Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises

An anonymous reader quotes a report from Bleeping Computer: The increased adoption of HTTPS among website operators will soon lead to browsers marking HTTP pages as "Not Secure" by default, and Mozilla is taking the first steps. The current Firefox Nightly Edition (version 59) includes a secret configuration option that when activated will show a visible visual indicator that the current page is not secure. In its current form, this visual indicator is a red line striking through a classic lock that's normally used to signal the presence of encrypted HTTPS pages. According to Let's Encrypt, 67% of web pages loaded by Firefox in November 2017 used HTTPS, compared to only 45% at the end of last year.

Re:The bigger problem

[tepples]

The percentage covers only the subset of users who have opted into Firefox telemetry. If you want to make your votes not count, that choice is yours. Just don't whine when Mozilla cuts your pet feature for lack of usage share justifying the maintenance cost.

Re:why does my site need to be secure

[Sloppy]

I am generally curious why someone would need EVERY site to be secured by https.

I can't answer that question, but this..

What about small businesses who dont offer any downloads or have any contact forms and as such their websites function like a digital flier.

.. is easy. You don't want ISPs altering the flier. And people may recall, one of the big calls to arms for the whole Network Neutrality thing everyone has been talking about, is that ISPs were altering web replies to insert ads. I've heard Comcast users even say that Comcast still communicates some kinds of things to their customers by just barging into whatever web page a user happens to have loaded, and changing it to include a message from Comcast. (Because apparently email is too hard.)

MitM can't only snoop; they can also change things.

Examples involving intranets, though, I can't possibly get into Firefox's head. I am pretty sure whatever reason they come up with, will be bullshit. But I guess I ought to hear 'em, first...

Re:If the signature itself is tampered with

[truedfx]

But the operator of the site hosting the SHA-256 values will still need to obtain a certificate.

Indeed.

Is it more a matter of setting up Certbot to provision one certificate for the hash site rather than a separate certificate for each mirror site?

The concern was that for large (multi-gigabyte) files, HTTPS becomes a waste of resources. I'm not going to comment one way or another on the correctness of that claim, but setting up a single server to accept both HTTP and HTTPS connections is trivial, and then the client can make the choice to download the large file from that server over HTTP, and the hash from that same server over HTTPS. It wasn't my idea to have the full file and the hash come from different servers, although that is indeed an option as well.

And yet firefox hides http:// by default..

The geniuses at Mozilla decided to hide the http: prefix from the user some time ago, so instead of http://www.cnn.com/ the user sees www.cnn.com

The http: prefix indicates that THERE IS NO ENCRYPTION.

Why hide it from the user and then add a non-standard indicator that there is no encryption?

So many UI designers should be shot...

Re:If the signature itself is tampered with

[AmiMoJo]

Makes it harder to inject malware, a favourite tactic of governments.

Also increases the cost of mass surveillance to the point where it is impractical.

The web should have been fully encrypted from the start.