Slashdot Mirror


Mozilla Restricts All New Firefox Features To HTTPS Only (bleepingcomputer.com)

An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox adds support for a new standard/feature starting tomorrow, if that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.
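
The "secure context" rule in the summary can be made concrete with a simplified version of the "potentially trustworthy origin" test from the W3C Secure Contexts specification, given here as an added example (not Mozilla's code and not part of the original post). The sample URLs are constructed, and the frame-ancestor checks and `file:` handling that browsers also apply are left out; the point to notice is that only loopback hosts are exempt over plain HTTP, while LAN addresses are not.

```javascript
// Added example: simplified "potentially trustworthy origin" test, after the
// W3C Secure Contexts specification. Not Mozilla's implementation.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

function isLoopbackHost(hostname) {
  // URL.hostname keeps the brackets around IPv6 literals.
  if (hostname === "[::1]") return true;
  // The spec allows localhost names only when the browser guarantees they
  // resolve to loopback; this sketch assumes that guarantee.
  if (hostname === "localhost" || hostname.endsWith(".localhost")) return true;
  // 127.0.0.0/8. The URL parser has already validated and normalised IPv4.
  return /^127(\.\d{1,3}){3}$/.test(hostname);
}

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trustworthy
  }
  // Authenticated, encrypted transport always qualifies.
  if (SECURE_SCHEMES.has(url.protocol)) return true;
  // Traffic to loopback never leaves the machine, so it cannot be modified
  // on the network. RFC 1918 and other "private" ranges get no such
  // exemption: a shared LAN can still carry an intercepting device.
  return isLoopbackHost(url.hostname);
}

// Constructed sample origins, including the LAN cases raised in the comments.
const SAMPLES = [
  "https://example.com/",
  "http://example.com/",
  "http://localhost:8000/",
  "http://127.0.0.1:8080/",
  "http://[::1]/",
  "http://192.168.1.10/admin",
  "http://10.0.0.5/",
  "http://123.123.0.1/",
];

function classify(urls) {
  return urls.map((u) => ({ url: u, eligible: isPotentiallyTrustworthy(u) }));
}

console.table(classify(SAMPLES));
```

In a page, the browser exposes the result of its own full check as `window.isSecureContext`, which scripts can test before relying on a restricted feature.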

6 of 243 comments

  1. Loyal Firefox user for over a decade now. by fishscene · · Score: 5, Insightful

    ...and this might be the one thing that gets me off the Firefox bandwagon as it is an incredibly backwards move. TONS of stuff does NOT need https and does not need the overhead HTTPS incurs both in processing time and certificate management. Also, do I really need HTTPS for stuff on my trusted LAN? No? So now I have to jump through hoops to enable developer mode? Just... what are they thinking? What is the recommended fork of Firefox these days? Pale Moon?

    1. Re:Loyal Firefox user for over a decade now. by Obfuscant · · Score: 2, Insightful

      The LAN issue is an interesting one, maybe Firefox should make an exception for the private IP address ranges.

      You do realize, I hope, that "private IP address ranges" are in the eye of the beholder. Yes, there is a standard set, but if I want to treat 123.123.0.0/16 as "private" there is nothing you can do to stop me.

      On the other hand, I am all for HTTPS for everything else

      Then you are free to run all your websites using HTTPS only. I run several websites, and not a single one of them needs HTTPS for anything. One of those is for one of those awful universities that gets grant money to do research and then keeps the data secret -- by publishing it on an open website for anyone who wants to look at it. I don't get paid to do this, so I don't get paid to manage certificates because someone gets a bug about how insecure it is to come look at my public data using an unencrypted protocol. OMG, a MITM might substitute fake data! How awful!

  2. Re:Good by Anonymous Coward · · Score: 2, Insightful

    STOP POSTING WITH YOUR IPHONE

  3. Then is non-standard by williamyf · · Score: 3, Insightful

    If the standard calls for a feature to work on both HTTP and HTTPS, and you implement only HTTPS, then it is not a standards-compliant implementation...

    Come on Mozilla Foundation! Those heavy-handed tactics could work when your market share was about 50%, but not anymore...

    JM2C, YMMV

    --
    *** Good luck to everyone and have a happy day!

  4. Encryption is the new fad by RightwingNutjob · · Score: 3, Insightful

    Last month bitcoin was the new fad. These Silicon Valley types must have been drinking too much Raw Water(TM) and picked up some brain parasites.

    Very little needs to be encrypted or authenticated. Not everything that needs to be encrypted when going through the open internet needs to be encrypted or authenticated when happening on a closed LAN. Encryption isn't for free. SSL certificate management isn't for free. When stepping away from the half of web browser use that happens on the open internet and into the other half that happens on closed networks, it is wasted effort for no benefit.

  5. Cleartext HTTP vulnerable to script injection by tepples · · Score: 4, Insightful

    I run several websites, and not a single one of them needs HTTPS for anything.

    How do you assure visitors of the several websites you run that the markup, stylesheets, images, fonts, and possibly scripts on your site have not been modified in transit by an intercepting proxy between your server and the viewer's machine? Comcast, for example, has been shown to inject advertisement scripts into HTML documents delivered through cleartext HTTP.

    OMG, a MITM might substitute fake data! How awful!

    Thus you answer your own question. It is awful.