Mozilla Restricts All New Firefox Features To HTTPS Only (bleepingcomputer.com)
An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox adds support for a new standard/feature starting tomorrow, and that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.
"Anne van Kesteren, a Mozilla nanny"
FTFY.
"National Security is the chief cause of national insecurity." - Celine's First Law
...and this might be the one thing that gets me off the Firefox bandwagon as it is an incredibly backwards move. TONS of stuff does NOT need https and does not need the overhead HTTPS incurs both in processing time and certificate management. Also, do I really need HTTPS for stuff on my trusted LAN? No? So now I have to jump through hoops to enable developer mode? Just... what are they thinking? What is the recommended fork of Firefox these days? Pale Moon?
STOP POSTING WITH YOUR IPHONE
This! I tried Waterfox back in 2011 when it was one of the only 64-bit browsers available and never looked back. There are a few 32-bit systems I still need and I wish there were a 32-bit build for them. All the modern features of FF 56 (a new version based on 57 is in the works but it will be a while), none of the tracking nor any of the nanny features Google and Mozilla are forcing on ALL users because some people can't be trusted to not click on that suspicious link.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
As opposed to what, exactly? Chrome, which almost certainly has as much Google spyware baked into it as a Huawei-made smartphone? Miscreant-o-soft 'Edge', and its associated 'telemetry' (read as: spyware)? Any of the fringe browsers, which are likely to be garbage and full of malware, too? Firefox is just as likely to be the cleanest in that regard.
If the standard calls for a feature to work on both HTTP and HTTPS, and you implement only HTTPS, then it is not a standards-compliant implementation...
Come on Mozilla Foundation! Those heavy-handed tactics could work when your market share was about 50%, but not anymore...
JM2C, YMMV
*** Good luck to everyone and have a happy day!
If everything is HTTPS will that stop nosy ISPs and even nosier government agencies (or anyone else for that matter) from snooping? So far as I know, it won't.
Then we can talk.
Rolling out DNSSEC without first addressing DNS amplification is dangerous and irresponsible.
So, what browser do you use? Can't be Chrome since it is less secure than Firefox, even pre-Quantum. So, what do you use? Can't be Safari? It's based on very broken Webkit. What do you use? We need to know so we can all switch to it.
Last month bitcoin was the new fad. These Silicon Valley types must have been drinking too much Raw Water(TM) and picked up some brain parasites.
Very little needs to be encrypted or authenticated. Not everything that needs to be encrypted when going through the open internet needs to be encrypted or authenticated when happening on a closed LAN. Encryption isn't for free. SSL certificate management isn't for free. When stepping away from the half of web browser use that happens on the open internet and into the other half that happens on closed networks, it is wasted effort for no benefit.
You're responding to the wrong AC. Easy mistake to make.
I really do think that weaning the web off non-SSL HTTP is a good thing, I don't know how anyone can oppose protecting people's privacy. There's no cost any more to getting a TLS cert so there's just no excuse any more to not go HTTPS. The only issue was LAN IP addresses and maybe an exception should be made for private IP addresses. For all public IP addresses I would actually support throwing up an "insecure site" warning for all non-SSL sites that users have to click an exception button, then eventually requiring SSL of all web sites.
Since the article at bleepingcomputer makes no sense, I went to Mozilla's site. It isn't much better. It says:
Effective immediately, all new features that are web-exposed are to be restricted to secure contexts. Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR. In contrast, a new CSS color keyword would likely not be restricted to secure contexts.
What is "observable from a web page or server?" I get that they are trying to prevent information leakage, but this statement is overbroad. I call B.S. on it.
Mozilla programmers will not waste their time checking if HTTPS is enabled before supporting a new CSS property, or a new SVG feature. That would be a moronic waste of developer time. Heck, I bet they couldn't even implement that if they wanted to. Suppose their audio library or JPEG library or SVG library adds a new format or feature? Are they going to modify the library to check if the connection is secure then selectively disable that code? That would be somewhere between impossible and moronic.
My hope is that this is just a badly worded press release.
There's no cost any more to getting a TLS cert
Yes there is. You need a domain, for instance, and it has to be a fully qualified domain name (FQDN), not something like .local from mDNS or .internal from a private DNS server. For example, what would the FQDN of the configuration page of the router, printer, or NAS on your LAN be? Mozilla acknowledged the difficulty of securing such nameless devices on the LAN in "Deprecating Non-Secure HTTP Frequently Asked Questions":
But since May 2015, when Mozilla published this FAQ, I haven't seen it endorse a solution.
The indieweb people seem to think every householder ought to buy (and continue to renew) a personal domain from a commercial domain registrar. I guess the owner of such a personal domain could allot subdomains of that domain for devices on his own home network and use the DNS challenge of Let's Encrypt to obtain certificates for these devices. Is this practical for most people?
What about apache, nginx, postgresql, vlc, do I need to go on?
Not all content requires people's information to be transmitted over the wire.
"Not to mention all the idiots who use words like boxen."
Anonymous Coward on Monday August 04, @06:49PM
The only issue was LAN IP addresses and maybe an exception should be made for private IP addresses.
You propose to exempt RFC 1918 private internets from requirements related to "Secure Contexts". If Firefox were to go this route, what logic would it contain to distinguish your home network from a probably less secure coffee shop network?
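As an added illustration (written for this thread, not Firefox's or Mozilla's code), here is the "potentially trustworthy origin" test from the W3C Secure Contexts specification, which is what a secure-context gate actually checks. It answers the question above by showing that the check contains no network logic at all: RFC 1918 addresses are ordinary insecure http origins, and only https/wss, file, loopback literals and "localhost" names are exempt.

```python
"""Added example: the Secure Contexts "potentially trustworthy origin" check.

Illustration written for this thread, not Firefox's code. It follows the rules
of the W3C Secure Contexts spec (https/wss, file, loopback and "localhost"
names are trustworthy; everything else is not). Note what is absent: there is
no rule for RFC 1918 private ranges, so a browser that gates a feature on a
secure context cannot tell a home LAN from a coffee-shop LAN and treats both
as plain insecure http.
"""
from ipaddress import ip_address
from urllib.parse import urlparse


def is_potentially_trustworthy(url: str) -> bool:
    """Return True if the origin of `url` counts as a secure context."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    # Rule 1: https and wss are trustworthy by scheme alone; file: is also exempt.
    if scheme in ("https", "wss", "file"):
        return True
    host = parts.hostname  # lower-cased, IPv6 brackets removed
    if host is None:
        return False
    # Rule 2: loopback literals (127.0.0.0/8 and ::1) are trustworthy over any scheme.
    try:
        return ip_address(host).is_loopback
    except ValueError:
        pass  # not an IP literal, fall through to the name rules
    # Rule 3: "localhost" and "*.localhost" names are trustworthy.
    if host == "localhost" or host.endswith(".localhost"):
        return True
    # Everything else, including private IPs and .local names, is not.
    return False


def explain(url: str) -> str:
    """Human-readable verdict that also says whether the address is private,
    so the reader can see that privacy of the address is not what the rule tests."""
    host = urlparse(url).hostname or ""
    try:
        addr = ip_address(host)
        if addr.is_loopback:
            where = "loopback address"
        elif addr.is_private:
            where = "private (RFC 1918 / ULA) address"
        else:
            where = "public address"
    except ValueError:
        where = "hostname"
    verdict = "secure context" if is_potentially_trustworthy(url) else "NOT a secure context"
    return f"{url}: {where}, {verdict}"


def gated_feature(url: str, feature: str) -> str:
    """Model of a feature restricted to secure contexts (Mozilla's new default)."""
    if is_potentially_trustworthy(url):
        return f"{feature} available"
    return f"{feature} unavailable: origin is not a secure context"


if __name__ == "__main__":
    for u in ("https://example.com/", "http://192.168.1.1/", "http://10.0.0.5:8080/",
              "http://localhost:3000/", "http://127.0.0.1/", "http://[::1]/",
              "http://printer.local/", "file:///home/user/index.html"):
        print(explain(u))
    print(gated_feature("http://192.168.1.1/", "WebVR"))
```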
So what do you use? Chrome, which is turning into the IE6 of the web now pushing all this proprietary Chrome-only markup, and arrogantly spawns a dozen or more background tasks on your computer bringing it to its knees?
I'm seeing lots of Chrome die-hards give it the boot and go to Firefox as a result. And the new Firefox 57 is faster than Chrome, so there's an added bonus.
Firefox has its faults, but if you're insulting it and using Chrome instead then you're just being a huge hypocrite. Chrome gets more press and is pushed on people via sneaky trojan bundling deals that got Microsoft in trouble when they pulled that same shit, but that doesn't make it the better browser.
You know what, I only see this problem on Slashdot, so either
1: The only posts from people using iPhones (any iOS device really) I see are on Slashdot
2: there is something wrong somewhere in Slashdot
I run several websites, and not a single one of them needs HTTPS for anything.
How do you assure visitors of the several websites you run that the markup, stylesheets, images, fonts, and possibly scripts on your site have not been modified in transit by an intercepting proxy between your server and the viewer's machine? Comcast, for example, has been shown to inject advertisement scripts into HTML documents delivered through cleartext HTTP.
OMG, a MITM might substitute fake data! How awful!
Thus you answer your own question. It is awful.
As opposed to what, exactly? ...Any of the fringe browsers, which are likely to be garbage and full of malware, too?
Does Opera count as fringe? I'm in Chrome right now (at work), but Opera's my main browser at home. It'll run indefinitely on my Win10 box without leaking or crashing while browsing CNN, Facebook, Youtube, Xvideos, Slashdot, Pandora, Netflix, Plex, etc. I'd be very surprised to learn there was malware incorporated.
He's getting rather old, but he's a good mouse.
We need to know so we can all switch to it.
Lynx's security is second to none.
He's getting rather old, but he's a good mouse.
He did mention explicitly private addresses.
It is a valid point that https on embedded devices and for unmanaged local networks is pretty awkward, with no one really stepping up to make that use case a bit more friendly (even if it can't be made secure).
It's of course very weird that browsers treat unvalidated https as *worse* than http, in terms of scaring the user.
XML is like violence. If it doesn't solve the problem, use more.
If the standard calls for a feature to work on both HTTP and HTTPS, and you implement only HTTPS, then it is not a standards-compliant implementation...
Nor does an implementation comply if the browser implements it over cleartext HTTP but the standard specifies that it shall not work over cleartext HTTP. A growing number of web standards specify such, citing things like the W3C Candidate Recommendation "Secure Contexts".
Those heavy-handed tactics could work when your market share was about 50%, but not anymore...
That'd be a good comeback if plurality browser Chrome weren't also doing it.
Can't be Chrome since it is less secure than Firefox, even pre-Quantum.
Since when did Firefox start using OS-level process sandboxing the way Chromium and Google Chrome do?
Comcarp paid them, so it will cost you $10/device/outlet on IPv6, and it will get an FQDN over the Comcast gateway (must rent at $12/mo) with IPv6 DHCP.
Let's Encrypt has short-lived certificates, which are kinda useless and annoying when you have a device that is *not* a general-purpose computer capable of running their scripts.
Am I really going to do a manual process on every cable modem, WAP, router, printer, switch, AP, IoT device, etc, every 3 months?
The "local network devices" problem is a real problem, and it's never given proper attention in these HTTPS proclamations.
I "solved" it for myself by setting up a local CA to make certs for my stuff. Unfortunately, getting the cert for that CA into all my browsers is annoying, and can introduce its own share of issues.
It's of course very weird that browsers treat unvalidated https as *worse* than http, in terms of scaring the user.
Cleartext HTTP gives the user a true sense of insecurity, as the scheme portion of the URL doesn't say https. Self-signed HTTPS gives the user a false sense of security, as it increases the chance for MITM to intercept the connection, unless the user has already verified the certificate fingerprint out of band. (It shares this false sense of security with SSH servers that don't publish server key fingerprints elsewhere.) I guess Mozilla considers the sense important to users' privacy and safety.
Systems behind reverse proxies do not run HTTPS in all places.
So I have to put servers' IPMI on the internet to maybe use Let's Encrypt (with maybe auto-renew), or just keep them offline and manually update certs all the time on each one?
The path and query string themselves are enough to infer "people's information". With cleartext HTTP, a passive attacker can infer which medical condition you looked up on Wikipedia or WebMD. With HTTPS, an attacker can see the server's hostname in the Server Name Indication of the ClientHello message, such as en.wikipedia.org or www.webmd.com, but everything else is encrypted.
In addition, even when "people's information" is not "transmitted over the wire", the viewer's ISP can still inject advertisement scripts into a cleartext HTTP connection.
Chrome 58.90%
Firefox 13.29%
Internet Explorer 13.00%
Edge 3.78%
Safari 3.42%
Sogou Explorer 1.68%
Opera 1.57%
QQ 1.35%
UC Browser 0.73%
Yandex 0.63%
Looks pretty fringy to me.
Two things: A) he's obviously a troll; B) out of all 4 of those only VLC is desktop software.
Let's Encrypt has short-lived certificates, which are kinda useless and annoying when you have a device that is *not* a general-purpose computer capable of running their scripts.
What is the web server itself running on if not "a general-purpose computer"? If a special-purpose computer locked down to run only particular web server software, this particular web server software can include an ACME client. Certbot is not the only ACME client that can retrieve a certificate from Let's Encrypt or another ACME CA.
Am I really going to do a manual process on every cable modem, WAP, router, printer, switch, AP, IoT device, etc, every 3 months?
No. The manufacturer of "every cable modem, WAP, router, printer, switch, AP, IoT device, etc" will include an ACME client (or some other means of renewing a certificate) in the software package that runs the web server in said device.
The real problem is configuring which domain a device uses, as Let's Encrypt issues only 20 certificates per domain per week under a particular registrable domain based on Mozilla's Public Suffix List. And I'm told it takes months for a dynamic DNS host or other subdomain provider to get onto that list. But if you manufacture hardware devices or publish commercial software, as opposed to gratis software that a user can install on a generic computer, you can do what Plex did: become a reseller for some trusted CA to issue certificates for subdomains of your domain.
Yeah, anything beyond the top 5 I'm happy to call "fringe". So, according to you, that makes it "likely to be garbage and full of malware". I believe Opera's neither garbage nor full of malware.
He's getting rather old, but he's a good mouse.
The web browser caches resources delivered through HTTPS the same way as resources delivered through cleartext HTTP. The only thing you lose is being able to cache on an intermediate proxy, but that is relevant if you're splitting one dial-up connection among multiple clients.
Then there is the issue of small timers who want to serve a web page from home, using an old computer and dynamic hostname.
File a support ticket with your dynamic DNS provider to request addition to the Public Suffix List. If a dynamic DNS provider is on the Public Suffix List, Let's Encrypt issues 20 certificates per customer per week instead of 20 per provider per week. The other benefit of being on the PSL is that sites on the same dynamic DNS provider can't see each others' cookies.
Safari 3.42%
I thought all browsing on iPod touch, iPhone, and iPad was done through Safari (or through a third-party web browser that wraps Safari's engine). Are these only desktop numbers?
My ISP supplied me with a Fritzbox for a router. They have Let's Encrypt support in their current beta firmware.
Although they still give people shitty netgear routers if they don't have gigabit plans...
If the functionality of your system depends on yet another third party, then it isn't free.
DNS registries and registrars are third parties. What makes a CA any different from DNS in this respect?
If you don't want to expose your server to the Internet, you can use Let's Encrypt with an ACME client that supports the DNS challenge instead of the HTTP challenge.
Those dozens of background tasks are your tabs or plugins you've installed.
Of the 6 processes my instance of Chrome is currently running (with one tab open) they are:
Browser: 115MB
GPU Process: 61MB
V8: 11MB
Slashdot tab: 111MB
Adblock Plus: 162MB
uBlock: 63MB
Each additional tab is one more process. If you install dozens of plugins, you'll get dozens of processes and gigabytes of RAM usage.
Tip: Press shift-esc to open Chrome's task manager and see for yourself.
The path and query string themselves are enough to infer "people's information". With cleartext HTTP, a passive attacker can infer which medical condition you looked up on Wikipedia or WebMD. With HTTPS, an attacker can see the server's hostname in the Server Name Indication of the ClientHello message, such as en.wikipedia.org or www.webmd.com, but everything else is encrypted.
What you say is the same thing I said. Not every site is about having personal information transmitted or is personal in nature on the queries it responds to. Maybe I just run a site for my bathroom design business with my phone number on it. People visiting my site tell a 3rd party the same thing by simply typing the URL that they would from their full "page loads" since the only information to infer is that you're looking for a bathroom designer.
"Not to mention all the idiots who use words like boxen."
Anonymous Coward on Monday August 04, @06:49PM
You have a really good point there. While generally I think it's good for internet sites to be compelled to support SSL, there should be a way for the user to create exception rules in the browser for these situations (as with a self-signed cert), with adequate warnings similar to the self-signed or expired cert screens. A setting should be included in the advanced section for setting up rules as well to permit non-SSL sites.
There's no cost any more to getting a TLS cert
Yes there is. You need a domain, for instance, and it has to be a fully qualified domain name (FQDN), not something like .local from mDNS or .internal from a private DNS server. For example, what would the FQDN of the configuration page of the router, printer, or NAS on your LAN be?
You do not need your own top level domain (example.com). You can get a FQDN for free under other existing domains.
That said, you have a point, since that would significantly lower the level of trust (if you own the domain, the registrar could steal it out from under you, so you have to have some trust in them; if you get a subdomain off a third party, they can easily steal your subdomain, so you would have to trust them not to do so).
That risk is probably why the market for free FQDN's isn't very big. Most people that need one would rather just buy one for the few bucks a year it costs.
Yes. It was originally Norwegian, but was sold to "Golden Brick Capital Private Equity Fund I Limited Partnership" for $600M at the end of 2016.
He's getting rather old, but he's a good mouse.
I'm okay with a warning mechanism, such as yellow bar, or a pop-up confirmation that has a "do not show this message for this site any more" option. But to outright not allow, or repetitious prompts is too much. The little guy can't afford a fricken certificate.
Table-ized A.I.
The manufacturer of "every cable modem, WAP, router, printer, switch, AP, IoT device, etc" will include an ACME client (or some other means of renewing a certificate) in the software package that runs the web server in said device.
Does letsencrypt.org issue certificates for private IP addresses now? Most such devices limit their configuration interface to the internal facing interfaces.
People will switch when they begin to have problems, tech literate excluded. People don't want nor will they know about features like this, they want just to use their browser without difficulty and without consideration of restrictive features.
You can lead a man with reason but you can't make him think.
Troll here (I was not intending to be one), sorry I missed the mark, got too focused on the attack on open source and forgot the context. It would be easy to blame my ADD, but I should really pay a bit more attention to stuff like context. I must admit that desktop applications definitely are not the best part of the open source portfolio, I'm not sure why, maybe because UI/UX is hard to get right and also a very specialized field.
I think you better realize that EVERYTHING you do is getting raked over by the Chinese Government's servers
That's a possibility. It's been investigated repeatedly and nothing's been found, but that's not 100% confidence and I trust the Chinese even less than MS and Google. Of the sites I mentioned, only Pandora has any financial information from me and it wasn't transmitted through Opera. Opera's my main browser at home, but not my only one. If the Chinese want to know which news articles I read, it bothers me the same amount as if my ISP does. Chrome's probably mined deeper than Opera simply because I'll bet Google's better at it than the Chinese government.
He's getting rather old, but he's a good mouse.
Mil, security services have the keys so nothing stops them from collecting it all over any generation of tech.
Police who get ISP logs will be the interesting change.
ISP will have to get some new skills if they want to keep looking over a users communications.
Ad will have to change and become part of a site in some way.
Domestic spying is now "Benign Information Gathering"
Well that might be, it is impossible for me to comment on Potplayer as I've never used it, but I can say that vlc (plus the odd codec pack) has played everything I've thrown at it without issue. Is it pretty? No, but, at least in my view, that is secondary to it working. I'm not defending vlc, nothing is perfect and improvements can always be done, but someone much wiser than me once said 'The perfect is the enemy of the possible'.
Ultimately it's a flawed system that is more about making money for the handful of Certificate authorities than about providing security to your average home user. Forcing everyone to HTTPS doesn't do much more than highlight CAs as the chokepoint of the Internet.
“Common sense is not so common.” — Voltaire
Not every site is about having personal information transmitted or is personal in nature on the queries it responds to.
Nor does every server operator always agree with its viewership on whether the site "is personal in nature on the queries it responds to." For example, some people find Wikipedia not "personal in nature" because they don't regularly read articles about (say) reproductive rights in a socially conservative jurisdiction.
Maybe I just run a site for my bathroom design business with my phone number on it.
How do viewers of your site know that your competitor didn't pay the ISP to change your phone number appearing on its subscribers' view of your site to that of your competitor?
You can get a FQDN for free under other existing domains.
But then you're more likely to run into CA-imposed rate limits because many subdomain providers aren't on the Public Suffix List yet.
Hosts on a personal domain need not accept connections from the public. If the domain needs a public presence, it can be hosted on some cheap static site host.
Let's Encrypt will issue a certificate to the domain owner even if the hostname in the certificate is not the hostname of a server reachable through the Internet. For unreachable hosts, Let's Encrypt verifies domain control through the ACME dns-01 challenge, which requires putting a temporary TXT record in your domain's DNS zone.
These Unicode characters are just fine on Slashdot:
It's anything above U+007F that gets molested by Slashdot, such as:
I'm not posting from an iPhone. You can input these characters from any modern PC. It's just that Slashdot decided to support only ASCII character input (U+0000 through U+007F) but screwed up and is actually supporting some crummy OEM code page instead (U+0000 through U+00FF).
We need to know so we can all switch to it.
Lynx's security is second to none.
Don't forget w3m and links.
227-3517
Yes there is. Aside from the hassle of configuring it, maintaining it, and troubleshooting it when it breaks, even "free" things like Let's Encrypt are not free. They will not give me a cert.
I wish I had mod points, another nail in the 'fully free' or user based internet. If the page is static and no javascript crap then you should not have to get a cert.
Yes I know your ISP could inject crap before serving it to someone, but you remind the ISP that is illegal.
There is always lynx and USENET :) We should all move back to that.
Ok so let's blame Apple, but hold on a second, did I not point out that I have not seen this problem anywhere else? Oh well, it must just be me then; I guess none of the people commenting on digi.no, itavisen.no or in the subreddits I follow ever post from an iOS device (the first two are among Norway's largest IT-related news sites, and judging by the number of comments on Apple-related articles quite a few of the readers use iOS devices).
Neither they nor Chrome can do HTTPS right if privately signed certs are used. My firewall has been HTTPS since 1997. Both show "this is not a safe site" because of private certs.
They are idiots not to say the basic local server on a local subnet is good, or at least not bad; instead it keeps taking multiple clicks to get through.
I think they both get kickbacks from the cert guys.
On my non-technical site (content doesn't have a bias toward users having any particular software) Safari measures (for whatever that's worth; see 1st paragraph) at 34%.
Safari is currently Mac-only among desktop platforms. I'd be surprised if over 34 percent of visitors to your site use a Mac. Or are you counting Safari for iOS in your 34 percent? Rick Schumann doesn't appear to be.
Yes I know your ISP could inject crap before serving it to someone, but you remind the ISP that is illegal.
ISP's reply: "So what? We'll continue the illegal practice."
So who has standing to sue an ISP that deliberately flouts this law? The subscriber or the operator of the site that was modified?
Answer: Nobody does. It was a trick question. Mandatory arbitration clauses are a standard practice nowadays.
even "free" things like Let's Encrypt are not free. They will not give me a cert. What they will do is let me run their software which will magically do the cert shit for me.
Or you could read the published specification for Automatic Certificate Management Environment (ACME) and write your own such software.
It also protects against spoofing servers, MITM (Man in the Middle) attacks, altering / faking / changing content in-transit (as AT&T / Verizon has done in the past).
Probably they think this is more about protecting their users than just ensuring the data can't be seen by prying EYE5.
It makes snooping much more expensive and it makes passive undetectable snooping impossible. To snoop, they have to install software on the user's computer, or the target server, or else get a CA to generate a certificate they can use to MITM the connection. All of these things are expensive to do at scale, and detectable. In the latter case, the bad certificate can be recorded and constitutes proof of the CA's misbehavior; if a rogue CA is found to have misissued a certificate, there are consequences, as Symantec and Startcom found out.
Quotation mark code points that have been in Unicode for decades (since 1993) aren't "idiosyncratic".
And this helps home routers how?
The path and query string themselves are enough to infer "people's information". With cleartext HTTP, a passive attacker can infer which medical condition you looked up on Wikipedia or WebMD. With HTTPS, an attacker can see the server's hostname in the Server Name Indication of the ClientHello message, such as en.wikipedia.org or www.webmd.com, but everything else is encrypted.
Incorrect. On a public website you can infer what the user is looking at via analysis of timing and payload size.
Nope, SSL ciphers fall all the time, fresh vulnerabilities, fresh attacks. Can't assume passive snooping is impossible.
I really do think that weaning the web off non-SSL HTTP is a good thing, I don't know how anyone can oppose protecting people's privacy.
The privacy case for publicly accessible websites is tedious at best and harmful at worst. It is tedious at best because use of timing and payload length side channels have been successfully demonstrated to unmask user activities on public sites.
It is harmful to privacy because all those OCSP queries to centrally managed servers represent a new vector to track users en masse without requiring any in-path compromise of communications channels.
TLS session caching may leak data that can be used to correlate requests within a privacy preserving overlay network.
There's no cost any more to getting a TLS cert so there's just no excuse any more to not go HTTPS.
There exist management costs and additional RTT costs both in initial TLS setup and an additional round trip with every subsequent request. This can be mitigated in the future by using session tickets.
For all public IP addresses I would actually support throwing up an "insecure site" warning for all non-SSL sites that users have to click an exception button, then eventually requiring SSL of all web sites.
No doubt TLS is better than nothing yet ends don't justify means. Just because you want everyone to use TLS does not make it acceptable to force others to use it if they don't want to for whatever reason.
In a world where everything is secured via TLS there is no real security. The value of compromising CAs approaches infinity at the same time CAs are squeezed by the everything-must-be-free machine (LE freeloaders). Not that CAs have any business existing in the first place. DV should be a function of the registrar, who should be handling signing as a standard included feature of domain ownership for no additional cost, with none of this any-CA-has-capability-to-sign-globally-for-any-domain-they-want bullshit.
Every government in the world worth fearing is assured to have the means of compromising the system as currently deployed. As we have seen with Google's unnecessary unilateral removal of the ONLY means of detection of government compromise (key pinning) in order to support a half-baked "experimental" IETF draft that does nothing to actually prevent compromise in its tracks, it seems to me the current system is worthless to anyone with a need for security beyond low-value ecommerce transactions, and that design is intentional. Any new features such as rolling out support for PAKEs that stand to improve security by providing off-ramps to trust not based on the global PKI house of cards are systematically ignored by all browser vendors.
How do viewers of your site know that your competitor didn't pay the ISP to change your phone number appearing on its subscribers' view of your site to that of your competitor?
This is a good illustration of the difference between possibility and probability.
Yes it is possible for someone to change the phone number in transit over the network. What is the probability of occurrence? Is it worth my time to care? I suspect the answer to the above questions are "very small" and "hell no".
After all similar risks remain regardless:
How do viewers of your site know your competitor didn't pay the ISP to redirect your site to /dev/null?
How do you know your competitor didn't pay off your web host to hang an "out of business" banner only visible to potential customers on the other side of town?
How do viewers of your site know your competitor didn't pay the ISP to redirect your site to /dev/null?
They put the URL into a troubleshooting tool such as isup.me.
How do you know your competitor didn't pay off your web host to hang an "out of business" banner only visible to potential customers on the other side of town?
You know because your automatic site monitoring scripts notified you of failure to retrieve the root document.
On a public website you can infer what the user is looking at via analysis of timing and payload size.
How reliable is this in practice over the Internet, as opposed to a laboratory setting? And would random addition of 0 to 999 bytes of garbage headers to each response mitigate this in any way?
A split-horizon public dummy mirror with the same hostnames as the private network.
The home router firmware would presumably use the ACME dns-01 or http-01 challenge to obtain a certificate from Let's Encrypt for the hostname (not the IP address) that the user has entered into its configuration. Even if the hostname has no public CNAME, A, or AAAA record, the DNS zone can still contain the TXT record that dns-01 requires.
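The dns-01 computation the comment refers to, as an added example that is not code from the original comment or from any real ACME client: it builds the `_acme-challenge` TXT record value the way RFC 8555 defines it (base64url of SHA-256 over `token.thumbprint`, with the RFC 7638 JWK thumbprint), and includes the check a CA performs against the published value. The account key and token below are constructed placeholders, not real credentials.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of only the required members,
    keys sorted, no whitespace. Optional members such as 'kid' are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record content for dns-01: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(hostname: str) -> str:
    """The owner name the CA queries; works even if the host has no A/AAAA record."""
    return f"_acme-challenge.{hostname.rstrip('.')}."


def txt_record_satisfies(published: str, token: str, jwk: dict) -> bool:
    """What the CA verifies after querying DNS. Constant-time compare to avoid
    leaking how many leading characters matched."""
    return hmac.compare_digest(published, dns01_txt_value(token, jwk))


# Constructed placeholder P-256 account key: coordinates are not a real point.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes([1]) * 32),
    "y": b64url(bytes([2]) * 32),
}
SAMPLE_TOKEN = b64url(bytes(range(32)))  # constructed, stands in for the CA's token

if __name__ == "__main__":
    host = "router.home.example.com"  # hypothetical hostname from router config
    print(challenge_record_name(host), "TXT", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```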
Some IPMI still use Java only; on others the HTML5 part is missing a few things that the Java one can do.
"We" meaning "maybe 100 grumpy neckbeards".
Eat the rich.
The percentage of less popular browser users that actually change their user agent would not even amount to a rounding error. At 34%, whether you think so or not, your site is either a statistical anomaly or you do have a significant bias towards Apple users, as even with mobile devices you are unlikely to climb much beyond 20% without some sort of bias, as Apple market share is just too small overall to account for a third of users.
You're describing a non-issue while ignoring the real issue.
Let's Encrypt works by scripting. If you're doing it manually you're doing it wrong. The problem should be scripted around. However, the real issue is that you can't issue a certificate to an IP address or to local domains. The problem isn't Let's Encrypt; the problem is there's literally no one who would give you the certificate you need.
What is needed is either some protocol change to allow this to be done in a different way, or some simple and universal easy method to run your own CA for these purposes along with the ability to upload the cert. Or maybe devices should come with a universal certificate that never expires and on first access needs to be manually imported. Think of it like SSH.
-1 Incoherent.
What on Earth are you trying to say, AC?
No, they issue certificates for domains, not IP addresses. If you want to get certificates for home network devices, then the simplest thing to do is set up a subdomain like home.example.com and point a public wildcard DNS record at a machine running acme-client. Configure all of the subdomains of that you want (e.g. printer.home.example.com) and have the deploy script push them to the things on your local network. On your local network, provide a DNS server via the DHCP reply which gives local addresses for printer.home.example.com, rather than the publicly routable one.
I am TheRaven on Soylent News
You really want to integrate this with the DHCP response (though that's also not authenticated in any way). The problem with .local is that names in that namespace are not guaranteed to be unique. mycomputer.local probably exists on hundreds of LANs and the point of a DNS cert is to prove that your endpoint is who it says it is.
A good first step would be for the DHCP response to include a root cert that can be used only for things on the current network. Ideally, you probably also want something integrated with mDNS so that devices that publish their names via mDNS can also publish their cert via the same mechanism and have other parties automatically reject names if the signing cert changes. Neither of these mechanisms is very secure, but they are both probably better than nothing - at least they give you reasonable protection against passive eavesdroppers.
I am TheRaven on Soylent News
It's due to Apple's insistence on posting characters like ' as Unicode even if the site is not using Unicode.
Apple doesn't do this on sites not using Unicode. Take a look at the HTML for this page and you will see a meta tag telling you that the encoding is UTF-8. The problem is that Slashdot explicitly advertises that it is Unicode, but isn't.
The fact that it doesn't support Unicode in 2017, when even my terminal does, is a secondary incompetence.
I am TheRaven on Soylent News
I'm sure my 82-year-old father-in-law will have no problem registering his own domain name, configuring public and private DNS servers and setting up his acme-dns client. Thanks for making life easier for him.
Anonymous Coward is trying to say that despite Apple's user base not being the largest, it has been successful at making a large profit from a smaller, richer user base. In some years, it has earned over 90 percent of all smartphone profit. Thus despite a smaller number of people using Safari, these users on the whole make more purchases in larger amounts.
I wasn't calling you a troll, I was saying the guy you were replying to was a troll.
Nice straw man. Why is your 82-year-old father-in-law configuring web servers on his local network if he finds these things so difficult? Oh, right, he isn't, he's buying off-the-shelf equipment that handles this stuff automatically for him.
I am TheRaven on Soylent News
Internet Explorer 13.00% Edge 3.78%
Wow...didn't know IE still had so much share and Edge hadn't taken it over yet.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
The straw man here is your imaginary world in which "off-the-shelf equipment handles this stuff automatically for him".
Have you actually bought any consumer network equipment in the past decade? Most of the things I've bought handle https already. Even a cheap (under £10) TP-Link WiFi router does (via a fairly complex dance involving public DNS records). My ISP-provided router does with a self-signed cert that I have to explicitly mark as trusted (but which is then pinned). The manual config is only an issue if you're manually configuring your own intranet server, and if you're doing that then you should know what you're doing.
I am TheRaven on Soylent News
Good work. What difference a username makes.