      I can understand that you didn't RTFA ... but to not read TFS !?!?

      only a subset of Firefox users who are running Mozilla's telemetry browser...not default switched on for most Firefox users (only for users of pre-release Firefox builds)

      Telemetry is NOT switched on by default in Firefox; you have to go looking for that function.
      And the pre-release version that DOES have telemetry switched on by default is the version used by a subset of tech nerds that go out of their way to download that version of Firefox.

    6. Re:50% of Firefox users by allo · · Score: 1

      They are spying and it's called telemetry. There are ways to disable it.

      Have a look at ffprofile.com for more Firefox tweaks. There is a lot of internal spying, which can be removed on a profile generated with ffprofile.

    7. Re: 50% of Firefox users by allo · · Score: 1

      That's wrong. A few telemetry features are in each Firefox, and on the first run you get a passive notification "Firefox collects some data [learn more][disable]".

    8. Re: 50% of Firefox users by Etzos · · Score: 1

      No. The person you replied to is correct. Telemetry is not on at all by default in release versions of Firefox. However it is on by default on pre-release versions (this is when it will tell you that they are collecting some data). For more info see this article: https://wiki.mozilla.org/Telem...

    9. Re: 50% of Firefox users by allo · · Score: 1

      I have 45 ESR from mozilla.org

    10. Re:50% of Firefox users by Big+Hairy+Ian · · Score: 1

      Surely there must be a better way to download Chrome

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    11. Re:50% of Firefox users by Anonymous Coward · · Score: 0

      Make that four!

      It's a choice between Google (Chrome), IE/Edge(Mico$ucks), Safari(Apple), and Mozilla(Firefox). I don't like Google spying on me via search much less my browser. I don't use Mico$ucks anymore so IE/Edge are out. Apple is too dang expensive (although I'd use it if I had cash to spare), so Safari is out for me. That leaves me with Firefox (running on Debian...and yes I'm now testing out Chromium too). I've used Firefox since 2005 (off and on sometimes as I tried other browsers), but it's always been a great browser for me. I've never had any issues, and with just a few adware blocking add-ons it runs superbly.

    12. Re:50% of Firefox users by Anonymous Coward · · Score: 0

      What does that have to do with "how the internet works"? If you pretend to be a greybeard, at least do it right. It's called the www. Sheesh.

  2. certificates by fustakrakich · · Score: 1

    Not worth the paper they're printed on. It's just another form of tracking.

    --
    “He’s not deformed, he’s just drunk!”

    1. Re:certificates by Anonymous Coward · · Score: 0

      You mean kind of like an IP or a domain name is a way of tracking your webserver?

  3. Leakage of data is a big problem with certs by Anonymous Coward · · Score: 0

    Which goes to show you how leaking of telemetry info is one of the biggest problems with certs.

    So I have a server on my local network. To enable https, it needs a cert and you click through a form to create a Let's Encrypt cert. BUT if you do that, then you've injected an outside body in the verification! Each time it contacts that to check the cert, it's informing the certificate company that you are accessing your own server on your own network!

    Firefox should handle self-signed certificates better. It treats them as dodgy, but they are not.

    A certificate authority injected between you and a known server represents an unwanted man-in-the-middle.

    1. Re:Leakage of data is a big problem with certs by Gr8Apes · · Score: 1

      Firefox should handle self-signed certificates better. It treats them as dodgy, but they are not.

      A certificate authority injected between you and a known server represents an unwanted man-in-the-middle.

      I'll admit that the last time I dealt with this on FF, it was a few revisions ago. Self-signed certs are easy enough to add to the browser, any browser really. Will the average user know how to deal with this and take the appropriate steps? No.

      Adding your own CA may take a little more work, but is what you need to do to avoid MITM attacks.

      --
      The cesspool just got a check and balance.

    2. Re: Leakage of data is a big problem with certs by Anonymous Coward · · Score: 0

      Browsers do not contact a server to check a certificate's validity. This is supposed to be a techy site.

    3. Re:Leakage of data is a big problem with certs by Anonymous Coward · · Score: 0

      You would better understand how they work. No, they are not, and have their appropriate uses. It is more secure to set up a RADIUS server with a self-signed cert for instance. And deploy the CA via AD or via provisioning files.

    4. Re:Leakage of data is a big problem with certs by Anonymous Coward · · Score: 1

      Self-signed certs are even more useless, and the people who keep insisting that they're not aren't helping.

      You mean like https://www.google.com?

      Whose certificate is issued by " Google Internet Authority G2".

      Self-signed is OK for them, but not for us. Get it?

    5. Re: Leakage of data is a big problem with certs by Anonymous Coward · · Score: 0
    6. Re: Leakage of data is a big problem with certs by allo · · Score: 1

      And you should read the section about OCSP stapling.

    7. Re:Leakage of data is a big problem with certs by heypete · · Score: 1

      Which goes to show you how leaking of telemetry info is one of the biggest problems with certs.

      How so?

      So I have a server on my local network. To enable https, it needs a cert and you click through a form to create a Lets Encrypt cert. BUT if you do that, then you've injected an outside body in the verification!

      What do you mean? If you mean the server validates its identity to the certificate authority, then yes, that's true. That's the point.

      Each time it contacts that to check the cert, its informing the certificate company that you are accessing your own server on your own network

      Let's Encrypt intends that the certificate issuance process is automated, such as with a cronjob. Thus, if you do things right, the server will periodically re-validate your site with Let's Encrypt and renew certificates automatically. This is intended.

      If you mean that clients will query the CA's OCSP servers to verify the validity of the certificate, yes, this is true and a minor privacy concern. Fortunately, all modern browsers and servers support OCSP stapling. The server can, with a few lines (or enabling an option in Certbot, the major Let's Encrypt client), handle the OCSP checking itself and "staple" a signed OCSP response to the normal secure handshake. The stapled response is valid for a short period of time (a few days) and the server will query the OCSP servers periodically to get a fresh response. This way, clients don't reveal their browsing habits to the CA and the CA requires less resources for their OCSP servers. Win-win for all. If you haven't already, turn on OCSP stapling on your server.

      Of course, if a server doesn't support OCSP stapling, browsers will fall back to querying the CA's OCSP responders.

      Firefox should handle self-signed certificates better. It treats them as dodgy, but they are not.

      How would the browser know they're not dodgy? They are, by definition, self-issued. Anyone, including a bad guy, can make a self-signed certificate saying they're anyone else. There's no in-band way of authenticating a self-signed certificate.

      Sure, one can manually elect to trust a self-signed certificate if one knows what one's doing, but the typical user is not knowledgeable enough to do that securely.

      A certificate authority injected between you and a known server represents an unwanted man-in-the-middle.

      The CA is not a "man in the middle", in that they're not involved in the secure handshake at all. They simply are a third party vouching for the validity of the information contained in the certificate: "We verified that the administrator of www.example.com controls that site and requested a certificate."

      CAs undergo stringent vetting and auditing to ensure they follow specific policies before they're trusted by browsers, as well as annual audits thereafter. Is it perfect? No. Have CAs made errors, been compromised, or acted poorly? Yes, and in many cases those CAs received the "death penalty" of having their trust revoked by browsers. Still, it's the least-bad system available that scales for the internet. If you can think of something better, by all means, implement it.
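    As an added example (not code from the thread, from Let's Encrypt or from Certbot), here is a shell check for the "turn on OCSP stapling on your server" advice above: it requests a staple during the handshake and reports whether the server sent one, what revocation verdict it carries and when the server must refresh it. It assumes the `openssl` CLI; the two transcripts embedded in the script are constructed samples so the parsing can be exercised offline.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): does a server actually staple OCSP?
    # If it does not, browsers fall back to asking the CA's responder directly,
    # which is the privacy leak discussed above. Assumes the `openssl` CLI.

    # Run a handshake and print the transcript. -status requests a stapled
    # OCSP response; stdin is closed so s_client exits after the handshake.
    fetch_handshake() {
        openssl s_client -connect "$1:${2:-443}" -servername "$1" -status </dev/null 2>/dev/null
    }

    # Classify a transcript: "stapled", "unstapled" (the client would fall back
    # to the CA's OCSP responder) or "error" (no handshake at all).
    stapling_status() {
        case "$1" in
            *"OCSP Response Status: successful"*) echo stapled ;;
            *"OCSP response: no response sent"*)  echo unstapled ;;
            *)                                    echo error ;;
        esac
    }

    # Revocation verdict carried in the staple (good / revoked / unknown).
    staple_cert_status() {
        printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Cert Status: *//p' | head -n 1
    }

    # When the server must fetch a fresh staple (the "few days" window above).
    staple_next_update() {
        printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Next Update: *//p' | head -n 1
    }

    # Live check against a host you operate: check_host www.example.com [port]
    check_host() {
        transcript="$(fetch_handshake "$1" "$2")"
        status="$(stapling_status "$transcript")"
        echo "$1: $status"
        if [ "$status" = stapled ]; then
            echo "  cert status: $(staple_cert_status "$transcript")"
            echo "  staple valid until: $(staple_next_update "$transcript")"
        fi
    }

    # Constructed transcripts (trimmed s_client output) so this runs offline.
    SAMPLE_STAPLED='CONNECTED(00000003)
    OCSP response:
    ======================================
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Cert Status: good
        This Update: Jan  1 00:00:00 2017 GMT
        Next Update: Jan  8 00:00:00 2017 GMT
    ======================================
    ---
    Certificate chain
     0 s:/CN=www.example.com'
    SAMPLE_UNSTAPLED='CONNECTED(00000003)
    OCSP response: no response sent
    ---
    Certificate chain
     0 s:/CN=www.example.com'

    for sample in "$SAMPLE_STAPLED" "$SAMPLE_UNSTAPLED"; do
        echo "constructed transcript -> $(stapling_status "$sample")"
    done
    ```

    An "unstapled" result on your own server is the cue to enable stapling, since every visitor's browser will otherwise query the CA for you.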

    8. Re: Leakage of data is a big problem with certs by Anonymous Coward · · Score: 0

      Then it's no longer self-signed. It's signed by the CA you created and pre-distributed over a secure sideband. Big difference.

    9. Re: Leakage of data is a big problem with certs by Anonymous Coward · · Score: 0

      Browsers do not contact a server to check a certificate's validity. This is supposed to be a techy site.

      Slashdot didn't get the memo. /. is nothing more than a third-rate reddit sub-sub-group now. With the concomitant IQs to match.

    10. Re: Leakage of data is a big problem with certs by tepples · · Score: 1

      Then the problem becomes setting up the means through which the CA's root certificate is "pre-distributed over a secure sideband", such as a head of household wanting to make a private server available to visiting friends and family or a public library wanting to make a private server available to visiting patrons.
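    Added example, not code from any commenter: the "CA you created and pre-distributed over a secure sideband" setup from this subthread, done with the `openssl` CLI (1.1.1 or newer, for -addext). The names Home LAN Root CA, nas.home.lan and 192.168.1.10 are made up; the CA certificate (never its key) is the one file visiting devices would need to receive out of band.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): a private CA for a LAN-only server.
    # The CA certificate is what gets handed to clients out of band; the server
    # cert is then a normal CA-signed cert rather than a self-signed one.
    # Assumes the `openssl` CLI (1.1.1+); all names below are made up.

    # Create the root: key plus self-signed CA cert. Keep ca.key offline.
    make_private_ca() {
        mkdir -p "$1"
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -keyout "$1/ca.key" -out "$1/ca.crt" \
            -subj "/CN=Home LAN Root CA" \
            -addext "basicConstraints=critical,CA:TRUE" \
            -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
    }

    # Issue a server cert: dir, DNS name, LAN IP. Browsers match the SAN, so
    # both the name and the address clients will type go in there.
    issue_server_cert() {
        dir="$1"; name="$2"; ip="$3"
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/CN=$name" 2>/dev/null
        printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
            "$name" "$ip" > "$dir/$name.ext"
        # 90 days, the same short lifetime Let's Encrypt uses; renew by re-running.
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 90 -extfile "$dir/$name.ext" \
            -out "$dir/$name.crt" 2>/dev/null
    }

    # Exit 0 only if the cert chains to the given trust-anchor file. A client
    # that never received ca.crt has no anchor and rejects the server.
    verify_against() {
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    }

    # Does the issued cert carry the expected SAN entry (as printed by -text)?
    has_san() {
        openssl x509 -in "$1" -noout -text | grep -q -- "$2"
    }

    # Demo on the made-up names in a scratch directory.
    demo_lan_ca() {
        work="$(mktemp -d)"
        make_private_ca "$work"
        issue_server_cert "$work" nas.home.lan 192.168.1.10
        if verify_against "$work/ca.crt" "$work/nas.home.lan.crt"; then
            echo "client holding ca.crt: server trusted"
        fi
        if ! verify_against "$work/nas.home.lan.crt" "$work/nas.home.lan.crt"; then
            echo "client without ca.crt: server rejected"
        fi
        rm -rf "$work"
    }

    demo_lan_ca
    ```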

  4. 100% of the viewers of my website use HTTPS by QuietLagoon · · Score: 1

    If they try to use HTTP, I 301 'em to HTTPS. And not just any HTTPS, but TLS 1.2. They can't squeak by with TLS 1.1 or 1.0, or any SSL version.

    1. Re:100% of the viewers of my website use HTTPS by tepples · · Score: 1

      Have you run analytics on how many potential customers you are turning away for not supporting TLS 1.2?

  5. accuracy of numbers? by zoward · · Score: 3, Informative

    I'd be willing to bet that most security-conscious Firefox users turn off telemetry (as I did), which would skew the numbers. Chances are that they hit this milestone earlier than now.

    --
    "Can't you see that everyone is buying station wagons?"

    1. Re:accuracy of numbers? by Anonymous Coward · · Score: 0

      There shouldn't be any "telemetry" (phone-home shit) in any web browser, period. Telemetry = spyware.

    2. Re:accuracy of numbers? by Anonymous Coward · · Score: 0

      At least this way browsers can tell whether what they're doing is worth a damn, rather than just shooting blind and having idiots accuse them of "not listening to their users".

      Or maybe they could learn what usability and accessibility mean, rather than just shooting blind, then badly interpreting their spyware data, and in the end still not do anything to correct the problems, because of their arrogance...

    3. Re: accuracy of numbers? by Anonymous Coward · · Score: 0

      You sure wrote a lot just to confirm that telemetry is a form of spying.

    4. Re:accuracy of numbers? by Anonymous Coward · · Score: 0

      Assuming that the summary is correct, Telemetry is not turned on by default unless you are using pre-release versions of Firefox. I'd assume that skews it the other direction in that people who use pre-release browser versions are probably more security conscious.

    5. Re:accuracy of numbers? by Anonymous Coward · · Score: 0

      (a) Telemetry is not enabled by default in stock Firefox

      (b) Your last sentence shows no understanding of statistics (they're not counting totals; they're counting percentages)

    6. Re:accuracy of numbers? by allo · · Score: 2

      > By that standard, just using the web amounts to using spyware
      It is. Without adblock, self-destructing-cookies and so on, almost every site is spyware. Have a look at the domains which such tools block on Slashdot. And then on a major news site. It's a nightmare, really.

    7. Re:accuracy of numbers? by tepples · · Score: 1

      How would you recommend that developers "learn what usability and accessibility mean" without observing users?

  6. Hotel Tango Foxtrot do they know this? by rossdee · · Score: 1

    Is FF phoning home to Mozilla with this statistic, and if so, is there a setting we can turn off to stop it?

    1. Re:Hotel Tango Foxtrot do they know this? by Anonymous Coward · · Score: 0

      about:preferences#advanced

      under Data Choices.

      pretty sure it defaults to off. I've never switched it on, and it's off for me.

    2. Re:Hotel Tango Foxtrot do they know this? by Kjella · · Score: 1

      You know, you could read the damn summary, I know TL;DR

      not default switched on for most Firefox users (only for users of pre-release Firefox builds)."

      There's probably a setting to disable it in preview builds, but the whole point of using them is for Mozilla to test so... don't volunteer as a tester?

      --
      Live today, because you never know what tomorrow brings

    3. Re:Hotel Tango Foxtrot do they know this? by Anonymous Coward · · Score: 0

      Your reaction is a good one. However, in this case you don't need to worry - Firefox's data-collection is opt-in. The first time you use Firefox a bar appears at the bottom of the browser asking if you'd like to enable data-sharing, and if you don't then it won't send stats to Mozilla. You can also visit about:preferences#advanced and click on the "Data Choices" tab to see what your current data-sharing settings are.

    4. Re:Hotel Tango Foxtrot do they know this? by allo · · Score: 1

      It's on by default, but you get a notification on the first run that it's enabled with a "disable" button.

    5. Re:Hotel Tango Foxtrot do they know this? by Etzos · · Score: 1

      This is false. Release versions of Firefox do not enable telemetry. See https://wiki.mozilla.org/Telem... for more info.

    6. Re:Hotel Tango Foxtrot do they know this? by allo · · Score: 1

      My 45 ESR asks me if I want to disable it on first run. Did not try newer ones, yet.

  7. Re:I like the idea of encryption by guruevi · · Score: 2

    That's why Let's Encrypt is free.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

  8. Law of large numbers by Anonymous Coward · · Score: 0

    With such a small sample size, Mozilla users, you can't really claim anything.

  9. Would be even more if... by Anonymous Coward · · Score: 0

    ... Letsencrypt provided certificates that lasted longer than 90 days. Ridiculous. Make it one year at least. Please.

    1. Re:Would be even more if... by heypete · · Score: 1

      ... Letsencrypt provided certificates that lasted longer than 90 days. Ridiculous. Make it one year at least. Please.

      The process is intended to be automated, such as with a cronjob, and the short lifetime is intended to resolve issues relating to the general suckitude of revocation.

  10. Let's Encrypt has done a good job by Mortimer82 · · Score: 1

    Along with cPanel, I enabled HTTPS on my little website in seconds, it was truly painless. While my website stores nothing of significant value (Minecraft schematic files), it does have a login form and I sleep better knowing login credentials cannot be intercepted anymore.

    1. Re:Let's Encrypt has done a good job by Anonymous Coward · · Score: 0

      Agree, 100%. And although the statistical accuracy of the numbers in the OP is garbage, let's just look at the big picture. We are making progress on encryption. The days of the easiest pickings for the Three Letter Agencies are coming to an end.

      Hey, I'm not some Pollyanna. Realistically, global security on the scale of the internet will always contain loads of weak points. It may never actually merit the description of being "secure" to some independent, measurable standard.

      But this is progress just the same. And your Minecraft website? When 99.999% of all encrypted web traffic is exactly like this (not criminal, not terrorist, pedestrian and of little or no interest to the TLAs), then the TLAs will be entirely unable to target web traffic just because it is encrypted and therefore "suspicious". That's a good thing. The days of being flagged as suspicious just for being competent, secure, and unwilling to be casually spied upon will be over.

  11. Re: I like the idea of encryption by Anonymous Coward · · Score: 1

    It's only "free" if you don't value your time (the certs expire every few months), or if you don't need an EV cert, or if you don't need a wildcard cert. It's a fun toy for your blog that nobody reads, but that's about it.

  12. Re: I like the idea of encryption by Anonymous Coward · · Score: 0

    I'm at a cheap web host (buyshared.net, $5/year) that includes Let's Encrypt certs at no charge, and automatically handles the installation and renewal through some cPanel plugin. Every 3 months I get a robo email from the host saying they renewed my certificate again. Maybe I can turn off that email but it makes me feel kind of good.

  13. Re: I like the idea of encryption by heypete · · Score: 1, Informative

    It's only "free" if you don't value your time (the certs expire every few months), or if you don't need an EV cert, or if you don't need a wildcard cert.

    Let's Encrypt intends that the installation and maintenance (e.g. renewal) is automated. A simple daily cronjob checks if any Let's Encrypt certs on that system are in need of renewal and, if so, handles the validation, issuance, and installation of those certs completely automatically. If anything, it dramatically *saves* admin time.

    The vast majority of sites don't need EV or wildcard certs, so Let's Encrypt is perfect for them.

  14. Re: I like the idea of encryption by corychristison · · Score: 1

    This.

    One of the arms of my business is web hosting (among web application development, and other online services). Let's Encrypt is fantastic. Automated SSL/TLS certificates make life easier, and my small business clients really appreciate the free certificates. I really appreciate not having to deal with renewing them every year or two because it's kind of a PITA.

    For my own business sites I do use EV certs and it's definitely a hassle to renew them.

  15. Translation by Nunya666 · · Score: 1

    The "50% HTTPS" figure is just a one-day snapshot, and it's from "only a subset of Firefox users who are running Mozilla's telemetry browser...not default switched on for most Firefox users (only for users of pre-release Firefox builds)." But the biggest caveat is it's only counting Firefox users, which in July represented just 7.7% of web surfers (according to Statista), behind both Chrome (49.5%) and Safari (13.68%) -- but also ahead of Internet Explorer (5.4%) and Opera (5.99%).

    Translation: statistics are manipulated.

    That's why I never believe any statistic, regardless of the source.

  16. Stapling ineffective for server and client on 1 IP by tepples · · Score: 1

    OCSP stapling means the server contacts the CA on the client's behalf and returns a cached OCSP response signed by the CA to the client. Thus the CA sees one OCSP request from the server per day as the server notices that the cached response is about to expire, as opposed to a request from each client. But in the case that Anonymous Coward #53085831 described, both the server and the client are on a LAN behind a NAT. When both the client and server have the same IPv4 address, stapling isn't quite as effective at hiding clients.

  17. Any company can be a CA by tepples · · Score: 1

    Self-signed is OK for [Google], but not for us. Get it?

    Any company can join the major web browsers' root certificate programs so long as it can afford the cost of operating a CA and hiring a third-party auditor to verify that its issuance policy is being followed. Google is such a company.

  18. You need a domain, which not everyone has by tepples · · Score: 1

    Let's Encrypt is rate-limited in such a way that it's only "free" if you own a valid domain. Someone setting up a web server on a private network, such as inside a home, library, or museum, might not own a domain for that purpose.

  19. Provided the web host supports cert automation by tepples · · Score: 1

    Automated renewal is the intent. In practice, it took several months after Let's Encrypt entered public beta for some web hosting providers to let users even upload their own certificates without having to file a support ticket. (See, for example, a blog post from a month ago.) It got so bad that one passive-aggressive fellow wrote a tool to request a certificate from Let's Encrypt and automatically file a support ticket.

  20. Re: I like the idea of encryption by guruevi · · Score: 1

    That's why LE is cheaper, you are forced to automate it causing you to spend way less time on certs. It's just part of setting up a web server and not all that complicated. Additionally both free and paid web panels now include (which you would be using if you don't know how to install a cert in less than 5m) a module that does it for you.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

  21. Re:Stapling ineffective for server and client on 1 by allo · · Score: 1

    It's still only informing them that the certificate is still in use. And if it's your LAN and you really want to avoid it, switch OCSP off in the browsers in your LAN. You can do it there, unlike an internet site, which cannot avoid the default config of its visitors.