Slashdot Mirror


Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: The increased adoption of HTTPS among website operators will soon lead to browsers marking HTTP pages as "Not Secure" by default, and Mozilla is taking the first steps. The current Firefox Nightly Edition (version 59) includes a secret configuration option that when activated will show a visible visual indicator that the current page is not secure. In its current form, this visual indicator is a red line striking through a classic lock that's normally used to signal the presence of encrypted HTTPS pages. According to Let's Encrypt, 67% of web pages loaded by Firefox in November 2017 used HTTPS, compared to only 45% at the end of last year.

6 of 244 comments

  1. Stupid by Anonymous Coward · Score: 2, Informative

    This is completely retarded. Not every site needs https.

  2. Servers on your LAN are probably Not Secure by tepples · Score: 5, Informative

    HTTPS requires a certificate, and a certificate requires a fully qualified domain name. The CA/Browser Forum's Baseline Requirements forbid issuing certificates in RFC 1918 private networks (such as 10/8 and 192.168/16) or the mDNS reserved domain (.local). This means everything on the average user's local area network will end up marked "Not Secure", such as the administration interface of the user's router, printer, or network attached storage (NAS) device.

    The document "Deprecating Non-Secure HTTP" states that Mozilla is aware of this problem but fails to offer a solution:

    Q. What about my home router? Or my printer?

    The challenge here is not that these machines can’t do HTTPS, it’s that they’re not provisioned with a certificate. A lot of times, this is because the device doesn’t have a globally unique name, so it can’t be issued a certificate in the same way that a web site can. There is a legitimate need for better technology in this space, and we’re talking to some device vendors about how to improve the situation.

    It should also be noted, though, that the gradual nature of our plan means that we have some time to work on this. As noted above, everything that works today will continue to work for a while, so we have some time to solve this problem.

  3. Let's Encrypt is gratis by tepples · Score: 2, Informative

    The only "certification company" to which you'd need to "pony up cash" is the domain registrar, which you need anyway for a public website. Once you have a domain, you can automate provisioning of certificates issued without charge by Let's Encrypt using an ACME client such as Certbot.

  4. Use HSTS by tepples · Score: 4, Informative

    Changing the billions of http: links on billions of web pages to billions of other web pages, that's what.

    If your HTTPS server sends the Strict-Transport-Security header for one request, the browser will automatically rewrite subsequent requests to http: scheme URLs on the same domain to use the https: scheme instead. If you enable this long-term for all subdomains, you can get the header "preloaded", or included with the browser itself so that even the first request gets rewritten. The HTTPS Everywhere extension by EFF is an additional source of preloads.
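    The browser-side behaviour tepples describes is straightforward to model. The following Python is an added example (not code from the comment, from Mozilla, or from any browser): it parses a Strict-Transport-Security header, remembers the policy only when it arrived over HTTPS, honours max-age expiry and includeSubDomains, and rewrites http: URLs for known hosts. The preload list here is an in-memory set supplied by the caller; the hostnames and header values in the demo are constructed for illustration.

```python
"""Minimal model of a browser's HSTS cache, following RFC 6797 semantics.

Added example: the hosts and header values below are constructed, not taken
from any real site or browser preload list.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is malformed (missing or non-numeric max-age),
    in which case a browser ignores it entirely. The 'preload' directive is only
    a signal to list maintainers, so it is accepted and ignored here.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Known-HSTS-host store plus the http: -> https: rewrite rule."""

    def __init__(self, now=time.time, preloaded=None):
        self.now = now
        # host -> (expiry timestamp, include_subdomains)
        self.entries = {}
        # Preloaded hosts (hypothetical list) never expire: expiry = +inf.
        for host, include_sub in (preloaded or {}).items():
            self.entries[host.lower()] = (float("inf"), include_sub)

    def observe(self, host, header, over_tls=True):
        """Record a policy from a response; ignored unless received over TLS."""
        if not over_tls:
            return False  # RFC 6797 §8.1: HSTS over plain HTTP is not trusted
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget
            return True
        self.entries[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a superdomain with includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self.now():
                del self.entries[candidate]  # lazily drop expired policies
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Return the https: form of an http: URL for a known host, else url."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"  # explicit non-default ports are kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache(preloaded={"preloaded.example": True})
    cache.observe("example.com", "max-age=31536000; includeSubDomains")
    for u in ("http://example.com/login", "http://www.example.com/a?b=1",
              "http://api.preloaded.example/", "http://other.example/"):
        print(u, "->", cache.rewrite(u))
```

    A fixed clock (the `now` argument) makes the expiry behaviour testable without sleeping; a real browser also persists this cache across restarts, which is exactly why a long max-age on all subdomains is the precondition for preloading.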

  5. Re:FFS by Zero__Kelvin · Score: 3, Informative

    Calm down Sally. They aren't stopping anyone from using HTTP, they are merely making sure users are aware that their connection is not secured. They aren't breaking anything. The fact is that the S in HTTPS is the secure part, and without that S your connection is not secure. If communicating facts to the user is breaking things then let's hope more people start breaking things.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  6. Re:If the signature itself is tampered with by Dagger2 · Score: 4, Informative

    Because it's open to MITM and passive snooping. There have been cases of networks inserting DDoS code into unencrypted webpages to recruit clients into attacking an unrelated site. (Or if you prefer, cases of networks inserting cryptocoin miners.) It's also possible to exploit security vulnerabilities in the client by injecting code into a plain-text connection, thus hiding the source of the exploit (and saving you the effort of tricking the client into visiting your own site).

    Plain-text HTTP is just plain unsafe. That's why it should be branded as unsafe.