Slashdot Mirror


Mozilla Restricts All New Firefox Features To HTTPS Only (bleepingcomputer.com)

An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox adds support for a new standard/feature starting tomorrow, and that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.

243 comments

  1. In a groundbreaking statement now by RedK · · Score: 0

    Users say "Firewhatnow"? Too bad, it was a great browser when it was introduced as Phoenix. Leave it to Mozilla to continue the Netscape tradition of going downhill.

    --
    "Not to mention all the idiots who use words like boxen."
    Anonymous Coward on Monday August 04, @06:49PM
    1. Re:In a groundbreaking statement now by Rick+Schumann · · Score: 2

      As opposed to what, exactly? Chrome, which almost certainly has as much Google spyware baked into it as a Huawei-made smartphone? Miscreant-o-soft 'Edge', and its associated 'telemetry' (read as: spyware)? Any of the fringe browsers, which are likely to be garbage and full of malware, too? Firefox is just as likely to be the cleanest in that regard.

    2. Re: In a groundbreaking statement now by Anonymous Coward · · Score: 0

      Leave it to the malcontent babies on slashdot to whine about a good change.

    3. Re:In a groundbreaking statement now by theendlessnow · · Score: 1

      So, what browser do you use? Can't be Chrome since it is less secure than Firefox, even pre-Quantum. So, what do you use? Can't be Safari? It's based on very broken Webkit. What do you use? We need to know so we can all switch to it.

    4. Re:In a groundbreaking statement now by Eravnrekaree · · Score: 1

      I really do think that weaning the web off non-SSL HTTP is a good thing, I don't know how anyone can oppose protecting people's privacy. There's no cost any more to getting a TLS cert so there's just no excuse any more to not go HTTPS. The only issue was LAN IP addresses and maybe an exception should be made for private IP addresses. For all public IP addresses I would actually support throwing up an "insecure site" warning for all non-SSL sites that users have to click an exception button, then eventually requiring SSL of all web sites.

    5. Re:In a groundbreaking statement now by bn-7bc · · Score: 1

      What about apache, nginx, postgresql, vlc, do I need to go on?

    6. Re:In a groundbreaking statement now by RedK · · Score: 2

      Not all content requires people's information to be transmitted over the wire.

      --
      "Not to mention all the idiots who use words like boxen."
      Anonymous Coward on Monday August 04, @06:49PM
    7. Re:In a groundbreaking statement now by sremick · · Score: 1, Interesting

      So what do you use? Chrome, which is turning into the IE6 of the web now pushing all this proprietary Chrome-only markup, and arrogantly spawns a dozen or more background tasks on your computer bringing it to its knees?

      I'm seeing lots of Chrome die-hards give it the boot and go to Firefox as a result. And the new Firefox 57 is faster than Chrome, so there's an added bonus.

      Firefox has its faults, but if you're insulting it and using Chrome instead then you're just being a huge hypocrite. Chrome gets more press and is pushed on people via sneaky trojan bundling deals that got Microsoft in trouble when they pulled that same shit, but that doesn't make it the better browser.

    8. Re:In a groundbreaking statement now by gnick · · Score: 1

      As opposed to what, exactly? ...Any of the fringe browsers, which are likely to be garbage and full of malware, too?

      Does Opera count as fringe? I'm in Chrome right now (at work), but Opera's my main browser at home. It'll run indefinitely on my Win10 box without leaking or crashing while browsing CNN, Facebook, Youtube, Xvideos, Slashdot, Pandora, Netflix, Plex, etc. I'd be very surprised to learn there was malware incorporated.

      --
      He's getting rather old, but he's a good mouse.
    9. Re:In a groundbreaking statement now by gnick · · Score: 2

      We need to know so we can all switch to it.

      Lynx's security is second to none.

      --
      He's getting rather old, but he's a good mouse.
    10. Re:In a groundbreaking statement now by tepples · · Score: 1

      The path and query string themselves are enough to infer "people's information". With cleartext HTTP, a passive attacker can infer which medical condition you looked up on Wikipedia or WebMD. With HTTPS, an attacker can see the server's hostname in the Server Name Indication of the ClientHello message, such as en.wikipedia.org or www.webmd.com, but everything else is encrypted.

      In addition, even when "people's information" is not "transmitted over the wire", the viewer's ISP can still inject advertisement scripts into a cleartext HTTP connection.

    11. Re:In a groundbreaking statement now by Rick+Schumann · · Score: 1

      Chrome 58.90%
      Firefox 13.29%
      Internet Explorer 13.00%
      Edge 3.78%
      Safari 3.42%
      Sogou Explorer 1.68%
      Opera 1.57%
      QQ 1.35%
      UC Browser 0.73%
      Yandex 0.63%
      Looks pretty fringy to me.

    12. Re:In a groundbreaking statement now by LiENUS · · Score: 1

      Two things, A) he's obviously a troll B) out of all 4 of those only vlc is desktop software

    13. Re:In a groundbreaking statement now by gnick · · Score: 1

      Yeah, anything beyond the top 5 I'm happy to call "fringe". So, according to you, that makes it "likely to be garbage and full of malware". I believe Opera's neither garbage nor full of malware.

      --
      He's getting rather old, but he's a good mouse.
    14. Re:In a groundbreaking statement now by tepples · · Score: 1

      Safari 3.42%

      I thought all browsing on iPod touch, iPhone, and iPad was done through Safari (or through a third-party web browser that wraps Safari's engine). Are these only desktop numbers?

    15. Re:In a groundbreaking statement now by viperidaenz · · Score: 1

      Those dozens of background tasks are your tabs or plugins you've installed.
      Of the 6 processes my instance of Chrome is currently running (with one tab open) they are:
      Browser: 115MB
      GPU Process: 61MB
      V8: 11MB
      Slashdot tab: 111MB
      Adblock Plus: 162MB
      uBlock: 63MB

      Each additional tab is one more process. If you install dozens of plugins, you'll get dozens of processes and gigabytes of RAM usage.
      Tip: Press shift-esc to open Chrome's task manager and see for yourself.

    16. Re: In a groundbreaking statement now by Anonymous Coward · · Score: 0

      Isn't Opera owned by a Chinese consortium nowadays?

    17. Re:In a groundbreaking statement now by Anonymous Coward · · Score: 0

      You do realize that Opera is now owned by a Chinese organization, right? You'd be surprised by malware? Uh...I think you better realize that EVERYTHING you do is getting raked over by the Chinese Government's servers...But then again, Google is mining Chrome and Android, Microsoft is mining desktop OS, phone and its web browsers (Edge & IE) and of course the NSA is mining everything and everyone...

      https://www.engadget.com/2016/07/18/opera-browser-sold-to-a-chinese-consortium-for-600-million/

    18. Re:In a groundbreaking statement now by Anonymous Coward · · Score: 0

      VLC sucks compared to PotPlayer. Anyone who thinks the two are even on the same field is a complete moron.

      And if I am a "troll" it is only because questioning the open sores religion on slashdot is politically incorrect.

      Go ahead and name some more "good" open sores desktop software. I'll wait. (crickets)

    19. Re:In a groundbreaking statement now by RedK · · Score: 1

      The path and query string themselves are enough to infer "people's information". With cleartext HTTP, a passive attacker can infer which medical condition you looked up on Wikipedia or WebMD. With HTTPS, an attacker can see the server's hostname in the Server Name Indication of the ClientHello message, such as en.wikipedia.org or www.webmd.com, but everything else is encrypted.

      What you say is the same thing I said. Not every site is about having personal information transmitted or is personal in nature on the queries it responds to. Maybe I just run a site for my bathroom design business with my phone number on it. People visiting my site tell a 3rd party the same thing by simply typing the URL that they would from their full "page loads" since the only information to infer is that you're looking for a bathroom designer.

      --
      "Not to mention all the idiots who use words like boxen."
      Anonymous Coward on Monday August 04, @06:49PM
    20. Re: In a groundbreaking statement now by gnick · · Score: 2

      Yes. It was originally Norwegian, but was sold to "Golden Brick Capital Private Equity Fund I Limited Partnership" for $600M at the end of 2016.

      --
      He's getting rather old, but he's a good mouse.
    21. Re:In a groundbreaking statement now by HermMunster · · Score: 1

      People will switch when they begin to have problems, tech literate excluded. People don't want nor will they know about features like this, they want just to use their browser without difficulty and without consideration of restrictive features.

      --
      You can lead a man with reason but you can't make him think.
    22. Re:In a groundbreaking statement now by bn-7bc · · Score: 1

      Troll here (I was not intending to be one), sorry I missed the mark, got too focused on the attack on open source and forgot the context. It would be easy to blame my ADD, but I should really pay a bit more attention to stuff like context. I must admit that desktop applications definitely are not the best part of the open source portfolio, I'm not sure why, maybe because UI/UX is hard to get right and also a very specialized field.

    23. Re:In a groundbreaking statement now by gnick · · Score: 1

      I think you better realize that EVERYTHING you do is getting raked over by the Chinese Government's servers

      That's a possibility. It's been investigated repeatedly and nothing's been found, but that's not 100% confidence and I trust the Chinese even less than MS and Google. Of the sites I mentioned, only Pandora has any financial information from me and it wasn't transmitted through Opera. Opera's my main browser at home, but not my only one. If the Chinese want to know which news articles I read, it bothers me the same amount as if my ISP does. Chrome's probably mined deeper than Opera simply because I'll bet Google's better at it than the Chinese government.

      --
      He's getting rather old, but he's a good mouse.
    24. Re:In a groundbreaking statement now by bn-7bc · · Score: 1

      Well that might be, it is impossible for me to comment on PotPlayer as I've never used it, but I can say that vlc (plus the odd codec pack) has played everything I've thrown at it without issue. Is it pretty? No, but, at least in my view, that is secondary to it working. I'm not defending vlc, nothing is perfect and improvements can always be made, but someone much wiser than me once said 'The perfect is the enemy of the possible'.

    25. Re:In a groundbreaking statement now by tepples · · Score: 1

      Not every site is about having personal information transmitted or is personal in nature on the queries it responds to.

      Nor does every server operator always agree with its viewership on whether the site "is personal in nature on the queries it responds to." For example, some people find Wikipedia not "personal in nature" because they don't regularly read articles about (say) reproductive rights in a socially conservative jurisdiction.

      Maybe I just run a site for my bathroom design business with my phone number on it.

      How do viewers of your site know that your competitor didn't pay the ISP to change your phone number appearing on its subscribers' view of your site to that of your competitor?

    26. Re:In a groundbreaking statement now by Anonymous Coward · · Score: 0

      > There's no cost any more to getting a TLS cert so there's just no excuse any more to not go HTTPS.

      Yes there is. Aside from the hassle of configuring it, maintaining it, and troubleshooting it when it breaks, even "free" things like Let's Encrypt are not free. They will not give me a cert. What they will do is let me run their software which will magically do the cert shit for me. It's the god damned fucking SystemD black box horseshit I object to.

      My server serves up static pages. That's it. It doesn't do uploads, logins, or any of that shit. It's old web 1.0 stuff. Fuck you and your EVERYTHING MUST BE ENCRYPTED bullshit. I see no reason to pay extra for server time to SSL my notes on what needs to change to fix parts of table top RPGS.

    27. Re:In a groundbreaking statement now by packrat0x · · Score: 1

      We need to know so we can all switch to it.

      Lynx's security is second to none.

      Don't forget w3m and links.

      --
      227-3517
    28. Re:In a groundbreaking statement now by jmccue · · Score: 1

      Yes there is. Aside from the hassle of configuring it, maintaining it, and troubleshooting it when it breaks, even "free" things like Let's Encrypt are not free. They will not give me a cert.

      I wish I had mod points, another nail in the 'fully free' or user based internet. If the page is static and no javascript crap then you should not have to get a cert.

      Yes I know your ISP could inject crap before serving it to someone, but you remind the ISP that is illegal.

      There is always lynx and USENET :) We should all move back to that.

    29. Re: In a groundbreaking statement now by Anonymous Coward · · Score: 1

      Neither they nor Chrome can do HTTPS right with privately signed certs. My firewall has been HTTPS since 1997. Both show "this is not a safe site" because of private certs.

      They are idiots to say the basic local server on a local subnet is good. Or at least not bad; it keeps taking multiple clicks to get through.

      I think they both get kickbacks from the cert guys.

    30. Re:In a groundbreaking statement now by tepples · · Score: 1

      Yes I know your ISP could inject crap before serving it to someone, but you remind the ISP that is illegal.

      ISP's reply: "So what? We'll continue the illegal practice."

      So who has standing to sue an ISP that deliberately flouts this law? The subscriber or the operator of the site that was modified?

      Answer: Nobody does. It was a trick question. Mandatory arbitration clauses are a standard practice nowadays.

    31. Re:In a groundbreaking statement now by WaffleMonster · · Score: 1

      The path and query string themselves are enough to infer "people's information". With cleartext HTTP, a passive attacker can infer which medical condition you looked up on Wikipedia or WebMD. With HTTPS, an attacker can see the server's hostname in the Server Name Indication of the ClientHello message, such as en.wikipedia.org or www.webmd.com, but everything else is encrypted.

      Incorrect. On a public website you can infer what the user is looking at via analysis of timing and payload size.

    32. Re:In a groundbreaking statement now by WaffleMonster · · Score: 1

      I really do think that weaning the web off non-SSL HTTP is a good thing, I don't know how anyone can oppose protecting people's privacy.

      The privacy case for publicly accessible websites is tedious at best and harmful at worst. It is tedious at best because use of timing and payload length side channels has been successfully demonstrated to unmask user activities on public sites.

      It is harmful to privacy because all those OCSP queries to centrally managed servers represent a new vector to track users en masse without requiring any in-path compromise of communications channels.

      TLS session caching may leak data that can be used to correlate requests within a privacy preserving overlay network.

      There's no cost any more to getting a TLS cert so there's just no excuse any more to not go HTTPS.

      There exist management costs and additional RTT costs both in initial TLS setup and an additional round trip with every subsequent request. This can be mitigated in the future by using session tickets.

      For all public IP addresses I would actually support throwing up an "insecure site" warning for all non-SSL sites that users have to click an exception button, then eventually requiring SSL of all web sites.

      No doubt TLS is better than nothing yet ends don't justify means. Just because you want everyone to use TLS does not make it acceptable to force others to use it if they don't want to for whatever reason.

      In a world where everything is secured via TLS there is no real security. The value of compromising CAs approaches infinity at the same time CAs are squeezed by the everything-must-be-free machine (LE freeloaders). Not that CAs have any business existing in the first place. DV should be a function of the registrar, who should be handling signing as a standard included feature of domain ownership for no additional cost, with none of this any-CA-has-capability-to-sign-globally-for-any-domain-they-want bullshit.

      Every government in the world worth fearing is assured to have the means of compromising the system as currently deployed. As we have seen with Google's unnecessary unilateral removal of the ONLY means of detection of government compromise (key pinning) in order to support a half-baked "experimental" IETF draft that does nothing to actually prevent compromise in its tracks, it seems to me the current system is worthless to anyone with a need for security beyond low-value ecommerce transactions, and that design is intentional. Any new feature such as rolling out support for PAKEs that stands to improve security by providing off-ramps to trust not based on the global PKI house of cards is systematically ignored by all browser vendors.

    33. Re:In a groundbreaking statement now by WaffleMonster · · Score: 1

      How do viewers of your site know that your competitor didn't pay the ISP to change your phone number appearing on its subscribers' view of your site to that of your competitor?

      This is a good illustration of the difference between possibility and probability.

      Yes it is possible for someone to change the phone number in transit over the network. What is the probability of occurrence? Is it worth my time to care? I suspect the answer to the above questions are "very small" and "hell no".

      After all similar risks remain regardless:

      How do viewers of your site know your competitor didn't pay the ISP to redirect your site to /dev/null?

      How do you know your competitor didn't pay off your web host to hang an "out of business" banner only visible to potential customers on the other side of town?

    34. Re:In a groundbreaking statement now by tepples · · Score: 1

      How do viewers of your site know your competitor didn't pay the ISP to redirect your site to /dev/null?

      They put the URL into a troubleshooting tool such as isup.me.

      How do you know your competitor didn't pay off your web host to hang an "out of business" banner only visible to potential customers on the other side of town?

      You know because your automatic site monitoring scripts notified you of failure to retrieve the root document.

    35. Re:In a groundbreaking statement now by tepples · · Score: 1

      On a public website you can infer what the user is looking at via analysis of timing and payload size.

      How reliable is this in practice over the Internet, as opposed to a laboratory setting? And would random addition of 0 to 999 bytes of garbage headers to each response mitigate this in any way?
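
The padding question above is the one a defender has to answer before deploying such a mitigation. The block below is an added example, not code from the thread or from Mozilla: it takes a constructed list of page sizes for a hypothetical site and computes which pages a length-only observer could still tell apart when each response is padded by a uniformly random 0..maxPad bytes. It assumes the observer sees only the total response length, which is the most favourable assumption for the defender.

```javascript
// Added example (not from the thread). Constructed page sizes for a
// hypothetical static site; byte counts are made up for illustration.
const PAGES = [
  { name: 'index', bytes: 4120 },
  { name: 'about', bytes: 4890 },
  { name: 'condition-a', bytes: 23310 },
  { name: 'condition-b', bytes: 23700 },
  { name: 'condition-c', bytes: 61200 },
];

// With padding drawn uniformly from [0, maxPad], page p is observed as some
// length in [p.bytes, p.bytes + maxPad]. Two pages stay distinguishable
// unless those intervals overlap, i.e. unless |a.bytes - b.bytes| <= maxPad.
// Returns { pageName: [names it can be confused with], ... }.
function confusionSets(pages, maxPad) {
  const out = {};
  for (const a of pages) {
    out[a.name] = pages
      .filter((b) => b !== a && Math.abs(a.bytes - b.bytes) <= maxPad)
      .map((b) => b.name)
      .sort();
  }
  return out;
}

// Fraction of pages that remain uniquely identifiable from length alone.
function uniquelyIdentifiableFraction(pages, maxPad) {
  const sets = confusionSets(pages, maxPad);
  const unique = pages.filter((p) => sets[p.name].length === 0).length;
  return unique / pages.length;
}

// Smallest maxPad for which every page is confusable with at least one
// other: each page needs padding at least as large as the distance to its
// nearest neighbour, so take the largest of those nearest-neighbour gaps.
function paddingNeededToHideAll(pages) {
  let needed = 0;
  for (const a of pages) {
    let nearest = Infinity;
    for (const b of pages) {
      if (b !== a) nearest = Math.min(nearest, Math.abs(a.bytes - b.bytes));
    }
    needed = Math.max(needed, nearest);
  }
  return needed;
}

// Caveats a practitioner should keep in mind (not modelled here): overlapping
// intervals only make identification probabilistic, not impossible, because
// the observed length distributions still differ; and a real page load is
// several responses (HTML, CSS, images), each of which leaks its own length.
function report(pages, maxPad) {
  return {
    maxPad,
    uniquelyIdentifiable: uniquelyIdentifiableFraction(pages, maxPad),
    confusable: confusionSets(pages, maxPad),
    paddingToHideAll: paddingNeededToHideAll(pages),
  };
}

console.log(JSON.stringify(report(PAGES, 999), null, 2));
```

With 0..999 bytes of padding, only the two pairs of similarly sized pages become ambiguous; the 61 KB page is still identified every time, and hiding it would need a padding range of tens of kilobytes.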

    36. Re:In a groundbreaking statement now by Anonymous Coward · · Score: 0

      So you're calling other browsers like Chrome arrogant while Firefox does even more arrogant shit? Firefox ignores its dwindling user base and is gradually accelerating its descent into the history books. Chrome is also shit, but if all you want to do is compare whose shit is worse then that says a lot about how bad it is with Firefox at the moment.

    37. Re:In a groundbreaking statement now by Anonymous Coward · · Score: 0

      The same Opera that was sold to some Chinese mega-corp in 2016? That Opera? Not only is it fringe but now you're a red-loving Commie sympathizer.

    38. Re:In a groundbreaking statement now by LiENUS · · Score: 1

      I wasn't calling you a troll, I was saying the guy you were replying to was a troll.

    39. Re:In a groundbreaking statement now by TemporalBeing · · Score: 1

      Internet Explorer 13.00% Edge 3.78%

      Wow...didn't know IE still had so much share and Edge hadn't taken it over yet.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  2. Correction. by msauve · · Score: 1

    "Anne van Kesteren, a Mozilla nanny"

    FTFY.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  3. Good by Anonymous Coward · · Score: 0

    Everything should be encrypted at all times. I know the usual idiots will come out here and say âoeoh now you will be trackedâ, but lol if you think you werenâ(TM)t anyways and double lol if you think server side TLS makes it in any way worse as opposed to increasing your ability to mask all activities on the net

    1. Re:Good by Anonymous Coward · · Score: 2, Insightful

      STOP POSTING WITH YOUR IPHONE

    2. Re: Good by Anonymous Coward · · Score: 0

      Iâ(TM)ll do what I want, itâ(TM)s all https anyway so âoeif youâ(TM)re not able to say nice things, donâ(TM)t say anything at allâ

      Iâ(TM)m âoephone postingâ âoeforâ âoetheâ âoewinâ and youâ(TM)re âoetrollingâ

    3. Re: Good by Anonymous Coward · · Score: 0

      Fuck off you cunt...

    4. Re: Good by Megol · · Score: 1

      You responding to the wrong AC. Easy mistake to make.

    5. Re: Good by Anonymous Coward · · Score: 0

      Lameness filter encountered..

      STOP POSTING WITH YOUR DADS PENIS!

      8====)~~~

    6. Re:Good by bn-7bc · · Score: 1

      You know what, I only see this problem on slashdot so either
      1: The only posts from people using iPhone (any iOS device really) I see are on slashdot
      2: There is something wrong somewhere in slashdot

    7. Re: Good by Anonymous Coward · · Score: 0

      i like to think of it as there is just one AC but with multiple personalities.

    8. Re:Good by Anonymous Coward · · Score: 0

      It's due to Apple's insistence on posting characters like ' as unicode even if the site is not using unicode. There is no reason to use a unicode ' and keep the rest of the characters ASCII. Apple is broken, not slashdot.

      Slashdot doesn't fix it because it's a great way to spot the iSheep. They should go even farther and automatically deduct one karma point if any unicode is detected.

    9. Re:Good by Anonymous Coward · · Score: 0

      Not supporting Apple's idiosyncratic non-ASCII implementation of quotation marks isn't "something wrong".

    10. Re:Good by scdeimos · · Score: 1

      These Unicode characters are just fine on Slashdot:

      • U+0022 quotation mark, "
      • U+0027 apostrophe, '
      • U+0060 grave accent, `

      It's anything above U+007F that get molested by Slashdot, such as:

      • U+00B4 acute accent,
      • U+2018 left single quotation mark, ‘
      • U+2019 right single quotation mark, ’
      • U+201C left double quotation mark, “
      • U+201D right double quotation mark, ”

      I'm not posting from an iPhone. You can input these characters from any modern PC. It's just that Slashdot decided to support only ASCII character input (U+0000 through U+007F) but screwed up and is actually supporting some crummy OEM code page instead (U+0000 through U+00FF).

    11. Re:Good by bn-7bc · · Score: 1

      Ok so let's blame Apple, but hold on a second, did I not point out that I have not seen this problem anywhere else? Oh well, must just be me then; I guess none of the people commenting on digi.no, itavisen.no or in the subreddits I follow ever post from an iOS device (the first two are among Norway's largest IT-related news sites, and judging by the number of comments on Apple-related articles quite a few of the readers use iOS devices).

    12. Re:Good by tepples · · Score: 1

      Quotation mark code points that have been in Unicode for decades (since 1993) aren't "idiosyncratic".

    13. Re:Good by TheRaven64 · · Score: 1

      It's due to Apple's insistence on posting characters like ' as unicode even if the site is not using unicode

      Apple doesn't do this on sites not using unicode. Take a look at the HTML for this page and you will see a meta tag telling you that the encoding is UTF-8. The problem is that Slashdot explicitly advertises that it is unicode, but isn't.

      The fact that it doesn't support unicode in 2017, when even my terminal does, is a secondary incompetence.

      --
      I am TheRaven on Soylent News
  4. Surely this is a response to the crypto crash of 2 by Anonymous Coward · · Score: 0

    I look forward to seeing the bull market in crypto that will result from this audacious announcement! Whilst the world decries our movement, the fine open source software people at Mozilla are helping to ensure our freedoms.

  5. Chrome already does by Anonymous Coward · · Score: 0

    From the article: "Google never announced a formal rule that all new standards/features must work via HTTPS, but its engineers have always implemented recent features to work in secure contexts only"

  6. Loyal Firefox user for over a decade now. by fishscene · · Score: 5, Insightful

    ...and this might be the one thing that gets me off the Firefox bandwagon as it is an incredibly backwards move. TONS of stuff does NOT need https and does not need the overhead HTTPS incurs both in processing time and certificate management. Also, do I really need HTTPS for stuff on my trusted LAN? No? So now I have to jump through hoops to enable developer mode? Just... what are they thinking? What is the recommended fork of Firefox these days? Pale Moon?

    1. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      Basically everything needs HTTPS except reverse proxies on the same machine. Never heard of MITM? Are you fine with attackers/American ISPs injecting JavaScript into non-HTTPS pages?

    2. Re:Loyal Firefox user for over a decade now. by Kernel+Krumpit · · Score: 1

      I've tried both Pale Moon and Waterfox. I now use Waterfox as my Default Browser.

      --
      May the lies we live by make us strong, healthy, happy and wise - Kurt Vonnegut.
    3. Re:Loyal Firefox user for over a decade now. by Kernel+Krumpit · · Score: 1

      Where's that Edit Post button again? Sure I use Waterfox as Default but still keep Firefox around. Both use uBlock Origin and PrivacyBadger. Both cookies.sqlite are easy to copy/replace....

      --
      May the lies we live by make us strong, healthy, happy and wise - Kurt Vonnegut.
    4. Re:Loyal Firefox user for over a decade now. by QuietLagoon · · Score: 4, Interesting

      ...Just... what are they thinking?...

      Who knows if they are even thinking at all. The crowd that currently appears to be in charge at Mozilla seems to have a really strange perception of what the Firefox users want, and a strange perception of security. Yesterday I tried to log into the Mozilla site, but I was not allowed to because I would not let Mozilla persistently store tracking data on my PC. I allowed session cookies, but that wasn't good enough for them. Apparently they wanted access to offline web content storage.

    5. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      Clearly not true. Consider that in my industry (Broadcast) there are many, many little embedded boxes often running really small processors (Tens of MHz with maybe 128K of RAM and possibly as much as half a megabyte of flash), and these things have web interfaces for configuration.

      Now the kicker is that these things are never exposed to the internet, but do have lifetimes measured in terms of 10 years or so (you bolt them into the rack, configure them and leave them to do whatever it is they do), so the question becomes how exactly am I supposed to provide HTTPS certificates for them that will work with my (often not very savvy) users' PCs and will work in an environment where the customer configures the IP address of the box and there may well be no DNS server.

      If I try buying a certificate from a CA, it will expire before the box is retired, and will be tied to some specific IP address or name (You try buying a mainstream cert with expiry 20 years down the line!).

      We really need to separate notions of encryption from authentication, AES, even some form of key exchange I could do, certificates not so much (and they do not matter in this case).

    6. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 1

      I'd assume that, like every other new feature, they're thinking "well, Chrome did it."

    7. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      And web-based interfaces are an EXISTING feature, which is NOT changing. They're ONLY pushing this for NEW features. Think things like built-in RSS, or built-in syncing/password managers. Or maybe some new transport agent comes around (much like HTTP/2 did, which requires a secure context as well). Opera and Vivaldi have nice sidecars on them to pop up smaller pages, such as feeds or messenger sites. This would also be a "new feature" requiring the "secure context".

    8. Re:Loyal Firefox user for over a decade now. by Eravnrekaree · · Score: 3, Interesting

      The LAN issue is an interesting one, maybe Firefox should make an exception for the private IP addresses ranges. That would be reasonable. On the other hand, I am all for HTTPS for everything else, even eventually dropping non-SSL support altogether.

    9. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      FTA:
      "In addition to enforcing an HTTPS-only rule for new standards/features, Mozilla understands it must change the mind and working habits of day-to-day web developers.

      As such, Mozilla also plans to add developer tools to future Firefox releases to enable testing without an HTTPS server. This will help developers deploy HTTPS-friendly sites and apps even for older features (WebVR, Payment Request API, etc.) that have not been implemented in a strict HTTPS-only manner in Firefox."

    10. Re:Loyal Firefox user for over a decade now. by Obfuscant · · Score: 2, Insightful

      The LAN issue is an interesting one, maybe Firefox should make an exception for the private IP addresses ranges.

      You do realize, I hope, that "private IP address ranges" are in the eye of the beholder. Yes, there is a standard set, but if I want to treat 123.123.0.0/16 as "private" there is nothing you can do to stop me.

      On the other hand, I am all for HTTPS for everything else

      Then you are free to run all your websites using HTTPS only. I run several websites, and not a single one of them needs HTTPS for anything. One of those is for one of those awful universities that gets grant money to do research and then keeps the data secret -- by publishing it on an open website for anyone who wants to look at it. I don't get paid to do this, so I don't get paid to manage certificates because someone gets a bug about how insecure it is to come look at my public data using an unencrypted protocol. OMG, a MITM might substitute fake data! How awful!

    11. Re:Loyal Firefox user for over a decade now. by Quantum+gravity · · Score: 1

      The overhead for SSL is not the encryption. Not on a modern CPU it isn't. Any overhead is due to the extra communication steps to set up the connection. But HTTP 1.1 will do a single handshake and reuse the connection.

      "On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10 KB of memory per connection and less than 2% of network overhead. Many people believe that SSL/TLS takes a lot of CPU time and we hope the preceding numbers will help to dispel that." - Adam Langley, Google
      See: https://istlsfastyet.com/

    12. Re:Loyal Firefox user for over a decade now. by Obfuscant · · Score: 1

      On our production frontend machines, ... Adam Langley, Google

      So, if you have a huge compute infrastructure like Google does, SSL isn't much of a problem. Isn't it wonderful that all the websites in the world are run using massive parallel redundant servers like Google does it?

    13. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      And, as they say in the summary, they hope to move all features to HTTPS only.

    14. Re:Loyal Firefox user for over a decade now. by msauve · · Score: 1

      And how many full-time staff does Google employ to handle DNS and certificate management?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    15. Re:Loyal Firefox user for over a decade now. by tepples · · Score: 1

      So, if you have a huge compute infrastructure like Google does, SSL isn't much of a problem.

      Modern server CPUs contain AES instructions that make TLS bulk encryption efficient. If the computation cost of TLS were a practical problem, you'd be seeing the problem on your client whenever you browse Slashdot, SoylentNews, YouTube, or any other HTTPS site. Any website that's more than a collection of static documents has data storage, application logic, and presentation layers on the server side, and these probably use significantly more CPU time than TLS does.

    16. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      I have Waterfox as a fork

    17. Re:Loyal Firefox user for over a decade now. by bn-7bc · · Score: 1

      Well, I disagree. By default HTTP/2 requires HTTPS*, and with HTTP/2 you get better performance without dirty hacks like inlining; load times are actually reduced. OK, you pay for it with a bit more CPU usage, and you are right that certificates are needed, but how hard is it to add a cron job to run certbot every n days?
      * In their default configs both servers and clients require TLS to run HTTP/2.

    18. Re:Loyal Firefox user for over a decade now. by Junta · · Score: 1

      The question is what domain those embedded boxes are serving. You said yourself, they are never exposed to the internet. So if you *really* need to, you can add a reverse proxy that adds https to the session, with the endpoint being none the wiser. Also if they are never exposed to the internet, using a public CA certificate makes no sense, use a private one deployed to your employee systems. You can control expiry and all that. Or just let the insecure cert roll and use a browser like firefox that will store the exemption rather than requiring the gymnastics of having a CA certificate and managing all that stuff.

      Of course, you may not need to, since this only applies to 'new features', which are not things that these devices (or even most web developers in general) will use.

      Certificates from a technical perspective can facilitate a superset of key exchange strategies. The whole chaining to a third party down to a small root of public CAs is the sole feature focused on by some browsers, but ssh-style public key blessing is completely possible (and firefox at least manifests this as storing an exemption).

      --
      XML is like violence. If it doesn't solve the problem, use more.
    19. Re:Loyal Firefox user for over a decade now. by dryeo · · Score: 2

      Well, Slashdot broke on my dial-up connection when it switched to HTTPS (pages hardly ever fully loaded), as well as a lot of pages suddenly needing to be reloaded. You depend on the cache a lot more with a 26.4 kbps connection.
      Then there is the issue of small timers who want to serve a web page from home, using an old computer and dynamic hostname. Seems like another move to make sure that only large companies can serve content on the internet.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    20. Re:Loyal Firefox user for over a decade now. by omnichad · · Score: 1

      "private IP address ranges" are in the eye of the beholder.

      Somewhat true. I mean if you don't want to be able to connect to parts of China, you can use 123.123.0.0/16, but the IP range is defined as public - and registered under APNIC.

    21. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      You wouldn't need to worry if DANE TLSA were already implemented in Firefox. Unfortunately, Mozilla is too self-interested and selfish to actually implement the protocol. They've known about DANE TLSA for almost 7 years and have done NOTHING about it. Instead, they've wasted millions of dollars on the Let's Encrypt project.

    22. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      Isn't this just a good thing? Most if not all the new features in Firefox are crap, so this move finally provides a way to avoid using them. My 15-year-old Firefox journey ends when Debian pushes the new 57+ Firefox to my machines. Hopefully Pale Moon gets into Debian before that.

    23. Re:Loyal Firefox user for over a decade now. by viperidaenz · · Score: 1

      If there's no trusted 3rd party, what is the point of encryption?
      Unless you have a certificate or a shared secret, how do you know the party on the other end of the encrypted connection is who you think it is, and not a MITM? You don't, so what was the point?

    24. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      So instead of just enabling developer mode, you're going to take extra trouble to switch to another, inferior browser instead? Pff. Ok. #Loyalty #PowerUsers, I guess.

    25. Re:Loyal Firefox user for over a decade now. by dremon · · Score: 2

      HTTPS is not enforced for browsing the normal web sites but for the browser features (like WebRTC for example). Just read the article before complaining.

    26. Re:Loyal Firefox user for over a decade now. by viperidaenz · · Score: 2

      if I want to treat 123.123.0.0/16 as "private" there is nothing you can do to stop me

      And when your routing table has a hiccup, there's nothing to stop your "private" request being sent to Chinese servers.
      123.112.0.0 - 123.127.255.255 is owned by China Unicom

    27. Re:Loyal Firefox user for over a decade now. by viperidaenz · · Score: 1

      SSL/TLS adds little CPU overhead when your system has hardware-accelerated encryption engines to offload the encryption from the CPU.
      The overhead then becomes a DMA transfer and a kernel context switch.
      Or, if you're like Twitter (I think; it could have been some other big company), you write your own network stack to include the hardware encryption to avoid multiple kernel calls.

    28. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      "Not exposed to the internet" is not quite the same thing as "I get to decide what devices and software the clients use". It is quite possible to set up a wifi network that does not in any sense hook into the internet, and this is even quite useful on something like an OB truck, where being able to pull up a web page on your tablet to check a cross-point on an SDI router, or the Dolby metadata, or the audio level, or the uplink SWR and link margin while farting around head down in the wiring bay or on top of the truck does have its uses.
      I have certainly done the above on my phone (which is NOT under the IT department's control, thank you very much) and would rather like such things to continue to just work.

      The other end of the special-purpose device scale might actually use some of the shiny features; something like a multiviewer in the SMPTE 2022 or 2110 world is really just a butch blade server, again with no internet connectivity required or desired, probably no DNS, but interactive web pages, oh yes.

    29. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      Well, let's see: if I am running some sort of ephemeral key exchange based thing, it completely breaks the 'put a splitter on the fibre and passively record everything as it goes past' model of bulk surveillance, which has to be worth something?

      You are still exposed to a proper MITM of course, but that scales poorly when it comes to scarfing down all the traffic passing through a major internet exchange. Ad hoc, opportunistic encryption (even if it is fairly weak) is an economic attack on bulk surveillance because it explodes the cost of doing so.

    30. Re:Loyal Firefox user for over a decade now. by AHuxley · · Score: 1

      Re Just... what are they thinking?
      Man in the middle. It stops the collection of a user's plain-text communications along the internet.
      The data goes from a user's browser to the site or service the user expected, not to be collected by some 3rd party such as the ISP.

      --
      Domestic spying is now "Benign Information Gathering"
    31. Re:Loyal Firefox user for over a decade now. by Obfuscant · · Score: 1

      And when your routing table has a hiccup,

      Gee, yeah, if I misconfigure my network it won't do what I want it to do. I'm shocked to learn that. Shocked.

      I know that block is owned by someone else. That's the point.

    32. Re:Loyal Firefox user for over a decade now. by fishscene · · Score: 1

      And for non-Internet facing Internal websites? The ones that have no need of encryption whatsoever? Remember, this is for web standards going forward. So this isn't an immediate problem, but new web based features are going to get caught in this. For example, if there's a new standard for, say, WebAR (Augmented Reality) and I want to make a webpage where my kids press buttons and different objects appear on their screens. The webpage MUST run over HTTPS. So I'd have to allow both my server and tablet access to the Internet. Or I'd have to manually import a certificate (Many mobile devices don't like doing that indefinitely - so now I'm teaching my kids to do that whenever they see that warning ANYWHERE online. What do they care if it is a website in my home or not?). Or maybe I'd have to run my own CA to authenticate my server to my devices.... it starts to get ugly and cumbersome when all I wanted to do was something fun for the kids.
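Whether a home or LAN page gets the new features comes down to which origins the browser counts as a "secure context". As an added example, not from this comment, from Firefox or from Mozilla, here is the "is origin potentially trustworthy?" rule from the W3C Secure Contexts specification reimplemented in Node.js (the spec's UA-specific schemes such as browser-extension URLs are omitted), plus a second function implementing the RFC 1918 "LAN exception" that commenters in this thread propose but the spec does not contain. The `localhost`/`*.localhost` rule comes from later revisions of the spec; the rest is long-standing. Only the WHATWG URL parser built into Node.js is used.

```javascript
// Added example (not Firefox or Mozilla code): the Secure Contexts
// "potentially trustworthy origin" algorithm, as a reference for the LAN
// discussion, plus a hypothetical RFC 1918 exception layered on top of it.

// The URL parser keeps brackets around IPv6 literals; strip them.
function hostOf(url) {
  return url.hostname.replace(/^\[|\]$/g, '');
}

// True if the spec treats the origin of urlString as a secure context.
function isPotentiallyTrustworthyOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;                      // unparseable: opaque origin, never trusted
  }
  // Secure transports are trusted regardless of host.
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  // Local files are trusted.
  if (url.protocol === 'file:') return true;
  const host = hostOf(url);
  // Loopback traffic never leaves the machine, so plain http:// is fine there.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host) || host === '::1') return true;
  // "localhost" and "*.localhost" (RFC 6761): trusted in later spec revisions,
  // on the assumption that the resolver maps them to loopback.
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  // Everything else, RFC 1918 addresses included, is not a secure context.
  return false;
}

// RFC 1918 private-use IPv4 ranges: 10/8, 172.16/12, 192.168/16.
function isPrivateUseAddress(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// The "LAN exception" proposed in the thread, as a hypothetical rule on top
// of the spec (assumption: plain http to an RFC 1918 address is accepted).
// Note its limit: a public block someone "treats as private", such as
// 123.123.0.0/16, is still public space and stays untrusted.
function isTrustworthyWithLanException(urlString) {
  if (isPotentiallyTrustworthyOrigin(urlString)) return true;
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  return url.protocol === 'http:' && isPrivateUseAddress(hostOf(url));
}

// Report both rules for a list of origins.
function classify(origins) {
  return origins.map(origin => ({
    origin,
    spec: isPotentiallyTrustworthyOrigin(origin),
    withLanException: isTrustworthyWithLanException(origin),
  }));
}

// Origins taken from the discussion above (constructed sample input).
console.table(classify([
  'https://example.com/', 'http://localhost:8080/', 'http://127.0.0.1/',
  'http://[::1]/', 'http://192.168.1.10/', 'http://172.20.5.5/',
  'http://123.123.1.1/', 'http://example.com/',
]));
```

Running it shows the practical answer to the home-server question: a page served from the same machine over `http://localhost` already counts as secure, but the moment the tablet fetches it from `http://192.168.x.y` it does not, and no amount of local routing changes that; only TLS with a certificate the device trusts (or a spec change adding the exception above) would.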

    33. Re:Loyal Firefox user for over a decade now. by Quantum+gravity · · Score: 1

      "We have deployed TLS at a large scale using both hardware and software load balancers. We have found that modern software-based TLS implementations running on commodity CPUs are fast enough to handle heavy HTTPS traffic load without needing to resort to dedicated cryptographic hardware."
      - Doug Beaver, Facebook

    34. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      "...processing time..." ...is insignificant these days.

      "...certificate management..." ...is both free and automated these days.

      "...trusted LAN..." ...there is no trusted LAN anymore. Every network of significance has already been breached. Many have APTs installed. Therefore hackers have set up shop more or less permanently. And you still think your perimeter defenses are enough??

      No decent security specialists or network administrators think that way now. Defense in depth is the new way. Plan to be breached and assume that you already are breached.

    35. Re:Loyal Firefox user for over a decade now. by AHuxley · · Score: 1

      And for non-Internet facing Internal websites?
      If a non-Internet-facing internal website was created, the skilled staff can also suggest a browser to use on their supported network.

      --
      Domestic spying is now "Benign Information Gathering"
    36. Re:Loyal Firefox user for over a decade now. by Quantum+gravity · · Score: 1

      If you are interested, there is a simple performance comparison of non-encrypted HTTP 1.1 and encrypted HTTP/2 at: https://www.httpvshttps.com/

    37. Re:Loyal Firefox user for over a decade now. by roca · · Score: 1

      Among other reasons for TLS, anything accessible over the Internet via non-TLS HTTP can be hijacked for DDoS attacks via the "Great Cannon": https://en.wikipedia.org/wiki/...

    38. Re:Loyal Firefox user for over a decade now. by viperidaenz · · Score: 1

      Commodity CPUs now have hardware acceleration for AES.
      Intel and AMD have had it since 2008 https://en.wikipedia.org/wiki/...

    39. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      I'll put you down on my "never makes a mistake" list.

      Attitudes like yours are why stupid designs persist...

    40. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      There's an obvious use case for http without the s. How do you use a sniffer to debug your own connection if everything is encrypted?

    41. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      If you are interested, there is a simple performance comparison of non-encrypted HTTP 1.1 and encrypted HTTP/2 at: https://www.httpvshttps.com/

      Isn't that page really testing HTTP 1.1 and HTTP 2?

      I turned off HTTP 2 in the browser and encrypted load time became twice that of the unencrypted.

    42. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      > I run several websites, and not a single one of them needs HTTPS for anything.

      YOU may not 'need' it, but I do! I don't want my ISP or anyone else to see exactly, what pages I look at on your sites. With HTTPS all that's known is that I visited your domain but not what individual pages I read!

    43. Re:Loyal Firefox user for over a decade now. by locofungus · · Score: 1

      Firefox (on android at least) already does something very strange with RFC1918 addresses.

      I have a VPN to my home network on 192.168.x and a proxy server on 192.168.y.50. This all works fine and I can browse the web.

      But Firefox will not display any pages on an RFC1918 address, whether or not I go through the proxy, whether or not I set the config setting to leave DNS to the proxy. (The DNS server is also in 192.168.y.)

      The one thing I haven't tried yet is having DNS serve up a non-RFC1918 address to the browser but leave the proxy server getting the correct address. (Or even block DNS completely to the browser, as the proxy server sees requests for non-existent domains, just not domains that resolve to RFC1918.)

      Using a different browser works.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    44. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      The backwards movement started with HTTP2 support only working over SSL. And Chrome also jumped on that bandwagon so expect the EXACT same thing to happen with Chrome and all web browsers based on the firefox and chromium code base.

      It's phenomenally stupid to FORCE SSL before a feature is even adopted, because that results in the feature never being enabled by default on servers due to "zero support"

      Like, you know what I want to see "forced SSL" on? webassembly. This baby needs to be drowned in the bathtub before it turns into the next vector for malware, as it's already a vector for unwanted cryptocurrency miners showing up in ads and hijacked jquery libraries.

      Webassembly is a BAD idea, even worse than asm.js. None of this shit should be running in the web browser, WebGL shouldn't even have been a thing. 3D shit in the web browser... with all the security problems of games? webassembly is the next blackbox drm. Thanks a lot you morons.

    45. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      > Well Slashdot broke on my dial-up connection when it switched to HTTPS (pages hardly ever fully loaded)
      > as well as a lot of pages suddenly needing reloaded.
      > You depend on the cache a lot more with a 26.4 KBs connection.

      Normally SSL-fetched pages are, by default, not cached locally! You can override that, however.

    46. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      Clearly you don't use IoT devices.

      There is overhead, lots of it, for SSL. The desktop client is generally not the problem, the server is.

      Turn on SSL on 10- and 20-year-old servers running Linux and FreeBSD, and you can kiss half your capacity goodbye. These servers are often used by data centers as "cheap" hosting, as an alternative to a VPS.

      VPS are even worse. A VPS is often limited to a single core and 256MB of RAM, so the capacity is already constrained to about 20 concurrent users, and turning on SSL on these doubles the memory footprint, thereby cutting capacity in half.

      The people at Google and Mozilla have their heads so far up their ass in forcing SSL everywhere that they can no longer see they are forcing people off the web and into "apps" that have to embed their own HTTP/2 non-SSL client just to get away from this shit. You can't add SSL to most game/app clients because it bloats the memory footprint, since they often support a hundred different types of crypto when they only need to support one or two parts and none of the obsolete stuff. But because crypto is such a fast-moving target, often an obsolete crypto lib is worse than none, because it misleads the user into believing they are protected.

      Which is what Firefox and Chrome are offering. Let's Encrypt does absolutely nothing against phishing. Many people have been trained not to enter credit cards and passwords into non-SSL sites, so here come the phishing sites that have SSL.

      Here's how Firefox, Chrome, et al. can solve that, easily. Don't allow "Let's Encrypt" to be used for ecommerce. When LE is detected (non-EV certs), intercept credit card/password prompts and tell the user that the SSL cert for this site is not appropriate, and unless you have a trusted relationship with this site (full domain name), do not continue. And place a "Block PI from being saved/entered for this site" button. For the vast majority of sites this is sufficient, and only sites that manage their accounts externally will be affected (e.g. porn sites), by which point they can either buy an EV cert or just tell their users to trust the site.

    47. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      How is this any different than Chrome refusing to accept START.com certs? Enforcing these kinds of things is frustrating for lots of end users.

    48. Re:Loyal Firefox user for over a decade now. by TheRaven64 · · Score: 1

      The last computer I used where SSL was a noticeable performance hit was a low-end 486sx. When Netflix can saturate two 40GigE network adaptors doing TLS on every connection, with commodity Intel processors, the argument that TLS is expensive needs to die.

      --
      I am TheRaven on Soylent News
    49. Re:Loyal Firefox user for over a decade now. by TheRaven64 · · Score: 1

      20-year-old, I might give you. Just. As long as it was a cheap and crappy machine from 20 years ago. 10 years? No chance. A 10-year-old machine is going to be at least a Core 2 Solo, which can handle line-rate TLS on a 100Mbit connection without consuming more than a fairly small amount of CPU. The RAM usage per TLS connection is tiny. It was an issue on machines with 4MB of RAM servicing a few hundred connections, but on your low-end VPS with 256MB of RAM it's trivial.

      Most modern IoT devices have hardware AES, so aren't even doing most of the hard work in software, but even doing it entirely in software on something like a Cortex-M3 is very feasible at the kinds of network speeds that these devices can handle.

      --
      I am TheRaven on Soylent News
    50. Re:Loyal Firefox user for over a decade now. by dotancohen · · Score: 1

      TONS of stuff does NOT need https and does not need the overhead HTTPS incurs both in processing time and certificate management.

      Of course, those same tons of stuff do not need the latest and greatest Firefox features either. In fact, I would love to trip this "feature" on all websites. I hate websites that kill usability by incorporating all the latest features such as geo tracking, web asm, push notifications, etc.

      --
      It is dangerous to be right when the government is wrong.
    51. Re:Loyal Firefox user for over a decade now. by Anonymous Coward · · Score: 0

      Pale Moon, definitely. I switched last fall and it's been great.

  7. Does this mean we get XUL extensions back? by Anonymous Coward · · Score: 0

    No? Then we will stick with Waterfox, Pale Moon and Basilisk. Putting in things that require setting up "secure" servers (which aren't anymore, due to Meltdown and Spectre) means that enterprises will cling harder to Internet Explorer.

    1. Re:Does this mean we get XUL extensions back? by ArhcAngel · · Score: 1

      This! I tried Waterfox back in 2011 when it was one of the only 64 bit browsers available and never looked back. There are a few 32 bit systems I still need and I wish there were a 32 bit build for them. All the modern features of FF 56 (a new version based on 57 is in the works but it will be a while) none of the tracking nor any of the nanny features Google and Mozilla are forcing on ALL users because some people can't be trusted to not click on that suspicious link.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    2. Re:Does this mean we get XUL extensions back? by KozmoStevnNaut · · Score: 1

      "We" meaning "maybe 100 grumpy neckbeards".

      --
      Eat the rich.
  8. Sigh. I need a proxy. by Anonymous Coward · · Score: 0

    I badly need a proxy to put in front of firefox to do the heavy lifting (yes, a MITM proxy). Otherwise FF does what it wants and not what I want.

    I *hate* authoritarian people. I *hate* authoritarian software *with passion*

  9. SSL is good and all, but shouldn't be mandated by Anonymous Coward · · Score: 0

    I'll agree that having most of the web SSL is good, but it should not be mandated. Some things just don't need it.

    Let's say I make a temperature sensor that serves up a page from a microcontroller with the temperature. You are now mandating that I put an SSL engine into a microcontroller if I want to serve it in some way that makes use of a new web technology?

    1. Re: SSL is good and all, but shouldn't be mandated by Anonymous Coward · · Score: 0

      That, or you use a reverse proxy that people on the internet talk to.

    2. Re:SSL is good and all, but shouldn't be mandated by Eravnrekaree · · Score: 1

      You have a really good point there. While generally I think it's good for internet sites to be compelled to support SSL, there should be a way for the user to create exception rules in the browser for these situations (as with a self-signed cert), with adequate warnings similar to the self-signed or expired cert screens. A setting should be included in the advanced section for setting up rules to permit non-SSL sites as well.

    3. Re:SSL is good and all, but shouldn't be mandated by Anonymous Coward · · Score: 0

      It appears that "user choice" has been de-prioritized.

  10. Then it is non-standard by williamyf · · Score: 3, Insightful

    If the standard calls for a feature to work on both HTTP and HTTPS, and you implement only HTTPS, then it is not a standards-compliant implementation...

    Come on Mozilla Foundation! Those heavy-handed tactics could work when your market share was about 50%, but not anymore...

    JM2C, YMMV

    --
    *** Suerte a todos y Feliz dia!
    1. Re:Then it is non-standard by Anonymous Coward · · Score: 0

      Couldn't have said it better.
      I'm getting sick and tired of Mozilla trying to be the Web Police. The W3C get to define the standards; Mozilla should damn well follow them.
      At this rate Firefox is gonna end up being like IE6, with web developers having to add in shitloads of workarounds to get stuff to work as expected.

    2. Re:Then it is non-standard by tepples · · Score: 1

      The W3C get to define the standards

      Is this one?

    3. Re:Then it is non-standard by viperidaenz · · Score: 1

      There are new standards that are specified to only by run from secure contexts. Service Workers is one of them.

    4. Re:Then it is non-standard by viperidaenz · · Score: 1

      The W3C get to define the standards

      Is this one?

      Specifically this part: 7.4. Restricting Legacy Features

    5. Re:Then it is non-standard by Anonymous Coward · · Score: 0

      The W3C get to define the standards

      Is this one?

      Specifically this part: 7.4. Restricting Legacy Features

      First sentence: "This section is non-normative"

  11. Will this stop nosy overreaching gov & corps? by Rick+Schumann · · Score: 1

    If everything is HTTPS will that stop nosy ISPs and even nosier government agencies (or anyone else for that matter) from snooping? So far as I know, it won't.

  12. Support DANE by Anonymous Coward · · Score: 0

    Then we can talk.

    1. Re:Support DANE by WaffleMonster · · Score: 2

      Then we can talk.

      Rolling out DNSSEC without first addressing DNS amplification is dangerous and irresponsible.

    2. Re:Support DANE by Anonymous Coward · · Score: 0

      Forcing everybody to use HTTPS is just as reckless when that means almost everybody will rely on a single CA.

  13. Encryption is the new fad by RightwingNutjob · · Score: 3, Insightful

    Last month bitcoin was the new fad. These silicon valley types must have been drinking too much Raw Water(TM) and picked up some brain parasites.

    Very little needs to be encrypted or authenticated. Not everything that needs to be encrypted when going through the open internet needs to be encrypted or authenticated when happening on a closed LAN. Encryption isn't for free. SSL certificate management isn't for free. When stepping away from the half of web browser use that happens on the open internet and into the other half that happens on closed networks, it is wasted effort for no benefit.

    1. Re:Encryption is the new fad by dcollins117 · · Score: 1

      Very little needs to be encrypted or authenticated.

      Then always use encryption so you don't have to think about whether you "need" it or not.

      SSL certificate management isn't for free.

      Let's Encrypt helps out here. It's not a huge pain in the ass anymore and doesn't cost users money.

      The problem I see here is my router and cable modem web interfaces don't support https. I know as I just tested them. These are fairly new devices too.

    2. Re:Encryption is the new fad by RightwingNutjob · · Score: 1

      Let's Encrypt can go fuck itself. If the functionality of your system depends on yet another third party, then it isn't free.

    3. Re:Encryption is the new fad by Obfuscant · · Score: 2

      Then always use encryption so you don't have to think about whether you "need" it or not.

      I've already thought about it. For the websites I run, it isn't needed. It isn't worth my time managing certificates for them.

      It's not a huge pain in the ass anymore

      So it is still a pain in the ass, just not a huge one. See above.

      The problem I see here is my router and cable modem web interfaces don't support https.

      I connected to the embedded web server in my HP printer for the first time just last night. It did HTTP just fine. Then it demanded to switch to HTTPS because I was going to enter a password. The first thing Firefox did was bitch about the certificate and make me go through the "add exception" process, after puking up the warning about being a bad site. That was possible only because I have an old FF on my system.

    4. Re:Encryption is the new fad by RightwingNutjob · · Score: 1

      Same thing happens to me at work all the time. Some internal website gets served out of a machine that wasn't made to play with our internal CA quite right, and I have to hack FF to display it because HSTS is set by the server but the wrong certificate is being served out. The best use of time and resources (your taxes at work; we're on a US government contract) is not to have a 100/hr IT compliance officer waste his time configuring a server that's going to be used for a week and then wiped again.

    5. Re:Encryption is the new fad by Anonymous Coward · · Score: 0

      Very little needs to be encrypted or authenticated. Not everything that needs to be encrypted when going through the open internet needs to be encrypted or authenticated when happening on a closed LAN. Encryption isn't for free. SSL certificate management isn't for free.

      I would argue most of that.

      For LAN use? Yes, that is completely true.

      For the Internet? You'd be hard pressed to find a website that you only send GET requests to and never submit any other data, combined with never transferring any data from that website that is used anywhere but within your browser.

      Other than those rare exceptions, you at the very least do need to authenticate that the website you're getting data from is actually where that data is coming from!

      As for encryption not being free, well it's as not free as running a web server is not free.
      If you are already committed to spending a few minutes getting and configuring a web server to function at all, it's hard to argue the extra couple of minutes to get a certificate is any cost worth mentioning.
      It literally costs nothing but a small amount of time, which is dwarfed by the larger amount of time you already believe is OK to spend to get and setup the web server!

      The certificate management is similar. The CPU cycles to auto-renew your certificate is dwarfed by the CPU cycles Apache server spends just to idle. It's not like any of YOUR time is required for either, as both are just background daemons that do their thing.

      At least I hope you aren't trying to imply money or something is required, as that of course isn't true.

    6. Re:Encryption is the new fad by KozmoStevnNaut · · Score: 1

      On the contrary, I think *everything* needs to be encrypted. My traffic is private, no matter if I'm checking my mail or looking up cookie recipes. It does not concern anyone else what I do online.

      --
      Eat the rich.
    7. Re:Encryption is the new fad by RightwingNutjob · · Score: 1

      You're delusional if you think encrypting the channel protects your privacy when you don't control the other endpoint of the channel. Judging by your sig, you're delusional about other things too.

    8. Re:Encryption is the new fad by KozmoStevnNaut · · Score: 1

      ok

      --
      Eat the rich.
  14. Re:Will this stop nosy overreaching gov & corp by Anonymous Coward · · Score: 0

    "Let's Encrypt" is a US-based service, so no, this will not stop nosy governments.

  15. This press release is garbage by MobyDisk · · Score: 1

    Since the article at bleepingcomputer makes no sense, I went to Mozilla's site. It isn't much better. It says:

    Effective immediately, all new features that are web-exposed are to be restricted to secure contexts. Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR. In contrast, a new CSS color keyword would likely not be restricted to secure contexts.

    What is "observable from a web page or server?" I get that they are trying to prevent information leakage, but this statement is overbroad. I call B.S. on it.

    Mozilla programmers will not waste their time checking if HTTPS is enabled before supporting a new CSS property, or a new SVG feature. That would be a moronic waste of developer time. Heck, I bet they couldn't even implement that if they wanted to. Suppose their audio library or JPEG library or SVG library adds a new format or feature? Are they going to modify the library to check if the connection is secure then selectively disable that code? That would be somewhere between impossible and moronic.

    My hope is that this is just a badly worded press release.

    1. Re:This press release is garbage by Anonymous Coward · · Score: 0

      Looks like you agree this comes from management. Most managers are busy managing programming projects and that's good. It's the idle managers that are dangerous as they need to justify their jobs, so they come up with guidelines like this.

    2. Re:This press release is garbage by Anonymous Coward · · Score: 0

      Likely is not always or never. So they don't even know what they're going to restrict in the future, thus their statement about all new features is simply a lie.

    3. Re:This press release is garbage by roca · · Score: 2

      Mozilla developers like Anne know more about browser development than you do.

      In Gecko, restricting new DOM APIs to secure contexts is simply a matter of adding an attribute to the WebIDL:
      https://github.com/mozilla/gec...

      Probably something similar will be added to the CSS property list.

      There is also a single method you can call on the internal interface of a 'window' object to determine if you're in a secure context.
      https://dxr.mozilla.org/mozill...

      Selective disabling of new features is already standard practice. New features are almost always guarded by hidden preferences so they can be safely disabled just before release if a showstopper bug turns up, or so that they can be incrementally worked on over multiple releases without being shipped in a half-done state.

      There's very little extra work required here.

  16. Router, printer, NAS, and other FQDNless devices by tepples · · Score: 1

    There's no cost any more to getting a TLS cert

    Yes there is. You need a domain, for instance, and it has to be a fully qualified domain name (FQDN), not something like .local from mDNS or .internal from a private DNS server. For example, what would the FQDN of the configuration page of the router, printer, or NAS on your LAN be? Mozilla acknowledged the difficulty of securing such nameless devices on the LAN in "Deprecating Non-Secure HTTP Frequently Asked Questions":

    Q. What about my home router? Or my printer?

    The challenge here is not that these machines can't do HTTPS, it's that they're not provisioned with a certificate. A lot of times, this is because the device doesn't have a globally unique name, so it can't be issued a certificate in the same way that a web site can. There is a legitimate need for better technology in this space, and we're talking to some device vendors about how to improve the situation.

    It should also be noted, though, that the gradual nature of our plan means that we have some time to work on this. As noted above, everything that works today will continue to work for a while, so we have some time to solve this problem.

    But since May 2015, when Mozilla published this FAQ, I haven't seen it endorse a solution.

    The indieweb people seem to think every householder ought to buy (and continue to renew) a personal domain from a commercial domain registrar. I guess the owner of such a personal domain could allot subdomains of that domain for devices on his own home network and use the DNS challenge of Let's Encrypt to obtain certificates for these devices. Is this practical for most people?

  17. Private IP addresses on which network? by tepples · · Score: 1

    The only issues was Lan IP addresses and maybe an exception should be made for private IP addresses.

    You propose to exempt RFC 1918 private internets from requirements related to "Secure Contexts". If Firefox were to go this route, what logic would it contain to distinguish your home network from a probably less secure coffee shop network?

    1. Re:Private IP addresses on which network? by Junta · · Score: 1

      Or to treat private network ips or reserved dns different when it comes to the scary insecure dialogs that the user sees, even if it is still using https but cannot possibly validate a certificate. The key would be the text in the url, not the address so that enterprises can still manage meaningful certificates for RFC 1918 ip addresses.

      As it stands, using https without a viable certificate means the user gets scared far more than just doing http. Treating private names/ip addresses running https more like http (no padlock, warnings on all form inputs about insecure submissions, etc) might not be so unreasonable

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:Private IP addresses on which network? by tepples · · Score: 1

      An "enterprise" can afford either A. use of a fully qualified domain name or B. device management to insert the enterprise's own internal root CA as trusted on enterprise-owned devices. I'm more concerned about home users.

    3. Re:Private IP addresses on which network? by Strider- · · Score: 1

      You're assuming that the enterprise is capable of running equipment capable of speaking https, and more importantly the modern versions thereof. Not everyone keeps updating to the latest and greatest, especially when that's on a private network with no outside connectivity.

      I run a wireless network for a non-profit; it's running a pair of Cisco WLC-4404s for the wireless controllers. I don't have the budget to replace them, and they work perfectly fine for the task we ask of them. You might say "go with ubiquiti! or Meraki", but all of those cost more than what I already have, and what I paid, and often have fewer features.

      Their admin interface simply cannot handle a sha-256 certificate to secure its admin page. But that doesn't matter, because the only place that web page can be accessed from is the administration subnet. Yet the browsers bitch and complain and won't let me pick "Ignore it and remember this forever more". So what have I done? I set up an nginx proxy that connects to them via http, and releases it out over modern https. It's a stupid hack that serves no purpose, adds no security, and only serves to make the browsers happy.

      What I should be able to do is check a couple of boxes and basically say "Yes, I know this is insecure as hell, and I don't care." I've already had to stop using Chrome because it won't auto-fill passwords for anything except what is perfectly modern security. TLS 1.0? Too bad. SHA1 certificates? Too bad, so sad, go suck a lemon. So either I hack around it, or I use insecure passwords. Both of which are worse solutions.

      End rant.

      --
      ...si hoc legere nimium eruditionis habes...
    4. Re:Private IP addresses on which network? by Anonymous Coward · · Score: 0

      Perhaps it could use the logic that the user chooses?

    5. Re:Private IP addresses on which network? by tepples · · Score: 1

      I'd be interested to see your mock-up of a user interface to mark a particular LAN as trusted or untrusted that even non-technical users can understand.

    6. Re:Private IP addresses on which network? by Junta · · Score: 1

      I was saying specifically that browsers, when they see '192.168.' or 'example.local' in https, should treat things differently, which would be the home user.

      Enterprises wanting to meaningfully protect '192.168' addresses would issue certs of their own domain (since certs don't care about IP, but about what is in the url). Even if that domain resolves to 192.168, it would not receive particularly different treatment so long as a normal looking dns name were used to specify it.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    7. Re:Private IP addresses on which network? by tepples · · Score: 1

      I was saying specifically that browsers, when they see '192.168.' or 'example.local' in https, should treat things differently, which would be the home user.

      In this case, how can the browser tell home user from malicious coffee shop user?

    8. Re:Private IP addresses on which network? by Junta · · Score: 1

      It wouldn't say "oh yeah, totally secure", but instead say "here's some data, and it's not particularly protected", much like it does for http today, but without the excessively scary "this site is insecure and going to steal from you!", click advanced, click add exemption, click yes I'm sure, click add to exemption list, or whatever dance. Instead maybe just say "this local site cannot have its security verified, click to continue". Something less obnoxious, but still not going to be a viable channel for phishing.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  18. Cleartext HTTP vulnerable to script injection by tepples · · Score: 4, Insightful

    I run several websites, and not a single one of them needs HTTPS for anything.

    How do you assure visitors of the several websites you run that the markup, stylesheets, images, fonts, and possibly scripts on your site have not been modified in transit by an intercepting proxy between your server and the viewer's machine? Comcast, for example, has been shown to inject advertisement scripts into HTML documents delivered through cleartext HTTP.

    OMG, a MITM might substitute fake data! How awful!

    Thus you answer your own question. It is awful.

    1. Re:Cleartext HTTP vulnerable to script injection by Anonymous+Brave+Guy · · Score: 1

      Which is the greater danger, allowing web access in the clear (note that this does not preclude allowing secured access as well) or creating a single point of failure called "Let's Encrypt" such that if it does fail then suddenly the entire world has to start paying money for certificates or finds their sites no longer work properly?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:Cleartext HTTP vulnerable to script injection by Anonymous Coward · · Score: 0

      Citation needed. Modifying a website is copyright infringement and the couple minor ISPs I heard doing it very quickly stopped.

      Not everything needs to be completely secured. Whatever happened to freedom to make your own choices? If you don't want to visit a HTTP site, then use an addon which blocks all of them.

    3. Re:Cleartext HTTP vulnerable to script injection by tepples · · Score: 1
    4. Re:Cleartext HTTP vulnerable to script injection by tlhIngan · · Score: 2

      Which is the greater danger, allowing web access in the clear (note that this does not preclude allowing secured access as well) or creating a single point of failure called "Let's Encrypt" such that if it does fail then suddenly the entire world has to start paying money for certificates or finds their sites no longer work properly?

      Not only that, but with Let's Encrypt issuing out certificates so sites can phish, it seems like a good way to avoid all the Paypal and other phishing is to block the Let's Encrypt certificate. (they issued like 14,000 phishing certificates)

      Of course, we don't do this because Let's Encrypt is sponsored "by the good guys" (Mozilla, EFF, etc). But if it was some other CA, we'd be blocking them ASAP.

      It's only a matter of time before they issue a new wave of certificates to phishing and other scammy sites. Not sure how long until people DO start manually blocking Let's Encrypt to get rid of a bunch of problem sites.

      The overhead for SSL is not the encryption. Not on a modern CPU it isn't. Any overhead is due to the extra communication steps to set up the connection. But HTTP 1.1 will do a single handshake and reuse the connection.

      No, the overhead in SSL has been the management. Especially inside a LAN context where you have to add your own to the trusted root, and maintain it all everywhere and even then you probably run into an odd device or two that won't allow you to install a certificate.

    5. Re:Cleartext HTTP vulnerable to script injection by citylivin · · Score: 1

      "How do you assure visitors of the several websites you run that the markup, stylesheets, images, fonts, and possibly scripts on your site have not been modified in transit by an intercepting proxy between your server and the viewer's machine?"

      Considering all users have been trained to click through all these useless security prompts, add website exceptions, and trust any certificates thrown at them, i would be surprised - shocked even - if an invalid certificate made a user so much as pause as they rabidly mash keys trying to make it go away.

      Another instance of security professionals being completely oblivious to real world use and human nature.

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
    6. Re:Cleartext HTTP vulnerable to script injection by Anonymous Coward · · Score: 0

      Thanks.

    7. Re:Cleartext HTTP vulnerable to script injection by tepples · · Score: 2

      with Let's Encrypt issuing out certificates so sites can phish, it seems like a good way to avoid all the Paypal and other phishing is to block the Let's Encrypt certificate. (they issued like 14,000 phishing certificates)

      Why not go a step further to block the domain registrars that issue out domains so sites can phish?

    8. Re:Cleartext HTTP vulnerable to script injection by Anonymous Coward · · Score: 0

      If Comcast is your ISP, they can MITM you and inject ads regardless of HTTP v HTTPS.

      Maybe you should learn something about how all this shit works instead of parroting talking points others have put out there.

    9. Re:Cleartext HTTP vulnerable to script injection by tepples · · Score: 1

      If Comcast is your ISP, they can MITM you and inject ads regardless of HTTP v HTTPS.

      I don't see how. What CA would Comcast use to make the fake certificate for the HTTPS site I'm visiting?

    10. Re:Cleartext HTTP vulnerable to script injection by Anonymous Coward · · Score: 0

      Their own, and you have the choice of either adding it or not being able to access any HTTPS site.

    11. Re:Cleartext HTTP vulnerable to script injection by tepples · · Score: 1

      the choice of either adding [Comcast's MITM root CA certificate] or not being able to access any HTTPS site.

      That's the sort of Hobson's choice that drives subscribers to Frontier, even if Comcast does manage to afford the support staff to walk PC, smartphone, and tablet owners through installing it.

    12. Re:Cleartext HTTP vulnerable to script injection by Anonymous Coward · · Score: 0

      How does SSL ensure against the far more likely scenario of someone having replaced content on the server with fake content.... oh, it doesn't? So why the fuck would you bother with SSL for public information when it is not critical enough to ensure servers are adequately verifiable?

    13. Re:Cleartext HTTP vulnerable to script injection by bingoUV · · Score: 1

      Are there any free domain registrars ? With as little information about the phisher as potentially Let's Encrypt people do ?

      Information helps when you want the phisher caught.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    14. Re:Cleartext HTTP vulnerable to script injection by JMJimmy · · Score: 1

      So the SERVER should be using HSTS. The browser should not ignore an instruction to connect via HTTP if that's what is desired.

    15. Re:Cleartext HTTP vulnerable to script injection by tepples · · Score: 1

      the far more likely scenario of someone having replaced content on the server with fake content

      Citation needed that intrusion on the server itself is "far more likely".

    16. Re:Cleartext HTTP vulnerable to script injection by Anonymous Coward · · Score: 0

      How do you assure visitors of the several websites you run that the markup, stylesheets, images, fonts, and possibly scripts on your site have not been modified in transit by an intercepting proxy between your server and the viewer's machine? Comcast, for example, has been shown to inject advertisement scripts into HTML documents delivered through cleartext HTTP.

      No standard user will recognize a single word of what you just said, or why any of it could be a risk to them. They had their eyes glaze over the second they read the word 'stylesheets'. They don't care nor will they care about any of it. The only exception will be if and only if they get told that's why their system got hacked, and even then they will only care so long as it's the current topic of "why the damn thing is causing me problems". When the next problem comes they will forget anything and everything about it.

      A more advanced user would recognize that if authenticity was an issue, not to use the site in question as a reference or source. (Or at the very least, they would recognize the need to verify its material with another more trusted source.)

      A superuser (pun intended) would recognize the error in judgement you made when you decided to base your decision of trust solely on the Identity that the server (or someone else) gave you, using an authority that's installed on every device known to man, and probably requires payment for a new one. They would also recognize that although yes, it is a layer of security, it's also an easily compromised one, where if trust is a real issue, its use would not cause an uptick in trustworthiness.

      TL;DR Standard Users don't care if shit gets modified in transit. More advanced users wouldn't use it if it was important enough to care about. HTTPS as it's currently deployed is useless for real security, except for trivial data where exposure is not too damaging, or its value is too low for others to bother with.

    17. Re:Cleartext HTTP vulnerable to script injection by tepples · · Score: 1

      How do you assure visitors of the several websites you run that the markup, stylesheets, images, fonts, and possibly scripts on your site have not been modified in transit by an intercepting proxy between your server and the viewer's machine?

      No standard user will recognize a single word of what you just said, or why any of it could be a risk to them.

      That's because I phrased that particular sentence for you, not for non-technical visitors. Phrased for them, it may read as follows:

      How do you assure a visitor that the visitor's ISP isn't adding advertisements or false information to your page on its way to the visitor's computer or phone?

      Users don't care if shit gets modified in transit.

      That used to be the case before accusations of "fake news" made the national news.

  19. If ? by fahrbot-bot · · Score: 0

    This means that if Firefox will add support for a new standard/feature ...

    If ? I spend bunches of time with each new release trying to figure out how to disable new Firefox "features".

    --
    It must have been something you assimilated. . . .
  20. Re:Router, printer, NAS, and other FQDNless device by Junta · · Score: 1

    He did mention explicitly private addresses.

    It is a valid point that https on embedded devices and for unmanaged local networks is pretty awkward, with no one really stepping up to make that use case a bit more friendly (even if it can't be made secure).

    It's of course very weird that browsers treat unvalidated https as *worse* than http, in terms of scaring the user.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  21. Re: In the words of Paul McCrane.... by Anonymous Coward · · Score: 0

    Creimer YouTube link spam.

  22. Secure Contexts (W3C CR) by tepples · · Score: 1

    If the Standard call for a feature to work on Both HTTP and HTTPS, and you implement only HTTPS, then is not an standards compliant implementation...

    Nor does an implementation comply if the browser implements it over cleartext HTTP but the standard specifies that it shall not work over cleartext HTTP. A growing number of web standards specify such, citing things like the W3C Candidate Recommendation "Secure Contexts".

    Those heavy-handed tactics could work when your market share was about 50%, but not anymore...

    That'd be a good comeback if plurality browser Chrome weren't also doing it.

    1. Re:Secure Contexts (W3C CR) by MobyDisk · · Score: 1

      Chrome says it is applying this to things like geolocation and encrypted media. Firefox says it applies to CSS color properties. Chrome explicitly ignored these rules on localhost, Firefox didn't.

    2. Re:Secure Contexts (W3C CR) by roca · · Score: 1

      Firefox hasn't applied the new approach to anything yet. Neither has Chrome. Chrome will probably follow Firefox's lead here.

      Note that Anne's guidelines explicitly make an exception to allow a feature to work in insecure contexts if another major browser (Chrome) is already doing so. Mozilla isn't going to do anything suicidal like stop features from working in Firefox when they work in Chrome.

  23. What process sandbox? by tepples · · Score: 1

    Can't be Chrome since it is less secure than Firefox, even pre-Quantum.

    Since when did Firefox start using OS-level process sandboxing the way Chromium and Google Chrome do?

    1. Re:What process sandbox? by Anonymous Coward · · Score: 0

      https://wiki.mozilla.org/Security/Sandbox

      It's not yet as tight as Chromium's sandboxing, and they don't use the same number of processes, but it's definitely there. It's been there for quite a long while now, even in the stable releases, but it was disabled for users with incompatible legacy addons/accessibility solutions until Firefox 57.

    2. Re:What process sandbox? by roca · · Score: 1

      Since last year.

  24. comcarp paid them so $10 device /outlet ipv6 by Joe_Dragon · · Score: 1

    comcarp paid them so it will cost you $10 per device/outlet on ipv6 and it will get an FQDN over the Comcast gateway (must rent at $12/mo) with IPV6 DHCP

  25. Re:Router, printer, NAS, and other FQDNless device by Octorian · · Score: 4, Informative

    Let's Encrypt has short-lived certificates, which are kinda useless and annoying when you have a device that is *not* a general-purpose computer capable of running their scripts.

    Am I really going to do a manual process on every cable modem, WAP, router, printer, switch, AP, IoT device, etc, every 3 months?

    The "local network devices" problem is a real problem, and it's never given proper attention in these HTTPS proclamations.

    I "solved" it for myself by setting up a local CA to make certs for my stuff. Unfortunately, getting the cert for that CA into all my browsers is annoying, and can introduce its own share of issues.

  26. False sense of security from self-signed cert by tepples · · Score: 1

    It's of course very weird that browsers treat unvalidated https as *worse* than http, in terms of scaring the user.

    Cleartext HTTP gives the user a true sense of insecurity, as the scheme portion of the URL doesn't say https. Self-signed HTTPS gives the user a false sense of security, as it increases the chance for MITM to intercept the connection, unless the user has already verified the certificate fingerprint out of band. (It shares this false sense of security with SSH servers that don't publish server key fingerprints elsewhere.) I guess Mozilla considers the sense important to users' privacy and safety.

    1. Re:False sense of security from self-signed cert by bn-7bc · · Score: 1

      I agree, self-signed certificates pose a problem, at least for things that are publicly available, which is why all browsers warn about them. The embedded problem however is, as pointed out, a harder nut to crack. Sadly I have no idea on even where to start on that one.

    2. Re:False sense of security from self-signed cert by Junta · · Score: 1

      There is a large part of the browser-using population that never bothered to understand the significance of the url. Back 20 years ago, it was a pretty fundamental concept to know; nowadays they are hidden behind links, no one ever *types* https (they just hit a domain or google search), and url shorteners in twitter have trained people that urls are indecipherable. They even *hide* the http:// portion of the url if not https://, so that opens the door to hiding the https:// portion of the url if the url is insecure.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:False sense of security from self-signed cert by Junta · · Score: 1

      My suggestion:

      -http:// should be at least as scary as self-signed cert, because a large contingent of users have no idea about the significance of that part of the url because they never had need to understand
      -If contending with a legitimately global domain name (even if it resolves to a private address) or globally valid ip, then let fly with the paranoid messages
      -If contending with 192.168/16, 172.16/12, or 10/8 (literally in the url given, not based on what DNS might resolve to), or a name that ends in .local or .test, behave more like ssh (that prompts, but makes it super easy to store that exemption). Firefox comes closest, but it nags you like crazy, it should be a single button that says 'add and continue'. Could also add fd::/8 to the list, though I'm doubtful that many folks are using IPv6 by ip in a browser url for 'quick and dirty' access to something.

      --
      XML is like violence. If it doesn't solve the problem, use more.
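One way to implement the classification Junta proposes, as an added example that is neither from the thread nor from any browser: it decides on the literal host in the URL only, never on what DNS resolves to. The fd::/8 in the post is read here as the IPv6 unique-local block fd00::/8, and the warning-level names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Address blocks the post names, matched only against a literal IP in the URL
# (assumption: fd::/8 in the post means the unique-local block fd00::/8).
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_V6 = [ipaddress.ip_network("fd00::/8")]
# Name suffixes the post treats as local; matched on the literal name, never on DNS.
LOCAL_SUFFIXES = (".local", ".test")

# Hypothetical warning levels, ordered from quietest to loudest.
LEVELS = ("none", "prompt", "warn", "interstitial")


def is_local_origin(url: str) -> bool:
    """True if the URL's host is a literal private IP or a .local/.test name."""
    host = urlsplit(url).hostname  # lowercased; IPv6 brackets and port removed
    if not host:
        raise ValueError(f"no host in {url!r}")
    host = host.rstrip(".")  # "printer.local." is still printer.local
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: decide on the name alone. A public name that merely
        # resolves to 192.168.x.x is deliberately *not* treated as local.
        return host.endswith(LOCAL_SUFFIXES)
    nets = PRIVATE_V4 if addr.version == 4 else PRIVATE_V6
    return any(addr in net for net in nets)


def warning_level(url: str, cert_valid: bool) -> str:
    """Pick the UI treatment for a page load under the post's three rules."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "http":
        # Rule 1: cleartext is at least as loud as a self-signed cert on a
        # local origin ("prompt"), so it gets the next level up.
        return "warn"
    if scheme != "https":
        raise ValueError(f"unsupported scheme {scheme!r}")
    if cert_valid:
        return "none"
    # Rule 3: private IP literal or .local/.test name -> ssh-style one-click exemption.
    # Rule 2: anything else, including a public name resolving privately -> full interstitial.
    return "prompt" if is_local_origin(url) else "interstitial"


def louder_or_equal(level_a: str, level_b: str) -> bool:
    """True if level_a is at least as loud as level_b in the LEVELS ordering."""
    return LEVELS.index(level_a) >= LEVELS.index(level_b)


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the thread.
    samples = [
        ("http://printer.local/", False),
        ("https://printer.local/", False),
        ("https://192.168.1.1/", False),
        ("https://[fd12:3456::1]:8443/admin", False),
        ("https://172.32.0.1/", False),             # just outside 172.16/12
        ("https://10.0.0.5.example.com/", False),   # a name, not an IP literal
        ("https://router.example.com/", False),
        ("https://bank.example/", True),
    ]
    for url, ok in samples:
        print(f"{url:40} cert_valid={ok!s:5} local={is_local_origin(url)!s:5} "
              f"-> {warning_level(url, ok)}")
```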
  27. system behind reverse proxies do not run https by Joe_Dragon · · Score: 1

    system behind reverse proxies do not run https in all places

  28. So I have to put servers' IPMI on the internet so th by Joe_Dragon · · Score: 1

    So I have to put servers' IPMI on the internet so maybe use Let's Encrypt (with maybe auto renew) or just keep them offline and manually update certs all the time on each one

  29. Re:Router, printer, NAS, and other FQDNless device by tepples · · Score: 1

    Let's Encrypt has short-lived certificates, which are kinda useless and annoying when you have a device that is *not* a general-purpose computer capable of running their scripts.

    What is the web server itself running on if not "a general-purpose computer"? If a special-purpose computer locked down to run only particular web server software, this particular web server software can include an ACME client. Certbot is not the only ACME client that can retrieve a certificate from Let's Encrypt or another ACME CA.

    Am I really going to do a manual process on every cable modem, WAP, router, printer, switch, AP, IoT device, etc, every 3 months?

    No. The manufacturer of "every cable modem, WAP, router, printer, switch, AP, IoT device, etc" will include an ACME client (or some other means of renewing a certificate) in the software package that runs the web server in said device.

    The real problem is configuring which domain a device uses, as Let's Encrypt issues only 20 certificates per domain per week under a particular registrable domain based on Mozilla's Public Suffix List. And I'm told it takes months for a dynamic DNS host or other subdomain provider to get onto that list. But if you manufacture hardware devices or publish commercial software, as opposed to gratis software that a user can install on a generic computer, you can do what Plex did: become a reseller for some trusted CA to issue certificates for subdomains of your domain.

  30. Re: Router, printer, NAS, and other FQDNless devic by Anonymous Coward · · Score: 0

    COMODO had reseller programs to get Certs for less than $3/yr depending on volume.

    I buy my certs from GoGetSSL.com and can get very basic certs for around $6/yr.

  31. Re:Router, printer, NAS, and other FQDNless device by Anonymous Coward · · Score: 0

    Q. What about my home router? Or my printer?

    Don't worry--they'll just do some shitty hack like requiring you to use your router as your DNS server and then intercepting requests for https://mylocalrouter.com/ and point it to 192.168.1.1. At least until DNSSEC is fully implemented and it can't inject that crap into the global DNS space. But by then *every* router and printer will be a 'cloud router' and 'cloud printer' that can only be managed online through a website for a small nominal monthly fee...so you won't have to worry about it.

  32. Clients cache HTTPS by tepples · · Score: 2

    The web browser caches resources delivered through HTTPS the same way as resources delivered through cleartext HTTP. The only thing you lose is being able to cache on an intermediate proxy, but that is relevant if you're splitting one dial-up connection among multiple clients.

    Then there is the issue of small timers who want to serve a web page from home, using an old computer and dynamic hostname.

    File a support ticket with your dynamic DNS provider to request addition to the Public Suffix List. If a dynamic DNS provider is on the Public Suffix List, Let's Encrypt issues 20 certificates per customer per week instead of 20 per provider per week. The other benefit of being on the PSL is that sites on the same dynamic DNS provider can't see each others' cookies.

  33. Re:Router, printer, NAS, and other FQDNless device by viperidaenz · · Score: 1

    My ISP supplied me with a Fritzbox for a router. They have Let's Encrypt support in their current beta firmware.
    Although they still give people shitty netgear routers if they don't have gigabit plans...

  34. DNS registries and registrars by tepples · · Score: 2

    If the functionality of your system depends on yet another third party, then it isn't free.

    DNS registries and registrars are third parties. What makes a CA any different from DNS in this respect?

    1. Re:DNS registries and registrars by RightwingNutjob · · Score: 1

      On your own private LAN, you don't need either. You can make it all work with packets over port 80 and you can serve out webpages with nothing fancier than ethernet chip and a PIC16.

    2. Re:DNS registries and registrars by tepples · · Score: 1

      How many "new Firefox features" is a site on a server with such limited resources going to use?

    3. Re:DNS registries and registrars by RightwingNutjob · · Score: 1

      Probably very few. But it will already show up with an unsecure site warning. And who knows...maybe plain old HTML will be next on the chopping block.

  35. Re:So I have to put severs IPMI on the internet so by tepples · · Score: 1

    If you don't want to expose your server to the Internet, you can use Let's Encrypt with an ACME client that supports the DNS challenge instead of the HTTP challenge.

  36. Re:Router, printer, NAS, and other FQDNless device by Anonymous Coward · · Score: 0

    Good luck getting ISPs to support your personal domain with fixed IPs and open ports.

  37. Lies, damn lies, & first lie wasn't exactly a by Anonymous Coward · · Score: 0

    People need to remember that non-mainstream browser numbers are usually distorted, due to the incentives for less-popular browsers to send user-agent strings to masquerade as more popular browsers. So, you can't believe the numbers themselves. But you probably can somewhat infer relative popularity. The whole reason the numbers get polluted, is because some browsers aren't popular enough to have the clout to use their own name. So it's simultaneously real and unreal.

    That said, I can't imagine why the fuck Safari would do that. I bet the above numbers are just plain wrong, or else taken from some site whose content doesn't fit with the Safari user niche. (e.g. perhaps the numbers were taken from a site that does Android SDK downloads or has Visual Basic documentation.) On my non-technical site (content doesn't have a bias toward users having any particular software) Safari measures (for whatever that's worth; see 1st paragraph) at 34%.

  38. Re:Router, printer, NAS, and other FQDNless device by unrtst · · Score: 1

    There's no cost any more to getting a TLS cert

    Yes there is. You need a domain, for instance, and it has to be a fully qualified domain name (FQDN), not something like .local from mDNS or .internal from a private DNS server. For example, what would the FQDN of the configuration page of the router, printer, or NAS on your LAN be?

    You do not need your own top level domain (example.com). You can get a FQDN for free under other existing domains.
    That said, you have a point, since that would significantly lower the level of trust (if you own the domain, the registrar could steal it out from under you, so you have to have some trust in them; if you get a subdomain off a third party, they can easily steal your subdomain, so you would have to trust them not to do so).

    That risk is probably why the market for free FQDNs isn't very big. Most people that need one would rather just buy one for the few bucks a year it costs.

  39. Warning versus forbid by Tablizer · · Score: 1

    I'm okay with a warning mechanism, such as yellow bar, or a pop-up confirmation that has a "do not show this message for this site any more" option. But to outright not allow, or repetitious prompts is too much. The little guy can't afford a fricken certificate.

    1. Re:Warning versus forbid by Strider- · · Score: 1

      This is especially true when it comes to password storage mechanisms. Chrome will outright refuse to enter username/password pairs into websites if the SSL certificate isn't perfect. It will do it for http, and working https, but won't do it for broken https. Yes, it's broken, but we the users should have the choice here; some of us are administering gear on airgapped/firewalled networks where supporting the latest and greatest SSL standard isn't a huge priority, and/or getting updates to the old equipment is not going to happen for financial reasons, or because the provider simply no longer exists.

      --
      ...si hoc legere nimium eruditionis habes...
  40. Re:Router, printer, NAS, and other FQDNless device by jrumney · · Score: 1

    The manufacturer of "every cable modem, WAP, router, printer, switch, AP, IoT device, etc" will include an ACME client (or some other means of renewing a certificate) in the software package that runs the web server in said device.

    Does letsencrypt.org issue certificates for private IP addresses now? Most such devices limit their configuration interface to the internal facing interfaces.

  41. Re:Will this stop nosy overreaching gov & corp by AHuxley · · Score: 1

    Mil, security services have the keys so nothing stops them from collect it all over any generation of tech.
    Police who get ISP logs will be the interesting change.
    ISP will have to get some new skills if they want to keep looking over a users communications.
    Ad will have to change and become part of a site in some way.

    --
    Domestic spying is now "Benign Information Gathering"
  42. SSL certificate signing by OrangeTide · · Score: 1

    Ultimately it's a flawed system that is more about making money for the handful of Certificate authorities than about providing security to your average home user. Forcing everyone to HTTPS doesn't do much more than highlight CAs as the chokepoint of the Internet.

    --
    “Common sense is not so common.” — Voltaire
  43. Re:Router, printer, NAS, and other FQDNless device by tepples · · Score: 1

    You can get a FQDN for free under other existing domains.

    But then you're more likely to run into CA-imposed rate limits because many subdomain providers aren't on the Public Suffix List yet.

  44. Re:Router, printer, NAS, and other FQDNless device by tepples · · Score: 1

    Hosts on a personal domain need not accept connections from the public. If the domain needs a public presence, it can be hosted on some cheap static site host.

  45. Re:Router, printer, NAS, and other FQDNless device by tepples · · Score: 1

    Let's Encrypt will issue a certificate to the domain owner even if the hostname in the certificate is not the hostname of a server reachable through the Internet. For unreachable hosts, Let's Encrypt verifies domain control through the ACME dns-01 challenge, which requires putting a temporary TXT record in your domain's DNS zone.

  46. Open Source Saboteurs by Anonymous Coward · · Score: 0

    For a long time now, I've been thinking: how do corporations like Microsoft, Google, Apple, et al, compete with the burgeoning open source movement? The only answer I can come up with is the old MSFT "embrace and extinguish". These guys with all their money can easily buy out and pay for people to infiltrate and then royally screw over what were once great open source programs. How else can anyone explain wtf Mozilla has been doing for the last few years? (Serious question, btw. I would appreciate your answers so I can unweld this tinfoil hat.) It should be easy to spot Open Source Saboteurs. Mozilla's executive board are clearly bought and paid for in my view, as is Lennart Poettering. More care needs to be take to expose other Open Source Saboteurs.

  47. Why this unseemly haste? by Anonymous Coward · · Score: 0

    Been bothering me for a while now. Why are the massive corporations so desperate to get us ALL on https? So desperate they're giving it away for free? Sure, secure comms are an intrinsically good idea in theory. But a lot of the Internet doesn't actually need it. Unless, of course, you want to close the Internet so that individuals and small entities can no longer play in future...

    For a corollary, look at the old movie industry in the early 20th century. Anything went! But then the money moved in and took over...

  48. So Only Google by Anonymous Coward · · Score: 0

    ...uses Intel, or AMD, or Power, or ARM, or SPARC processors?

    Seriously, an el-cheapo Chinese smartphone has enough processor power to run SSL. A Raspberry Pi has enough CPU. An Xbox or PS/3 controller has enough CPU!

    What are you using, a Lego CPU? Oh, wait, that still has enough horsepower to run SSL!

  49. Re:Lies, damn lies, & first lie wasn't exactly by tepples · · Score: 1

    On my non-technical site (content doesn't have a bias toward users having any particular software) Safari measures (for whatever that's worth; see 1st paragraph) at 34%.

    Safari is currently Mac-only among desktop platforms. I'd be surprised if over 34 percent of visitors to your site use a Mac. Or are you counting Safari for iOS in your 34 percent? Rick Schumann doesn't appear to be.

  50. Mozilla refused to fix MITM by Anonymous Coward · · Score: 0

    And Mozilla refused to fix HTTPS MITM.

  51. You could write your own ACME client by tepples · · Score: 1

    even "free" things like Let's Encrypt are not free. They will not give me a cert. What they will do is let me run their software which will magically do the cert shit for me.

    Or you could read the published specification for Automatic Certificate Management Environment (ACME) and write your own such software.

    1. Re:You could write your own ACME client by Anonymous Coward · · Score: 0

      even "free" things like Let's Encrypt are not free. They will not give me a cert. What they will do is let me run their software which will magically do the cert shit for me.

      Or you could read the published specification for Automatic Certificate Management Environment (ACME) and write your own such software.

      No way I'd trust those guys. I only trust self-signed certs

  52. Secure context is more than encryption by Anonymous Coward · · Score: 1

    It also protects against spoofing servers, MITM (Man in the Middle) attacks, altering / faking / changing content in-transit (as AT&T / Verizon has done in the past).

    Probably they think this is more about protecting their users than just ensuring the data can't be seen by prying EYE5.

  53. Thank you for the info on Waterfox... apk by Anonymous Coward · · Score: 0

    See subject: I like Waterfox (& CyberFox + PaleMoon too) so I look forward to a new FF 57++ engine stripped of tracking/advertising (or other unwanted in/out bound communique in 'modern browsers' (advertising & tracking engines)).

    * Again, thanks!

    APK

    P.S.=> All the 3rd party modders of FF (especially for 64-bit do a really good job of it & I use them (w/ classic Opera + Vivaldi too))... apk

  54. Re:Will this stop nosy overreaching gov & corp by roca · · Score: 1

    It makes snooping much more expensive and it makes passive undetectable snooping impossible. To snoop, they have to install software on the user's computer, or the target server, or else get a CA to generate a certificate they can use to MITM the connection. All of these things are expensive to do at scale, and detectable. In the latter case, the bad certificate can be recorded and constitutes proof of the CA's misbehavior; if a rogue CA is found to have misissued a certificate, there are consequences, as Symantec and Startcom found out.

  55. Re:Router, printer, NAS, and other FQDNless device by jrumney · · Score: 1

    And this helps home routers how?

  56. HTTP by Anonymous Coward · · Score: 0

    From my cold, dead hands.

  57. Intel CPU overhead by Anonymous Coward · · Score: 0

    Using an Intel CPU for encryption probably now incurs significant overhead.

  58. Re:Router, printer, NAS, and other FQDNless device by Anonymous Coward · · Score: 0

    Sorry, what DNS zone is being used in a general private network???

  59. Re:Will this stop nosy overreaching gov & corp by iggymanz · · Score: 1

    Nope, SSL ciphers fall all the time, fresh vulnerabilities, fresh attacks. Can't assume passive snooping is impossible.

  60. Re:Router, printer, NAS, and other FQDNless device by tepples · · Score: 1

    A split-horizon public dummy mirror with the same hostnames as the private network.

  61. Re:Router, printer, NAS, and other FQDNless device by tepples · · Score: 1

    The home router firmware would presumably use the ACME dns-01 or http-01 challenge to obtain a certificate from Let's Encrypt for the hostname (not the IP address) that the user has entered into its configuration. Even if the hostname has no public CNAME, A, or AAAA record, the DNS zone can still contain the TXT record that dns-01 requires.

  62. Re:Router, printer, NAS, and other FQDNless device by Anonymous Coward · · Score: 0

    > ...[short-lived TLS certs] are kinda useless and annoying when you have a device that is *not* a general-purpose computer capable of running their scripts. ... Am I really going to do a manual process on every cable modem, WAP, router, printer, switch, AP, IoT device, etc, every 3 months?

    So use some software that implements ACME that happens to meet your needs? ACME's DNS Identifier Validation Challenge method seems to be tailor-made for just your situation: https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-8.5

    Run your ACME client on a full-featured computer, save the certs that LE sends to you, then feed them to the automation scripts for whatever method you use to get TLS certs onto your modem/WAP/printer/whatever. (You _do_ know that there are tools out there that can manually enter SSH passwords for you, or even script clicking on or typing into a web page, right?)

  63. some ipmi still use java only others html5 by Joe_Dragon · · Score: 1

    some ipmi still use java only others the html5 part is missing a few things that the java one can do.

  64. Re: Lies, damn lies, & first lie wasn't exactl by Anonymous Coward · · Score: 0

    Most people don't realize that they're being ripped off so badly.

    None of their platforms are actually the most popular in terms of market and have less than most companies have in market share. They just get a lot of money from them. 3% isn't unexpected considering how gimp their browsers are (why focus on it? You can Rob then going inside the store)

  65. Re:Lies, damn lies, & first lie wasn't exactly by gravewax · · Score: 1

    The percentage of less popular browser users that actually change their user agent would not even amount to a rounding error. At 34%, whether you think so or not, your site is either a statistical anomaly or you do have a significant bias towards Apple users, as even with mobile devices you are unlikely to climb much beyond 20% without some sort of bias, as Apple market share is just too small overall to account for a third of users.

  66. Re:Router, printer, NAS, and other FQDNless device by thegarbz · · Score: 1

    You're describing a non-issue while ignoring the real issue.

    Let's Encrypt works by scripting. If you're doing it manually you're doing it wrong. The problem should be scripted around. However .... the real issue is that you can't issue a certificate to an IP address or to local domains. The problem isn't Lets Encrypt, the problem is there's literally no one who would give you the certificate you need.

    What is needed is either some protocol change to allow this to be done in a different way, or some simple and universal easy method to run your own CA for these purposes along with the ability to upload the cert. Or maybe devices should come with a universal certificate that never expires and on first access needs to be manually imported. Think of it like SSH.

  67. Re: Lies, damn lies, & first lie wasn't exactl by Wootery · · Score: 1

    -1 Incoherent.

    What on Earth are you trying to say, AC?

  68. Re:Router, printer, NAS, and other FQDNless device by TheRaven64 · · Score: 1

    No, they issue certificates for domains, not IP addresses. If you want to get certificates for home network devices, then the simplest thing to do is set up a subdomain like home.example.com and point a public wildcard DNS record at a machine running acme-client. Configure all of the subdomains of that you want (e.g. printer.home.example.com) and have the deploy script push them to the things on your local network. On your local network, provide a DNS server via the DHCP reply which gives local addresses for printer.home.example.com, rather than the publicly routable one.

    --
    I am TheRaven on Soylent News
  69. Re:Router, printer, NAS, and other FQDNless device by TheRaven64 · · Score: 1

    You really want to integrate this with the DHCP response (though that's also not authenticated in any way). The problem with .local is that names in that namespace are not guaranteed to be unique. mycomputer.local probably exists on hundreds of LANs and the point of a DNS cert is to prove that your endpoint is who it says it is.

    A good first step would be for the DHCP response to include a root cert that can be used only for things on the current network. Ideally, you probably also want something integrated with mDNS so that devices that publish their names via mDNS can also publish their cert via the same mechanism and have other parties automatically reject names if the signing cert changes. Neither of these mechanisms is very secure, but they're both probably better than nothing - at least they give you reasonable protection against passive eavesdroppers.

    --
    I am TheRaven on Soylent News
  70. Re:Router, printer, NAS, and other FQDNless device by jrumney · · Score: 1

    I'm sure my 82 year old father in-law will have no problem registering his own domain name, configuring public and private DNS servers and setting up his acme-dns client. Thanks for making life easier for him.

  71. Apple makes huge profit on small, rich user base by tepples · · Score: 1

    Anonymous Coward is trying to say that despite Apple's user base not being the largest, it has been successful at making a large profit from a smaller, richer user base. In some years, it has earned over 90 percent of all smartphone profit. Thus despite a smaller number of people using Safari, these users on the whole make more purchases in larger amounts.

  72. Re:Router, printer, NAS, and other FQDNless device by TheRaven64 · · Score: 1

    Nice straw man. Why is your 82-year-old father-in-law configuring web servers on his local network if he finds these things so difficult? Oh, right, he isn't, he's buying off-the-shelf equipment that handles this stuff automatically for him.

    --
    I am TheRaven on Soylent News
  73. Re:Lies, damn lies, & first lie wasn't exactly by Anonymous Coward · · Score: 0

    It is not just bias towards technical content. You probably either target the hippy crowd or the young/deluded crowd, rich youth, i.e. people with more money than brains, where the Apple percentage could actually reach 34%. 34% is an insanely high number for Safari and doesn't make any sense unless your numbers are wrong or you are targeting Apple users in some way.

  74. Re:Router, printer, NAS, and other FQDNless device by jrumney · · Score: 1

    The straw man here is your imaginary world in which "off-the-shelf equipment handles this stuff automatically for him"

  75. Re:Router, printer, NAS, and other FQDNless device by TheRaven64 · · Score: 1

    Have you actually bought any consumer network equipment in the past decade? Most of the things I've bought handle https already. Even a cheap (under £10) TP-Link WiFi router does (via a fairly complex dance involving public DNS records). My ISP-provided router does with a self-signed cert that I have to explicitly mark as trusted (but which is then pinned). The manual config is only an issue if you're manually configuring your own intranet server, and if you're doing that then you should know what you're doing.

    --
    I am TheRaven on Soylent News
  76. Re:Apple makes huge profit on small, rich user bas by Wootery · · Score: 1

    Good work. What difference a username makes.