Slashdot Mirror

Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: The increased adoption of HTTPS among website operators will soon lead to browsers marking HTTP pages as "Not Secure" by default, and Mozilla is taking the first steps. The current Firefox Nightly Edition (version 59) includes a secret configuration option that when activated will show a visible visual indicator that the current page is not secure. In its current form, this visual indicator is a red line striking through a classic lock that's normally used to signal the presence of encrypted HTTPS pages. According to Let's Encrypt, 67% of web pages loaded by Firefox in November 2017 used HTTPS, compared to only 45% at the end of last year.

12 of 244 comments

  1. Not everything need be encrypted by Anonymous Coward · · Score: 4, Insightful

    Let's say I'm downloading a file that's several GB, like a disk image. When I download it, I'll verify the signature. If it's valid, the file is usable. Encrypting the entire download is a waste of resources for both the server and client. Not everything needs to be encrypted, so this is a little silly. Plus, hosting providers often charge extra fees for https, at least based on my experience.

  2. If the signature itself is tampered with by tepples · · Score: 5, Insightful

    Let's say I'm downloading a file that's several GB, like a disk image. When I download it, I'll verify the signature.

    How can you be sure that the SHA-256 value against which you are verifying the disk image hasn't itself been tampered with on its way to your device?

    Encrypting the entire download is a waste of resources for both the server and client.

    No it isn't. If you fail to encrypt, your ISP, your ISP's ISP, and any snooping government can tell conclusively what you have downloaded. If you do encrypt, the eavesdropper can see only what domain you're accessing and the sizes of what you download. You can obfuscate even the sizes by using range requests to pull the 4 GB disk image a 4 MB chunk at a time.

    Plus, hosting providers often charge extra fees for https

    Then take your business elsewhere. Switch from a hosting provider that charges extra for HTTPS to a competing hosting provider that does not charge extra for HTTPS.
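The two technical claims in the reply above (a digest fetched over the same unauthenticated channel proves nothing, while a signature under a key obtained out of band does; and Range requests let a client pull a large file in chunks) can be demonstrated together. The following Go program is an added example, not code from the post, from Mozilla or from any hosting provider. It assumes a local `httptest` server standing in for a mirror, a constructed ~1 MiB byte string standing in for the disk image, and Ed25519 as the detached-signature scheme (the post says only "signature"); the key pair is generated on the fly to play the publisher.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// image is a constructed stand-in for a multi-gigabyte disk image (assumption:
// ~1 MiB is enough to exercise chunking, including a partial last chunk).
var image = bytes.Repeat([]byte("disk-image-block\n"), 64*1024)

// serveImage starts a hypothetical mirror on localhost. http.ServeContent
// honours Range headers, which is all the chunked download below relies on.
func serveImage(data []byte) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.ServeContent(w, r, "image.img", time.Time{}, bytes.NewReader(data))
	}))
}

// fetchInChunks issues one Range request per chunk and reassembles the body.
// Over TLS an on-path observer then sees chunk-sized transfers, not one
// transfer whose size identifies the file.
func fetchInChunks(url string, total, chunk int) ([]byte, error) {
	var out bytes.Buffer
	for start := 0; start < total; start += chunk {
		end := start + chunk - 1
		if end >= total {
			end = total - 1
		}
		req, err := http.NewRequest(http.MethodGet, url, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Range", fmt.Sprintf("bytes=%d-%d", start, end))
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusPartialContent {
			return nil, fmt.Errorf("server ignored Range: HTTP %d", resp.StatusCode)
		}
		out.Write(body)
	}
	return out.Bytes(), nil
}

// hashMatches is the check the first post relies on: a SHA-256 digest that
// travelled over the same unauthenticated channel as the file.
func hashMatches(data []byte, published string) bool {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]) == published
}

// signatureValid checks a detached Ed25519 signature against a public key the
// user pinned out of band; an on-path attacker cannot re-sign under that key.
func signatureValid(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

// tamper models an on-path attacker on plain HTTP: overwrite the start of the
// image and republish a SHA-256 that matches the replacement.
func tamper(data []byte) ([]byte, string) {
	evil := append([]byte(nil), data...)
	copy(evil, "backdoored-block")
	sum := sha256.Sum256(evil)
	return evil, hex.EncodeToString(sum[:])
}

func main() {
	srv := serveImage(image)
	defer srv.Close()
	got, err := fetchInChunks(srv.URL+"/image.img", len(image), 100*1024)
	if err != nil {
		panic(err)
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher's key pair (constructed)
	sig := ed25519.Sign(priv, image)
	sum := sha256.Sum256(image)
	published := hex.EncodeToString(sum[:])
	fmt.Println("reassembled intact:", bytes.Equal(got, image))
	fmt.Println("intact: hash ok", hashMatches(got, published), "sig ok", signatureValid(pub, got, sig))
	evil, evilHash := tamper(got)
	fmt.Println("after MITM: hash ok", hashMatches(evil, evilHash), "sig ok", signatureValid(pub, evil, sig))
}
```

The point of `tamper` is that the attacker controls both the file and the digest file when both come over plain HTTP, so `hashMatches` stays true; only `signatureValid`, anchored in a key the attacker does not hold, fails. The chunk size is deliberately not a divisor of the image length so the last, shorter Range request is exercised.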

    1. Re:If the signature itself is tampered with by RightwingNutjob · · Score: 3, Insightful

      And sometimes you don't care. Like when you're on an internal network and don't want to confuse your users with a red warning signal.

    2. Re:If the signature itself is tampered with by hairyfeet · · Score: 5, Insightful

      Insightful? Really mods? Let's take a site like Megofan...all it has is scans of old Mego adverts and interviews with the guys that worked there. No sign in, no information from the user at all, just some static images and text....now WHY IN THE FUCK does this need to be encrypted? Anybody? Bueller?

      You want to make the web safe? KILL JAVASCRIPT DEAD and while you are at it BAN accepting code from third parties like these sleazy as fuck advert companies...tada! Web is safe as in your mama's arms...oh but that would mean website owners might have to get off their overfed asses, wipe the Cheetos dust off their fingers and actually VET THEIR ADS instead of just bitching and whining when we block them! Can't have that, nope so let's make every site in the free world including those that are nothing but text and jpegs encrypt for...not a damned reason other than SECURITY THEATER.

      This is a classic example of the "we have to DO SOMETHING!" bullshit, a variation of the "think of the children!" kind of thinking...does it solve the REAL problem, which is our devices spying on us, malware filled adverts, or any of the real nasty things we've been dealing with? Nope. But hey it lets CA vendors make more money while putting on the appearance of giving a fuck and that is just as good in these days of hashtag "our hearts are with" insert name of city...right?

      --
      ACs don't waste your time replying, your posts are never seen by me.

    3. Re:If the signature itself is tampered with by Askmum · · Score: 3, Insightful

      This is a classic example of the "we have to DO SOMETHING!" bullshit, a variation of the "think of the children!" kind of thinking...

      I totally agree. I have a small personal website that hosts some stats about my server (disk usage and such) and hosts pictures I want to share with people.

      Why would that site be unsafe? I use no cookies, I do not require logins. Why would my site be branded like that because some has-been company pushes their agenda?

  3. Re:Servers on your LAN are probably Not Secure by RightwingNutjob · · Score: 2, Insightful

    Great. Another layer of DRM. Printer doesn't work unless you're plugged into the internet and paying for 'up-to-date' certificates from the vendor.

  4. How to use a private CA with BYOD? by tepples · · Score: 4, Insightful

    How is "make and install your own certificates" practical when users bring their own devices, such as public library patrons bringing their laptops or phones to a branch or friends or relatives bringing their laptops or phones to someone's home?

  5. FFS by fyngyrz · · Score: 4, Insightful

    Good thing that the cost is essentially zero on modern hardware, then.

    You know what cost isn't zero?

    Changing the billions of http: links on billions of web pages to billions of other web pages, that's what.

    Firefox - and Google, for that matter - are damaging the very integrity of the net, ironically, while claiming to improve it. They're not improving it. This is anal-retentive nonsense. Not everything needs to be encrypted. If something does need to be encrypted, that falls into the realm of the reasonable decision of the page owner, not the web browser author or the search engine.

    We've gotten along just fine without this nonsense thus far; I see no reason - other than the use of force by these bad actors - that we should have to arbitrarily change huge portions of the Internet.

    You want to encrypt, go ahead. You can if you want. And of course, if you do, it'll be fine. But using force to make you do it... no. That's just evil.

    And we know that browser warnings will put people off. This isn't an "otherwise-harmless" act. It'll do real damage.

    --
    I've fallen off your lawn, and I can't get up.

  6. Domain-validated vs. Extended Validation by tepples · · Score: 3, Insightful

    It's why a CA can charge hundreds of dollars to perform 50ms of compute effort.

    The "50 ms of compute effort" certificates are domain-validated, with just CRL and OCSP as ancillary services. Those typically cost $15 for three years (ssls.com) or nothing for 90 days (letsencrypt.org). The certificates that cost hundreds of dollars are Extended Validation, which ensure not only a connection between the certificate and the domain owner but also that a vandal isn't typosquatting the domain itself. These often come with greater insurance guarantees.

    1. Re:Domain-validated vs. Extended Validation by TechyImmigrant · · Score: 3, Insightful

      It's why a CA can charge hundreds of dollars to perform 50ms of compute effort.

      The "50 ms of compute effort" certificates are domain-validated, with just CRL and OCSP as ancillary services. Those typically cost $15 for three years (ssls.com) or nothing for 90 days (letsencrypt.org). The certificates that cost hundreds of dollars are Extended Validation, which ensure not only a connection between the certificate and the domain owner but also that a vandal isn't typosquatting the domain itself. These often come with greater insurance guarantees.

      And all those services and fees have nothing to do with my options for securing my own stuff. In fact they just make things worse.
      As I wrote on another thread, I ran Let's Encrypt's scripts and they crashed. It's a joke built with shoddy code.

      I built a CA once, with bespoke software, a screened room, air gaps, man traps and the whole malarkey. All to certify communication devices, because all the cert vendors were not interested in selling certs for a few cents each for millions of devices.

      The more I have dealt with the cert industry, the more I hate it.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

  7. Idiotic by slashmydots · · Score: 3, Insightful

    Oh good, now I can pay like $100 a year for an encryption cert that I don't need just to run my static, read-only website that tells people what my business does and where it is and how to contact me. Awesome.

  8. Re:How to Disable it by vlueboy · · Score: 5, Insightful

    The rest of us can simply disable "security.insecure_connection_icon.enabled" in about:config.

    Oh?
    Just like Firefox's extensions fiasco where some similar about:hack "allowed" your unapproved extensions to continue running if it wasn't publicly vetted by the mozilla version of an app store? That respite, like many Firefox moves was killed on v48 a year ago and blew away a Firefox extension that was developed in-house and had no business being available to the world. And just a year earlier? the Chrome and Safari side grenade exploded with a different "security" feature that cost us man hours, training and bug stabilization time. Browserwise, there is nowhere safe of these whims.

    When Mozilla is saying the http sites will work "for a while" for local printers / routers, they're taking the haughty tone appropriate for someone saying we'll be allowed to be beggars at their house until they tire of taking pity on us... as if browser makers were paying US for using THEIR products. One reason open source projects aren't taken seriously, mind you, is present in that vacuous statement: unlike closed source companies like MS and Oracle, the statement of EOL comes with no hard dates. That's a red flag right there, considering Firefox has more or less had "courage" in announcing pulling the plug on other features or forcing unwanted garbage as well.

    I'm tired after seeing the bleakness of all the bug threads with complaints of business burdens produced by these changes that just keep falling on deaf ears: All browsers do this deprecation game on a whim without any standards emporium behind the stupidity (though sometimes the W3C is part of the problem.) The only winning move is NOT to upgrade, because freedoms imaginarily lost n% of the time to some unseen enemy in a potential hack are less concrete than the freedom lost right now for 100% of the time in the form of loss of value and features.